changeset 1605:aa5a61d1254b
Tests: actually test the verification depth in ssl_verify_depth.t.
This reverts 5b22e2014f76. Two basic cases are now provided for a full chain:
when the verification depth is sufficient for the chain and when it is not.
author | Sergey Kandaurov <pluknet@nginx.com> |
date | Fri, 06 Nov 2020 14:32:13 +0000 |
parents | 4be791074207 |
children | e4e0695552ed |
files | ssl_verify_depth.t |
diffstat | 1 files changed, 25 insertions(+), 8 deletions(-) [+] |
--- a/ssl_verify_depth.t Fri Oct 23 13:22:19 2020 +0100
+++ b/ssl_verify_depth.t Fri Nov 06 14:32:13 2020 +0000
@@ -46,14 +46,19 @@
 ssl_certificate localhost.crt;
 ssl_verify_client on;
- ssl_client_certificate int-root.crt;
+ ssl_client_certificate root.crt;
- add_header X-Verify $ssl_client_verify;
+ add_header X-Verify $ssl_client_verify always;
 server {
 listen 127.0.0.1:8080 ssl;
 server_name localhost;
- ssl_verify_depth 0;
+ ssl_verify_depth 3;
+ }
+
+ server {
+ listen 127.0.0.1:8081 ssl;
+ server_name localhost;
 }
 }
@@ -80,9 +85,13 @@
 policy = myca_policy
 serial = $d/certserial
 default_days = 1
+x509_extensions = myca_extensions
 [ myca_policy ]
 commonName = supplied
+
+[ myca_extensions ]
+basicConstraints = critical,CA:TRUE
 EOF
 foreach my $name ('root', 'localhost') {
@@ -93,7 +102,7 @@
 or die "Can't create certificate for $name: $!\n";
 }
-foreach my $name ('int', 'end') {
+foreach my $name ('int', 'int2', 'end') {
 system("openssl req -new "
 . "-config $d/openssl.conf -subj /CN=$name/ "
 . "-out $d/$name.csr -keyout $d/$name.key "
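Review bot: The `x509_extensions = myca_extensions` line added to ca.conf in the second hunk applies `basicConstraints = critical,CA:TRUE` to every certificate issued through that config, so the `end` leaf is marked as a CA just like `int` and `int2`. This does not change the depth count the test exercises, and as far as I can tell OpenSSL does not reject a CA-flagged leaf presented as a client certificate, but the fixture then stops resembling a real chain and would hide a bug where a leaf was accepted as an issuer. A second section, `[ myca_leaf ]` with `basicConstraints = critical,CA:FALSE`, selected via `-extensions myca_leaf` on the `openssl ca` call that signs `end` (in the last hunk), keeps only the intermediates as CAs. The heredoc that writes ca.conf starts outside this hunk.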
@@ -112,20 +121,28 @@
 system("openssl ca -batch -config $d/ca.conf "
 . "-keyfile $d/int.key -cert $d/int.crt "
+ . "-subj /CN=int2/ -in $d/int2.csr -out $d/int2.crt "
+ . ">>$d/openssl.out 2>&1") == 0
+ or die "Can't sign certificate for int2: $!\n";
+
+system("openssl ca -batch -config $d/ca.conf "
+ . "-keyfile $d/int2.key -cert $d/int2.crt "
 . "-subj /CN=end/ -in $d/end.csr -out $d/end.crt "
 . ">>$d/openssl.out 2>&1") == 0
 or die "Can't sign certificate for end: $!\n";
-$t->write_file('int-root.crt',
- $t->read_file('int.crt') . $t->read_file('root.crt'));
+$t->write_file('client.key', $t->read_file('end.key') .
+ $t->read_file('int.key') . $t->read_file('int2.key'));
+$t->write_file('client.crt', $t->read_file('end.crt') .
+ $t->read_file('int.crt') . $t->read_file('int2.crt'));
 $t->write_file('t', '');
 $t->run();
 ###############################################################################
-like(get(8080, 'root'), qr/SUCCESS/, 'verify depth');
-like(get(8080, 'end'), qr/400 Bad Request/, 'verify depth limited');
+like(get(8080, 'client'), qr/SUCCESS/, 'verify depth');
+like(get(8081, 'client'), qr/FAILED/, 'verify depth limited');
 ###############################################################################
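Review bot: The new assertion `like(get(8081, 'client'), qr/FAILED/, 'verify depth limited')` accepts any verification failure, so it would still pass if the chain were rejected for a reason unrelated to depth, such as an untrusted issuer or a rejected intermediate. Since `$ssl_client_verify` reports the reason after the colon, pinning it makes the test prove what its name claims: `like(get(8081, 'client'), qr/FAILED:certificate chain too long/, 'verify depth limited');`. The reason text is OpenSSL's error string for the exceeded depth limit, so it should be checked against the OpenSSL versions the suite runs with, and nginx builds that report a bare `FAILED` would need a version guard. The `get()` helper that sends client.crt is defined outside this hunk.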