commit 53c400e0a0a2aac0a05a58868d1adc7bbc36eb08
author Sergey Kandaurov <pluknet@nginx.com> Wed Oct 17 23:34:17 2018 +0300
committer Sergey Kandaurov <pluknet@nginx.com> Wed Oct 17 23:34:17 2018 +0300
tree b23c8c0895ecbf6417523ec51a9292907c74d7c9
parent bbd44a97ccd2f5764242c895ba78015ba3f33cfd

Tests: support TLS 1.3 in ssl_certificates.t by preferring sigalgs.

A certificate key type cannot be selected in TLS 1.3 by limiting cipher suites.
Therefore, tests are modified to prefer "signature_algorithms" based selection,
while retaining limiting cipher suites as a fallback for older OpenSSL versions.

ssl_certificates.t

diff --git a/ssl_certificates.t b/ssl_certificates.t
index 50137cb..20249a3 100644
--- a/ssl_certificates.t
+++ b/ssl_certificates.t
@@ -22,10 +22,14 @@
 select STDERR; $| = 1;
 select STDOUT; $| = 1;
 
-eval { require IO::Socket::SSL; };
-plan(skip_all => 'IO::Socket::SSL not installed') if $@;
-eval { IO::Socket::SSL::SSL_VERIFY_NONE(); };
-plan(skip_all => 'IO::Socket::SSL too old') if $@;
+eval {
+	require Net::SSLeay;
+	Net::SSLeay::load_error_strings();
+	Net::SSLeay::SSLeay_add_ssl_algorithms();
+	Net::SSLeay::randomize();
+	Net::SSLeay::SSLeay();
+};
+plan(skip_all => 'Net::SSLeay not installed or too old') if $@;
 
 my $t = Test::Nginx->new()->has(qw/http http_ssl/)->has_daemon('openssl');
 
@@ -94,22 +98,29 @@
 
 ###############################################################################
 
+sub get_version {
+	my ($s, $ssl) = get_ssl_socket();
+	return Net::SSLeay::version($ssl);
+}
+
 sub get_cert {
-	my ($ciphers) = @_;
+	my ($type) = @_;
+	$type = 'PSS' if $type eq 'RSA' && get_version() > 0x0303;
+	my ($s, $ssl) = get_ssl_socket($type);
+	my $cipher = Net::SSLeay::get_cipher($ssl);
+	Test::Nginx::log_core('||', "cipher: $cipher");
+	return Net::SSLeay::dump_peer_certificate($ssl);
+}
+
+sub get_ssl_socket {
+	my ($type) = @_;
 	my $s;
 
 	eval {
 		local $SIG{ALRM} = sub { die "timeout\n" };
 		local $SIG{PIPE} = sub { die "sigpipe\n" };
 		alarm(2);
-		$s = IO::Socket::SSL->new(
-			Proto => 'tcp',
-			PeerAddr => '127.0.0.1',
-			PeerPort => port(8080),
-			SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(),
-			SSL_cipher_list => $ciphers,
-			SSL_error_trap => sub { die $_[1] }
-		);
+		$s = IO::Socket::INET->new('127.0.0.1:' . port(8080));
 		alarm(0);
 	};
 	alarm(0);
@@ -119,11 +130,23 @@
 		return undef;
 	}
 
-	my $cipher = $s->get_cipher();
+	my $ctx = Net::SSLeay::CTX_new() or die("Failed to create SSL_CTX $!");
 
-	Test::Nginx::log_core('||', "cipher: $cipher");
+	if (defined $type) {
+		if (Net::SSLeay::SSLeay() < 0x1000200f) {
+			Net::SSLeay::CTX_set_cipher_list($ctx, $type)
+				or die("Failed to set cipher list");
+		} else {
+			# SSL_CTRL_SET_SIGALGS_LIST
+			Net::SSLeay::CTX_ctrl($ctx, 98, 0, $type . '+SHA256')
+				or die("Failed to set sigalgs");
+		}
+	}
 
-	return $s->dump_peer_certificate;
+	my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!");
+	Net::SSLeay::set_fd($ssl, fileno($s));
+	Net::SSLeay::connect($ssl) or die("ssl connect");
+	return ($s, $ssl);
 }
 
 ###############################################################################