Mercurial > hg > nginx-tests
changeset 1139:e7e968e3eb74
Tests: split ssl.t to run relevant tests on stable versions again.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Wed, 01 Mar 2017 18:04:25 +0300 |
parents | d6acd17ca4e3 |
children | 778eae8230e4 |
files | ssl.t ssl2.t |
diffstat | 2 files changed, 185 insertions(+), 17 deletions(-) [+] |
line wrap: on
line diff
--- a/ssl.t Mon Feb 27 17:15:24 2017 +0300 +++ b/ssl.t Wed Mar 01 18:04:25 2017 +0300 @@ -29,7 +29,7 @@ plan(skip_all => 'IO::Socket::SSL too old') if $@; my $t = Test::Nginx->new()->has(qw/http http_ssl rewrite/) - ->has_daemon('openssl'); + ->has_daemon('openssl')->plan(20); $t->write_file_expand('nginx.conf', <<'EOF'); @@ -66,9 +66,6 @@ location /cipher { return 200 "body $ssl_cipher"; } - location /ciphers { - return 200 "body $ssl_ciphers"; - } location /client_verify { return 200 "body $ssl_client_verify"; } @@ -76,13 +73,10 @@ return 200 "body $ssl_protocol"; } location /issuer { - return 200 "body $ssl_client_i_dn:$ssl_client_i_dn_legacy"; + return 200 "body $ssl_client_i_dn"; } location /subject { - return 200 "body $ssl_client_s_dn:$ssl_client_s_dn_legacy"; - } - location /time { - return 200 "body $ssl_client_v_start!$ssl_client_v_end!$ssl_client_v_remain"; + return 200 "body $ssl_client_s_dn"; } } @@ -196,7 +190,7 @@ SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(), SSL_session_cache_size => 100); -$t->try_run('no ssl_ciphers')->plan(22); +$t->run(); ############################################################################### @@ -238,15 +232,16 @@ like(get('/id', 8085), qr/^body \w{64}$/m, 'session id'); unlike(http_get('/id'), qr/body \w/, 'session id no ssl'); like(get('/cipher', 8085), qr/^body [\w-]+$/m, 'cipher'); - -$s = get_ssl_socket(undef, port(8085)); -like(http_get('/ciphers', socket => $s), qr/^body [:\w-]+$/m, 'ciphers'); - like(get('/client_verify', 8085), qr/^body NONE$/m, 'client verify'); like(get('/protocol', 8085), qr/^body (TLS|SSL)v(\d|\.)+$/m, 'protocol'); -like(cert('/issuer', 8085), qr!^body CN=issuer:/CN=issuer$!m, 'issuer'); -like(cert('/subject', 8085), qr!^body CN=subject:/CN=subject$!m, 'subject'); -like(cert('/time', 8085), qr/^body [:\s\w]+![:\s\w]+![23]$/m, 'time'); + +TODO: { +local $TODO = 'not yet' unless $t->has_version('1.11.6'); + +like(cert('/issuer', 8085), qr!^body CN=issuer$!m, 'issuer'); +like(cert('/subject', 8085), qr!^body CN=subject$!m, 'subject'); + +} ###############################################################################
--- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/ssl2.t Wed Mar 01 18:04:25 2017 +0300 @@ -0,0 +1,173 @@ +#!/usr/bin/perl + +# (C) Sergey Kandaurov +# (C) Andrey Zelenkov +# (C) Nginx, Inc. + +# Tests for http ssl module. + +############################################################################### + +use warnings; +use strict; + +use Test::More; + +BEGIN { use FindBin; chdir($FindBin::Bin); } + +use lib 'lib'; +use Test::Nginx; + +############################################################################### + +select STDERR; $| = 1; +select STDOUT; $| = 1; + +eval { require IO::Socket::SSL; }; +plan(skip_all => 'IO::Socket::SSL not installed') if $@; +eval { IO::Socket::SSL::SSL_VERIFY_NONE(); }; +plan(skip_all => 'IO::Socket::SSL too old') if $@; + +my $t = Test::Nginx->new()->has(qw/http http_ssl