changeset 1831:f6d1f82f314b

Tests: separate SSL session reuse tests in mail. Instead of being mixed with generic SSL tests, session reuse variants are now tested in a separate file.
author Maxim Dounin <mdounin@mdounin.ru>
date Thu, 23 Mar 2023 19:49:51 +0300
parents 8dec885fa3da
children 2e541778e5d8
files mail_ssl.t mail_ssl_session_reuse.t
diffstat 2 files changed, 180 insertions(+), 58 deletions(-) [+]
--- a/mail_ssl.t	Thu Mar 23 19:49:49 2023 +0300
+++ b/mail_ssl.t	Thu Mar 23 19:49:51 2023 +0300
@@ -37,7 +37,7 @@
 plan(skip_all => 'Net::SSLeay with OpenSSL ALPN support required') if $@;
 
 my $t = Test::Nginx->new()->has(qw/mail mail_ssl imap pop3 smtp/)
-	->has_daemon('openssl')->plan(22);
+	->has_daemon('openssl')->plan(18);
 
 $t->write_file_expand('nginx.conf', <<'EOF');
 
@@ -51,44 +51,25 @@
 mail {
     ssl_certificate_key localhost.key;
     ssl_certificate localhost.crt;
-    ssl_session_tickets off;
 
     ssl_password_file password;
 
     auth_http  http://127.0.0.1:8080;	# unused
 
-    ssl_session_cache none;
-
     server {
         listen             127.0.0.1:8143;
         listen             127.0.0.1:8145 ssl;
         protocol           imap;
-
-        ssl_session_cache  builtin;
     }
 
     server {
-        listen             127.0.0.1:8146 ssl;
-        protocol           imap;
-
-        ssl_session_cache  off;
-    }
-
-    server {
-        listen             127.0.0.1:8147;
+        listen             127.0.0.1:8148;
         protocol           imap;
 
         # Special case for enabled "ssl" directive.
 
         ssl on;
-        ssl_session_cache  builtin:1000;
-    }
 
-    server {
-        listen             127.0.0.1:8148 ssl;
-        protocol           imap;
-
-        ssl_session_cache shared:SSL:1m;
         ssl_certificate_key inherits.key;
         ssl_certificate inherits.crt;
     }
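Review bot: The merged server on port 8148 now carries both the `ssl on;` case and the `inherits.crt`/`inherits.key` override, while the comment above it still describes only the first. The ALPN checks, and presumably the certificate inheritance check that continues outside this hunk, therefore all depend on the `ssl` directive, which the nginx documentation marks obsolete since 1.15.0 in favour of the `ssl` parameter of `listen`. If that directive stops being accepted, these otherwise unrelated tests fail with it. Extending the comment to something like `# Special case for enabled "ssl" directive; this server is also used by the certificate inheritance and ALPN tests.` would make the coupling visible. Alternatively the certificate override could stay on a separate `listen ... ssl` server.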
@@ -169,46 +150,16 @@
 
 ###############################################################################
 
+my ($s, $ssl);
+
 # simple tests to ensure that nothing broke with ssl_password_file directive
 
-my $s = Test::Nginx::IMAP->new();
+$s = Test::Nginx::IMAP->new();
 $s->ok('greeting');
 
 $s->send('1 AUTHENTICATE LOGIN');
 $s->check(qr/\+ VXNlcm5hbWU6/, 'login');
 
-# ssl_session_cache
-
-my ($ssl, $ses);
-
-($s, $ssl) = get_ssl_socket(8145);
-Net::SSLeay::read($ssl);
-$ses = Net::SSLeay::get_session($ssl);
-
-($s, $ssl) = get_ssl_socket(8145, $ses);
-is(Net::SSLeay::session_reused($ssl), 1, 'builtin session reused');
-
-($s, $ssl) = get_ssl_socket(8146);
-Net::SSLeay::read($ssl);
-$ses = Net::SSLeay::get_session($ssl);
-
-($s, $ssl) = get_ssl_socket(8146, $ses);
-is(Net::SSLeay::session_reused($ssl), 0, 'session not reused');
-
-($s, $ssl) = get_ssl_socket(8147);
-Net::SSLeay::read($ssl);
-$ses = Net::SSLeay::get_session($ssl);
-
-($s, $ssl) = get_ssl_socket(8147, $ses);
-is(Net::SSLeay::session_reused($ssl), 1, 'builtin size session reused');
-
-($s, $ssl) = get_ssl_socket(8148);
-Net::SSLeay::read($ssl);
-$ses = Net::SSLeay::get_session($ssl);
-
-($s, $ssl) = get_ssl_socket(8148, $ses);
-is(Net::SSLeay::session_reused($ssl), 1, 'shared session reused');
-
 # ssl_certificate inheritance
 
 ($s, $ssl) = get_ssl_socket(8145);
@@ -219,7 +170,7 @@
 
 # alpn
 
-ok(get_ssl_socket(8148, undef, ['imap']), 'alpn');
+ok(get_ssl_socket(8148, ['imap']), 'alpn');
 
 SKIP: {
 $t->{_configure_args} =~ /LibreSSL ([\d\.]+)/;
@@ -230,7 +181,7 @@
 TODO: {
 local $TODO = 'not yet' unless $t->has_version('1.21.4');
 
-ok(!get_ssl_socket(8148, undef, ['unknown']), 'alpn rejected');
+ok(!get_ssl_socket(8148, ['unknown']), 'alpn rejected');
 
 }
 
@@ -317,11 +268,10 @@
 ###############################################################################
 
 sub get_ssl_socket {
-	my ($port, $ses, $alpn) = @_;
+	my ($port, $alpn) = @_;
 
 	my $s = IO::Socket::INET->new('127.0.0.1:' . port($port));
 	my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!");
-	Net::SSLeay::set_session($ssl, $ses) if defined $ses;
 	Net::SSLeay::set_alpn_protos($ssl, $alpn) if defined $alpn;
 	Net::SSLeay::set_fd($ssl, fileno($s));
 	Net::SSLeay::connect($ssl) == 1 or return;
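Review bot: The result of `IO::Socket::INET->new(...)` in get_ssl_socket is not checked, so when the TCP connection fails an undefined handle reaches `fileno($s)` and `Net::SSLeay::set_fd()`, whereas a failed handshake makes the helper return early. Writing `my $s = IO::Socket::INET->new('127.0.0.1:' . port($port)) or return;` would give both failure paths the same outcome. The failed-handshake return also leaves `$ssl` allocated; a `Net::SSLeay::free($ssl)` before that `return` would tidy it up. The copy of this helper added in mail_ssl_session_reuse.t has the same two gaps. The function body continues past the end of this hunk.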
--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/mail_ssl_session_reuse.t	Thu Mar 23 19:49:51 2023 +0300
@@ -0,0 +1,172 @@
+#!/usr/bin/perl
+
+# (C) Andrey Zelenkov
+# (C) Maxim Dounin
+# (C) Nginx, Inc.
+
+# Tests for mail ssl module, session reuse.
+
+###############################################################################
+
+use warnings;
+use strict;
+
+use Test::More;
+
+BEGIN { use FindBin; chdir($FindBin::Bin); }
+
+use lib 'lib';
+use Test::Nginx;
+
+###############################################################################
+
+select STDERR; $| = 1;
+select STDOUT; $| = 1;
+
+eval {
+	require Net::SSLeay;
+	Net::SSLeay::load_error_strings();
+	Net::SSLeay::SSLeay_add_ssl_algorithms();
+	Net::SSLeay::randomize();
+};
+plan(skip_all => 'Net::SSLeay not installed') if $@;
+
+my $t = Test::Nginx->new()->has(qw/mail mail_ssl imap/)
+	->has_daemon('openssl')->plan(7);
+
+$t->write_file_expand('nginx.conf', <<'EOF');
+
+%%TEST_GLOBALS%%
+
+daemon off;
+
+events {
+}
+
+mail {
+    auth_http  http://127.0.0.1:8080;
+
+    ssl_certificate localhost.crt;
+    ssl_certificate_key localhost.key;
+
+    server {
+        listen    127.0.0.1:8993 ssl;
+        protocol  imap;
+    }
+
+    server {
+        listen    127.0.0.1:8994 ssl;
+        protocol  imap;
+
+        ssl_session_cache shared:SSL:1m;
+        ssl_session_tickets on;
+    }
+
+    server {
+        listen    127.0.0.1:8995 ssl;
+        protocol  imap;
+
+        ssl_session_cache shared:SSL:1m;
+        ssl_session_tickets off;
+    }
+
+    server {
+        listen    127.0.0.1:8996 ssl;
+        protocol  imap;
+
+        ssl_session_cache builtin;
+        ssl_session_tickets off;
+    }
+
+    server {
+        listen    127.0.0.1:8997 ssl;
+        protocol  imap;
+
+        ssl_session_cache builtin:1000;
+        ssl_session_tickets off;
+    }
+
+    server {
+        listen    127.0.0.1:8998 ssl;
+        protocol  imap;
+
+        ssl_session_cache none;
+        ssl_session_tickets off;
+    }
+
+    server {
+        listen    127.0.0.1:8999 ssl;
+        protocol  imap;
+
+        ssl_session_cache off;
+        ssl_session_tickets off;
+    }
+}
+
+EOF
+
+$t->write_file('openssl.conf', <<EOF);
+[ req ]
+default_bits = 2048
+encrypt_key = no
+distinguished_name = req_distinguished_name
+[ req_distinguished_name ]
+EOF
+
+my $d = $t->testdir();
+
+foreach my $name ('localhost') {
+	system('openssl req -x509 -new '
+		. "-config $d/openssl.conf -subj /CN=$name/ "
+		. "-out $d/$name.crt -keyout $d/$name.key "
+		. ">>$d/openssl.out 2>&1") == 0
+		or die "Can't create certificate for $name: $!\n";
+}
+
+my $ctx = Net::SSLeay::CTX_new() or die("Failed to create SSL_CTX $!");
+
+$t->run();
+
+###############################################################################
+
+# session reuse:
+#
+# - only tickets, the default
+# - tickets and shared cache, should work always
+# - only shared cache
+# - only builtin cache
+# - only builtin cache with explicitly configured size
+# - only cache none
+# - only cache off
+
+is(test_reuse(8993), 1, 'tickets reused');
+is(test_reuse(8994), 1, 'tickets and cache reused');
+is(test_reuse(8995), 1, 'cache shared reused');
+is(test_reuse(8996), 1, 'cache builtin reused');
+is(test_reuse(8997), 1, 'cache builtin size reused');
+is(test_reuse(8998), 0, 'cache none not reused');
+is(test_reuse(8999), 0, 'cache off not reused');
+
+###############################################################################
+
+sub test_reuse {
+	my ($port) = @_;
+	my ($s, $ssl) = get_ssl_socket($port);
+	Net::SSLeay::read($ssl);
+	my $ses = Net::SSLeay::get_session($ssl);
+	($s, $ssl) = get_ssl_socket($port, $ses);
+	return Net::SSLeay::session_reused($ssl);
+}
+
+sub get_ssl_socket {
+	my ($port, $ses) = @_;
+
+	my $s = IO::Socket::INET->new('127.0.0.1:' . port($port));
+	my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!");
+	Net::SSLeay::set_session($ssl, $ses) if defined $ses;
+	Net::SSLeay::set_fd($ssl, fileno($s));
+	Net::SSLeay::connect($ssl) == 1 or return;
+	return ($s, $ssl);
+}
+
+###############################################################################
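Review bot: test_reuse does not check what get_ssl_socket returned, so a failed connection or handshake passes an undefined `$ssl` on to `Net::SSLeay::read()` and `Net::SSLeay::session_reused()` instead of producing a plain test failure. Guarding both calls, e.g. `my ($s, $ssl) = get_ssl_socket($port) or return;` and `($s, $ssl) = get_ssl_socket($port, $ses) or return;`, makes `is()` report the failing port. It also keeps a connection error from being counted as "not reused" in the two tests that expect 0. The `Net::SSLeay::read($ssl)` before `get_session()` would benefit from a comment, presumably along the lines of `# read the greeting, so that a session ticket sent after the handshake is received`. The header list of seven configurations is helpful, but each expectation holds only for the protocol version the unpinned client context happens to negotiate, which may be worth stating there.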