#!/usr/bin/perl
# (C) Sergey Kandaurov
# (C) Nginx, Inc.
# Tests for SSL object cache inheritance on configuration reload.
###############################################################################
use warnings;
use strict;
use Test::More;
BEGIN { use FindBin; chdir($FindBin::Bin); }
use lib 'lib';
use Test::Nginx;
###############################################################################
# Unbuffer STDERR and STDOUT so diagnostics and TAP output interleave in the
# order they were produced.  STDOUT is the selected handle afterwards.
for my $handle (\*STDERR, \*STDOUT) {
    select $handle;
    $| = 1;
}
# Harness: needs the http and http_ssl modules, an SSL-capable client socket
# and an openssl binary (used below to mint the test certificates).
my $t = Test::Nginx->new();
$t->has(qw/http http_ssl socket_ssl/);
$t->has_daemon('openssl');

# Two ssl servers with distinct certificates; ssl_object_cache_inheritable
# is the directive under test.  %%...%% placeholders are expanded by the
# harness, which is why the heredoc is single-quoted.
$t->write_file_expand('nginx.conf', <<'EOF');
%%TEST_GLOBALS%%
daemon off;
ssl_object_cache_inheritable on;
events {
}
http {
%%TEST_GLOBALS_HTTP%%
server {
listen 127.0.0.1:8443 ssl;
server_name localhost;
ssl_certificate 1.example.com.crt;
ssl_certificate_key 1.example.com.key;
}
server {
listen 127.0.0.1:8444 ssl;
server_name localhost;
ssl_certificate 2.example.com.crt;
ssl_certificate_key 2.example.com.key;
}
}
EOF
my $d = $t->testdir();

# Minimal openssl config for the self-signed test certificates.  Nothing in
# it needs interpolation, so the heredoc is quoted literally.
$t->write_file('openssl.conf', <<'EOF');
[ req ]
default_bits = 2048
encrypt_key = no
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
EOF
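# Mint one self-signed certificate and key per name.  The command goes
# through the shell because of the output redirection; every interpolated
# value is a fixed literal or the harness's own test directory, so no
# untrusted data reaches the shell.  On failure, $! is only meaningful when
# the child could not be started (system() returned -1); for a non-zero
# exit the useful information is the status in $?.
foreach my $name ('1.example.com', '2.example.com', '3.example.com') {
    my $cmd = 'openssl req -x509 -new '
        . "-config $d/openssl.conf -subj /CN=$name/ "
        . "-out $d/$name.crt -keyout $d/$name.key "
        . ">>$d/openssl.out 2>&1";

    my $status = system($cmd);
    next if $status == 0;

    my $reason = $status == -1 ? "$!" : 'exit status ' . ($? >> 8);
    die "Can't create certificate for $name: $reason\n";
}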
# Skip the whole file when the binary does not accept the directive;
# otherwise five assertions follow.
$t->try_run('no ssl_object_cache_inheritable');
$t->plan(5);
###############################################################################
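# make sure SSL certificates are properly cached on configuration reload by:
#
# - updating backing storage
# - keeping inode and mtime metadata
# (on win32, File ID appears to be modified by in-place rewrite)

# The dots in the host names are escaped so the CN must match literally
# rather than any character in those positions.
like(get_cert_cn(8443), qr{/CN=1\.example\.com}, 'certificate 1');
like(get_cert_cn(8444), qr{/CN=2\.example\.com}, 'certificate 2');

# Server 1: new content with new inode and mtime -> expected to be re-read.
update($t, "1.example.com", "3.example.com", update_metadata => 1);
# Server 2: new content, same inode and mtime -> expected to stay cached.
# Not done on win32, where the in-place rewrite changes the File ID anyway.
update($t, "2.example.com", "3.example.com") unless $^O eq 'MSWin32';

ok(reload($t), 'reload');

like(get_cert_cn(8443), qr{/CN=3\.example\.com}, 'certificate updated');
like(get_cert_cn(8444), qr{/CN=2\.example\.com}, 'certificate cached');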
###############################################################################
# Open an SSL connection to the given test port and return the peer
# certificate text as reported by dump_peer_certificate().
sub get_cert_cn {
    my ($port) = @_;

    my %conn = (
        start    => 1,
        PeerAddr => '127.0.0.1:' . port($port),
        SSL      => 1,
    );
    my $sock = http('', %conn);

    return $sock->dump_peer_certificate();
}
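# Replace the certificate and key of $old with those of $new in the test
# directory.  With update_metadata => 1 the files are written aside and
# renamed over the originals, so inode and mtime change; otherwise they are
# overwritten in place and the previous mtime is restored, so only the
# content differs.  Dies if any of the metadata steps fails, since the
# assertions that follow depend on them having happened.
sub update {
    my ($t, $old, $new, %extra) = @_;
    my $dir = $t->testdir();

    for my $ext ('crt', 'key') {
        my $target  = "$dir/$old.$ext";
        my $content = $t->read_file("$new.$ext");

        if ($extra{update_metadata}) {
            # New inode and mtime: write to a temporary name, then rename.
            $t->write_file("$old.$ext.tmp", $content);
            rename("$dir/$old.$ext.tmp", $target)
                or die "Can't rename $old.$ext.tmp: $!\n";
        } else {
            # Same inode and mtime: capture mtime, overwrite in place,
            # then put the original mtime back.
            my @st = stat($target)
                or die "Can't stat $target: $!\n";
            $t->write_file("$old.$ext", $content);
            utime(time(), $st[9], $target)
                or die "Can't utime $target: $!\n";
        }
    }

    return;
}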
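# Ask the harness to reload nginx, then poll error.log (every 0.2s, up to
# 30 times) for an "exited with code" message.  Returns 1 once it appears;
# returns nothing (undef / empty list) on timeout, so that the caller's
# ok() fails deterministically instead of depending on the unspecified
# value of a finished for loop.
sub reload {
    my ($t) = @_;

    $t->reload();

    for my $attempt (1 .. 30) {
        return 1 if $t->read_file('error.log') =~ /exited with code/;
        select undef, undef, undef, 0.2;
    }

    return;
}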
###############################################################################