Sergey Kandaurov | 2028d51 | 2020-10-22 18:55:53 +0100 | [diff] [blame] | 1 | #!/usr/bin/perl |
| 2 | |
| 3 | # (C) Sergey Kandaurov |
| 4 | # (C) Nginx, Inc. |
| 5 | |
| 6 | # Tests for http ssl module, ssl_reject_handshake. |
| 7 | |
| 8 | ############################################################################### |
| 9 | |
| 10 | use warnings; |
| 11 | use strict; |
| 12 | |
| 13 | use Test::More; |
| 14 | |
| 15 | BEGIN { use FindBin; chdir($FindBin::Bin); } |
| 16 | |
| 17 | use lib 'lib'; |
| 18 | use Test::Nginx; |
| 19 | |
| 20 | ############################################################################### |
| 21 | |
| 22 | select STDERR; $| = 1; |
| 23 | select STDOUT; $| = 1; |
| 24 | |
| 25 | eval { require IO::Socket::SSL; }; |
| 26 | plan(skip_all => 'IO::Socket::SSL not installed') if $@; |
Sergey Kandaurov | cd7507e | 2020-10-23 01:07:27 +0100 | [diff] [blame] | 27 | eval { IO::Socket::SSL->can_client_sni() or die; }; |
| 28 | plan(skip_all => 'IO::Socket::SSL with OpenSSL SNI support required') if $@; |
Sergey Kandaurov | 2028d51 | 2020-10-22 18:55:53 +0100 | [diff] [blame] | 29 | |
Sergey Kandaurov | cd7507e | 2020-10-23 01:07:27 +0100 | [diff] [blame] | 30 | my $t = Test::Nginx->new()->has(qw/http http_ssl sni/)->has_daemon('openssl'); |
Sergey Kandaurov | 2028d51 | 2020-10-22 18:55:53 +0100 | [diff] [blame] | 31 | |
| 32 | $t->write_file_expand('nginx.conf', <<'EOF'); |
| 33 | |
| 34 | %%TEST_GLOBALS%% |
| 35 | |
| 36 | daemon off; |
| 37 | |
| 38 | events { |
| 39 | } |
| 40 | |
| 41 | http { |
| 42 | %%TEST_GLOBALS_HTTP%% |
| 43 | |
| 44 | add_header X-Name $ssl_server_name; |
| 45 | |
| 46 | server { |
| 47 | listen 127.0.0.1:8080 ssl; |
| 48 | server_name localhost; |
| 49 | |
| 50 | ssl_reject_handshake on; |
| 51 | } |
| 52 | |
| 53 | server { |
| 54 | listen 127.0.0.1:8081; |
| 55 | server_name ssl; |
| 56 | |
| 57 | ssl on; |
| 58 | ssl_reject_handshake on; |
| 59 | } |
| 60 | |
| 61 | server { |
| 62 | listen 127.0.0.1:8080 ssl; |
| 63 | listen 127.0.0.1:8081 ssl; |
| 64 | server_name virtual; |
| 65 | |
| 66 | ssl_certificate localhost.crt; |
| 67 | ssl_certificate_key localhost.key; |
| 68 | } |
| 69 | |
| 70 | server { |
| 71 | listen 127.0.0.1:8082 ssl; |
| 72 | server_name localhost; |
| 73 | |
| 74 | ssl_certificate localhost.crt; |
| 75 | ssl_certificate_key localhost.key; |
| 76 | } |
| 77 | |
| 78 | server { |
| 79 | listen 127.0.0.1:8082 ssl; |
| 80 | server_name virtual1; |
| 81 | } |
| 82 | |
| 83 | server { |
| 84 | listen 127.0.0.1:8082 ssl; |
| 85 | server_name virtual2; |
| 86 | |
| 87 | ssl_reject_handshake on; |
| 88 | } |
| 89 | } |
| 90 | |
| 91 | EOF |
| 92 | |
| 93 | $t->write_file('openssl.conf', <<EOF); |
| 94 | [ req ] |
| 95 | default_bits = 2048 |
| 96 | encrypt_key = no |
| 97 | distinguished_name = req_distinguished_name |
| 98 | [ req_distinguished_name ] |
| 99 | EOF |
| 100 | |
| 101 | my $d = $t->testdir(); |
| 102 | |
| 103 | foreach my $name ('localhost') { |
