Tests: added ssl_ocsp test with failing request.
diff --git a/ssl_ocsp.t b/ssl_ocsp.t
index 530ccde..e4b45b5 100644
--- a/ssl_ocsp.t
+++ b/ssl_ocsp.t
@@ -88,9 +88,17 @@
}
server {
+ listen 127.0.0.1:8443 ssl;
+ server_name resolver;
+
+ ssl_ocsp on;
+ }
+
+ server {
listen 127.0.0.1:8444 ssl;
server_name localhost;
+ ssl_ocsp_responder http://127.0.0.1:8081;
ssl_ocsp on;
}
@@ -151,6 +159,29 @@
authorityInfoAccess = OCSP;URI:http://127.0.0.1:$p
EOF
+# variant for int.crt to trigger missing resolver
+
+$t->write_file('ca2.conf', <<EOF);
+[ ca ]
+default_ca = myca
+
+[ myca ]
+new_certs_dir = $d
+database = $d/certindex
+default_md = sha256
+policy = myca_policy
+serial = $d/certserial
+default_days = 1
+x509_extensions = myca_extensions
+
+[ myca_policy ]
+commonName = supplied
+
+[ myca_extensions ]
+basicConstraints = critical,CA:TRUE
+authorityInfoAccess = OCSP;URI:http://localhost:$p
+EOF
+
foreach my $name ('root') {
system('openssl req -x509 -new '
. "-config $d/openssl.conf -subj /CN=$name/ "
@@ -181,7 +212,7 @@
$t->write_file('certserial', '1000');
$t->write_file('certindex', '');
-system("openssl ca -batch -config $d/ca.conf "
+system("openssl ca -batch -config $d/ca2.conf "
. "-keyfile $d/root.key -cert $d/root.crt "
. "-subj /CN=int/ -in $d/int.csr -out $d/int.crt "
. ">>$d/openssl.out 2>&1") == 0
@@ -256,7 +287,7 @@
$t->run_daemon(\&http_daemon, $t, port(8081));
$t->run_daemon(\&http_daemon, $t, port(8082));
-$t->try_run('no ssl_ocsp')->plan(13);
+$t->try_run('no ssl_ocsp')->plan(14);
$t->waitforsocket("127.0.0.1:" . port(8081));
$t->waitforsocket("127.0.0.1:" . port(8082));
@@ -267,6 +298,18 @@
like(get('RSA', 'end'), qr/200 OK.*SUCCESS/s, 'ocsp leaf');
+# demonstrate that ocsp int request is failed due to missing resolver
+
+TODO: {
+todo_skip 'leaves coredump', 1 unless $t->has_version('1.19.1')
+ or $ENV{TEST_NGINX_UNSAFE};
+
+like(get('RSA', 'end', sni => 'resolver'),
+ qr/400 Bad.*FAILED:certificate status request failed/s,
+ 'ocsp many failed request');
+
+}
+
# demonstrate that ocsp int request is actually made by failing ocsp response
like(get('RSA', 'end', port => 8444),