changeset 1389:73a9504ae6fd
Tests: support TLS 1.3 in ssl_stapling.t by preferring sigalgs.
See 0090e2476ef0 for details.
author | Sergey Kandaurov <pluknet@nginx.com> |
date | Fri, 19 Oct 2018 18:49:45 +0300 |
parents | 0090e2476ef0 |
children | 2c0955286894 |
files | ssl_stapling.t |
diffstat | 1 files changed, 61 insertions(+), 18 deletions(-) [+] |
--- a/ssl_stapling.t Wed Oct 17 23:34:17 2018 +0300
+++ b/ssl_stapling.t Fri Oct 19 18:49:45 2018 +0300
@@ -24,10 +24,15 @@
 select STDERR; $| = 1;
 select STDOUT; $| = 1;
-eval { require IO::Socket::SSL; };
-plan(skip_all => 'IO::Socket::SSL not installed') if $@;
-eval { IO::Socket::SSL->can_ocsp() or die; };
-plan(skip_all => 'IO::Socket::SSL with OCSP support required') if $@;
+eval {
+ require Net::SSLeay;
+ Net::SSLeay::load_error_strings();
+ Net::SSLeay::SSLeay_add_ssl_algorithms();
+ Net::SSLeay::randomize();
+ Net::SSLeay::SSLeay();
+ defined &Net::SSLeay::set_tlsext_status_type or die;
+};
+plan(skip_all => 'Net::SSLeay not installed or too old') if $@;
 my $t = Test::Nginx->new()->has(qw/http http_ssl/)->has_daemon('openssl')
 ->plan(9)->write_file_expand('nginx.conf', <<'EOF');
@@ -236,6 +241,8 @@
 ###############################################################################
+my $version = get_version();
+
 staple(8443, 'RSA');
 staple(8443, 'ECDSA');
 staple(8444, 'RSA');
@@ -271,30 +278,21 @@
 my ($ssl, $resp) = @_;
 push @resp, !!$resp;
 return 1 unless $resp;
- my $obj = $ssl->_get_ssl_object;
- my $cert = Net::SSLeay::get_peer_certificate($obj);
- my $certid = eval { Net::SSLeay::OCSP_cert2ids($obj, $cert) }
+ my $cert = Net::SSLeay::get_peer_certificate($ssl);
+ my $certid = eval { Net::SSLeay::OCSP_cert2ids($ssl, $cert) }
 or do { die "no OCSP_CERTID for certificate: $@"; };
 my @res = Net::SSLeay::OCSP_response_results($resp, $certid);
 push @resp, $res[0][2]->{'statusType'};
 };
+ my $s;
+
 eval {
 local $SIG{ALRM} = sub { die "timeout\n" };
 local $SIG{PIPE} = sub { die "sigpipe\n" };
 alarm(2);
- IO::Socket::SSL->new(
- Proto => 'tcp',
- PeerAddr => '127.0.0.1',
- PeerPort => port($port),
- SSL_cipher_list => $ciphers,
- SSL_ca_file => $ca,
- SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(),
- SSL_ocsp_mode => IO::Socket::SSL::SSL_OCSP_TRY_STAPLE(),
- SSL_ocsp_staple_callback => $staple_cb,
- SSL_error_trap => sub { die $_[1] }
- );
+ $s = IO::Socket::INET->new('127.0.0.1:' . port($port));
 alarm(0);
 };
 alarm(0);
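Review bot: The added `$s = IO::Socket::INET->new('127.0.0.1:' . port($port));` leaves `$s` undef when the TCP connect fails, because IO::Socket::INET reports failure by returning undef (setting `$@`) rather than dying, and the eval then completes normally and clears `$@`, so the `if ($@)` guard after it is never reached and the `fileno($s)` handed to `Net::SSLeay::set_fd` in the next hunk becomes undef. The removed IO::Socket::SSL call covered this with `SSL_error_trap => sub { die $_[1] }`; the plain socket needs an equivalent, `$s = IO::Socket::INET->new('127.0.0.1:' . port($port)) or die "connect: $@\n";`. The new `get_version` in the following hunk opens its socket the same way and needs the same check. The enclosing `staple` sub starts and ends outside this hunk.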
@@ -304,9 +302,54 @@
 return undef;
 }
+ my $ctx = Net::SSLeay::CTX_new() or die("Failed to create SSL_CTX $!");
+
+ if (Net::SSLeay::SSLeay() < 0x1000200f) {
+ Net::SSLeay::CTX_set_cipher_list($ctx, $ciphers)
+ or die("Failed to set cipher list");
+ } else {
+ # SSL_CTRL_SET_SIGALGS_LIST
+ $ciphers = 'PSS' if $ciphers eq 'RSA' && $version > 0x0303;
+ Net::SSLeay::CTX_ctrl($ctx, 98, 0, $ciphers . '+SHA256')
+ or die("Failed to set sigalgs");
+ }
+
+ Net::SSLeay::CTX_load_verify_locations($ctx, $ca || '', '');
+ Net::SSLeay::CTX_set_tlsext_status_cb($ctx, $staple_cb);
+ my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!");
+ Net::SSLeay::set_tlsext_status_type($ssl,
+ Net::SSLeay::TLSEXT_STATUSTYPE_ocsp());
+ Net::SSLeay::set_fd($ssl, fileno($s));
+ Net::SSLeay::connect($ssl) or die("ssl connect");
+
 return join ' ', @resp;
 }
+sub get_version {
+ my $s;
+
+ eval {
+ local $SIG{ALRM} = sub { die "timeout\n" };
+ local $SIG{PIPE} = sub { die "sigpipe\n" };
+ alarm(2);
+ $s = IO::Socket::INET->new('127.0.0.1:' . port(8443));
+ alarm(0);
+ };
+ alarm(0);
+
+ if ($@) {
+ log_in("died: $@");
+ return undef;
+ }
+
+ my $ctx = Net::SSLeay::CTX_new() or die("Failed to create SSL_CTX $!");
+ my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!");
+ Net::SSLeay::set_fd($ssl, fileno($s));
+ Net::SSLeay::connect($ssl) or die("ssl connect");
+
+ Net::SSLeay::version($ssl);
+}
+
 ###############################################################################
 sub http_daemon {
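Review bot: `Net::SSLeay::connect($ssl) or die("ssl connect")` does not catch a failed handshake, because SSL_connect reports a fatal error as -1, which is true in Perl, so only the 0 return (peer closed cleanly) triggers the die; the call should be `Net::SSLeay::connect($ssl) == 1 or die("ssl connect");`, both in `staple` and in the new `get_version`, where a handshake that failed part way would otherwise still be read by `Net::SSLeay::version($ssl)` and fed into the `$version > 0x0303` comparison. The numeric literals would also be clearer with comments next to them: `0x1000200f` is the OpenSSL 1.0.2 release number, and `0x0303` is TLS 1.2, so `# TLS 1.3 only accepts RSA-PSS signatures for RSA keys` above the `$ciphers = 'PSS'` line explains why the substitution depends on the negotiated version. The `$ctx` and `$ssl` objects are never released with `Net::SSLeay::free`/`Net::SSLeay::CTX_free`, which is tolerable in a short test run but worth a one-line comment saying it is deliberate. `get_version` returns undef from the `if ($@)` branch, which the caller in the earlier hunk then compares numerically without checking.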