| 104 | system('openssl req -x509 -new ' |
| 105 | . "-config $d/openssl.conf -subj /CN=$name/ " |
| 106 | . "-out $d/$name.crt -keyout $d/$name.key " |
| 107 | . ">>$d/openssl.out 2>&1") == 0 |
| 108 | or die "Can't create certificate for $name: $!\n"; |
| 109 | } |
| 110 | |
| 111 | $t->write_file('index.html', ''); |
Sergey Kandaurov | 3457b85 | 2021-06-01 16:40:18 +0300 | [diff] [blame] | 112 | |
| 113 | # suppress deprecation warning |
| 114 | |
| 115 | open OLDERR, ">&", \*STDERR; close STDERR; |
| 116 | $t->run()->plan(9); |
| 117 | open STDERR, ">&", \*OLDERR; |
Sergey Kandaurov | 2028d51 | 2020-10-22 18:55:53 +0100 | [diff] [blame] | 118 | |
| 119 | ############################################################################### |
| 120 | |
| 121 | # default virtual server rejected |
| 122 | |
| 123 | like(get('default', 8080), qr/unrecognized name/, 'default rejected'); |
| 124 | like(get(undef, 8080), qr/unrecognized name/, 'absent sni rejected'); |
| 125 | like(get('virtual', 8080), qr/virtual/, 'virtual accepted'); |
| 126 | |
| 127 | # default virtual server rejected - ssl on |
| 128 | |
| 129 | like(get('default', 8081), qr/unrecognized name/, 'default rejected - ssl on'); |
| 130 | like(get('virtual', 8081), qr/virtual/, 'virtual accepted - ssl on'); |
| 131 | |
| 132 | # non-default server "virtual2" rejected |
| 133 | |
| 134 | like(get('default', 8082), qr/default/, 'default accepted'); |
| 135 | like(get(undef, 8082), qr/200 OK(?!.*X-Name)/is, 'absent sni accepted'); |
| 136 | like(get('virtual1', 8082), qr/virtual1/, 'virtual 1 accepted'); |
| 137 | like(get('virtual2', 8082), qr/unrecognized name/, 'virtual 2 rejected'); |
| 138 | |
| 139 | ############################################################################### |
| 140 | |
| 141 | sub get { |
| 142 | my ($host, $port) = @_; |
| 143 | my $s = get_ssl_socket($host, $port) or return $@; |
| 144 | $host = 'localhost' if !defined $host; |
| 145 | my $r = http(<<EOF, socket => $s); |
| 146 | GET / HTTP/1.0 |
| 147 | Host: $host |
| 148 | |
| 149 | EOF |
| 150 | |
| 151 | $s->close(); |
| 152 | return $r; |
| 153 | } |
| 154 | |
| 155 | sub get_ssl_socket { |
| 156 | my ($host, $port) = @_; |
| 157 | my $s; |
| 158 | |
| 159 | eval { |
| 160 | local $SIG{ALRM} = sub { die "timeout\n" }; |
| 161 | local $SIG{PIPE} = sub { die "sigpipe\n" }; |
| 162 | alarm(8); |
| 163 | $s = IO::Socket::SSL->new( |
| 164 | Proto => 'tcp', |
| 165 | PeerAddr => '127.0.0.1', |
| 166 | PeerPort => port($port), |
| 167 | SSL_hostname => $host, |
| 168 | SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(), |
| 169 | SSL_error_trap => sub { die $_[1] }, |
| 170 | ); |
| 171 | alarm(0); |
| 172 | }; |
| 173 | alarm(0); |
| 174 | |
| 175 | if ($@) { |
| 176 | log_in("died: $@"); |
| 177 | return undef; |
| 178 | } |
| 179 | |
| 180 | return $s; |
| 181 | } |
| 182 | |
| 183 | ############################################################################### |