rewrite/) + ->has_daemon('openssl'); + +$t->write_file_expand('nginx.conf', <<'EOF'); + +%%TEST_GLOBALS%% + +daemon off; + +events { +} + +http { + %%TEST_GLOBALS_HTTP%% + + ssl_certificate_key localhost.key; + ssl_certificate localhost.crt; + ssl_verify_client optional_no_ca; + + server { + listen 127.0.0.1:8080 ssl; + server_name localhost; + + location /ciphers { + return 200 "body $ssl_ciphers"; + } + location /issuer { + return 200 "body $ssl_client_i_dn_legacy"; + } + location /subject { + return 200 "body $ssl_client_s_dn_legacy"; + } + location /time { + return 200 "body $ssl_client_v_start!$ssl_client_v_end!$ssl_client_v_remain"; + } + } +} + +EOF + +$t->write_file('openssl.conf', <<EOF); +[ req ] +default_bits = 1024 +encrypt_key = no +distinguished_name = req_distinguished_name +[ req_distinguished_name ] +EOF + +my $d = $t->testdir(); + +$t->write_file('ca.conf', <<EOF); +[ ca ] +default_ca = myca + +[ myca ] +new_certs_dir = $d +database = $d/certindex +default_md = sha1 +policy = myca_policy +serial = $d/certserial +default_days = 3 + +[ myca_policy ] +commonName = supplied +EOF + +$t->write_file('certserial', '1000'); +$t->write_file('certindex', ''); + +system('openssl req -x509 -new ' + . "-config '$d/openssl.conf' -subj '/CN=issuer/' " + . "-out '$d/issuer.crt' -keyout '$d/issuer.key' " + . ">>$d/openssl.out 2>&1") == 0 + or die "Can't create certificate for issuer: $!\n"; + +system("openssl req -new " + . "-config '$d/openssl.conf' -subj '/CN=subject/' " + . "-out '$d/subject.csr' -keyout '$d/subject.key' " + . ">>$d/openssl.out 2>&1") == 0 + or die "Can't create certificate for subject: $!\n"; + +system("openssl ca -batch -config '$d/ca.conf' " + . "-keyfile '$d/issuer.key' -cert '$d/issuer.crt' " + . "-subj '/CN=subject/' -in '$d/subject.csr' -out '$d/subject.crt' " + . ">>$d/openssl.out 2>&1") == 0 + or die "Can't sign certificate for subject: $!\n"; + +foreach my $name ('localhost') { + system('openssl req -x509 -new ' + . "-config '$d/openssl.conf' -subj '/CN=$name/' " + . "-out '$d/$name.crt' -keyout '$d/$name.key' " + . ">>$d/openssl.out 2>&1") == 0 + or die "Can't create certificate for $name: $!\n"; +} + +$t->try_run('no ssl_ciphers')->plan(4); + +############################################################################### + +like(get('/ciphers'), qr/^body [:\w-]+$/m, 'ciphers'); +like(get('/issuer'), qr!^body /CN=issuer$!m, 'issuer'); +like(get('/subject'), qr!^body /CN=subject$!m, 'subject'); +like(get('/time'), qr/^body [:\s\w]+![:\s\w]+![23]$/m, 'time'); + +############################################################################### + +sub get { + my ($uri) = @_; + my $s = get_ssl_socket() or return; + http_get($uri, socket => $s); +} + +sub get_ssl_socket { + my (%extra) = @_; + my $s; + + eval { + local $SIG{ALRM} = sub { die "timeout\n" }; + local $SIG{PIPE} = sub { die "sigpipe\n" }; + alarm(2); + $s = IO::Socket::SSL->new( + Proto => 'tcp', + PeerAddr => '127.0.0.1', + PeerPort => port(8080), + SSL_cert_file => "$d/subject.crt", + SSL_key_file => "$d/subject.key", + SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(), + SSL_error_trap => sub { die $_[1] }, + %extra + ); + alarm(0); + }; + alarm(0); + + if ($@) { + log_in("died: $@"); + return undef; + } + + return $s; +} + +###############################################################################