# HG changeset patch # User Sergey Kandaurov # Date 1629297823 -10800 # Node ID 1522ab9d37b4c0f72836c4475330bb307b174a66 # Parent 3581dc3c1937919dea41a9fc5542b87069982fe3 Tests: Auth-SSL-Protocol and Auth-SSL-Cipher tests (ticket #2134). diff -r 3581dc3c1937 -r 1522ab9d37b4 mail_imap_ssl.t --- a/mail_imap_ssl.t Wed Aug 11 11:55:51 2021 +0300 +++ b/mail_imap_ssl.t Wed Aug 18 17:43:43 2021 +0300 @@ -34,7 +34,7 @@ local $SIG{PIPE} = 'IGNORE'; my $t = Test::Nginx->new()->has(qw/mail mail_ssl imap http rewrite/) - ->has_daemon('openssl')->plan(12) + ->has_daemon('openssl')->plan(13) ->write_file_expand('nginx.conf', <<'EOF'); %%TEST_GLOBALS%% @@ -99,6 +99,7 @@ '$http_auth_ssl_subject:$http_auth_ssl_issuer:' '$http_auth_ssl_serial:$http_auth_ssl_fingerprint:' '$http_auth_ssl_cert:$http_auth_pass'; + log_format test2 '$http_auth_ssl_cipher:$http_auth_ssl_protocol'; server { listen 127.0.0.1:8080; @@ -106,6 +107,7 @@ location = /mail/auth { access_log auth.log test; + access_log auth2.log test2; add_header Auth-Status OK; add_header Auth-Server 127.0.0.1; @@ -208,6 +210,18 @@ $s->ok('trusted cert'); $s->send('1 AUTHENTICATE PLAIN ' . $cred->("s5")); $s->read(); + +# Auth-SSL-Protocol and Auth-SSL-Cipher headers + +my ($cipher, $sslversion); + +if ($IO::Socket::SSL::VERSION >= 1.964) { + $s = get_ssl_socket(8143); + $cipher = $s->get_cipher(); + $sslversion = $s->get_sslversion(); + $sslversion =~ s/_/./; +} + undef $s; # test auth_http request header fields with access_log 
@@ -225,4 +239,46 @@ like($f, qr!^on:SUCCESS:(/?CN=3.example.com):\1:\w+:\w+:[^:]+:s5$!m, 'log - trusted cert'); +SKIP: { +skip 'IO::Socket::SSL version >= 1.964 required', 1 + if $IO::Socket::SSL::VERSION < 1.964; + +TODO: { +local $TODO = 'not yet' unless $t->has_version('1.21.2'); + +$f = $t->read_file('auth2.log'); +like($f, qr|^$cipher:$sslversion$|m, 'log - cipher sslversion'); + +} + +} + ############################################################################### + +sub get_ssl_socket { + my ($port) = @_; + my $s; + + eval { + local $SIG{ALRM} = sub { die "timeout\n" }; + local $SIG{PIPE} = sub { die "sigpipe\n" }; + alarm(8); + $s = IO::Socket::SSL->new( + Proto => 'tcp', + PeerAddr => '127.0.0.1:' . port($port), + SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(), + SSL_error_trap => sub { die $_[1] } + ); + alarm(0); + }; + alarm(0); + + if ($@) { + log_in("died: $@"); + return undef; + } + + return $s; +} + +###############################################################################
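Review bot: In the hunk at @@ -208,6 +210,18 @@, the return value of get_ssl_socket(8143) is used without a check. The helper added at the end of the file returns undef on timeout or handshake failure, so `$cipher = $s->get_cipher();` would die on an undefined value and abort the remaining tests rather than fail a single one. Suggest wrapping the two getter calls in `if ($s) { ... }` and skipping the later like() when $cipher is not defined. Separately, this socket only completes the handshake and is released with `undef $s` without sending an IMAP command, so the values later matched against auth2.log are taken from a different connection than the ones that wrote the log lines. A one-line comment stating the assumption that every test client negotiates the same cipher and protocol would make that dependency explicit.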
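Review bot: In the hunk at @@ -225,4 +239,46 @@, `qr|^$cipher:$sslversion$|m` interpolates the negotiated values as regex syntax rather than literal text. After `$sslversion =~ s/_/./;` the version string contains a dot, which matches any character, so the assertion is looser than the test name suggests. Suggest quoting the interpolated part: `qr|^\Q$cipher:$sslversion\E$|m`.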