
Commit 40f0ae0

Tests: removed multiple server certificates from ssl_ocsp.t.
Multiple server certificates are not needed to test OCSP verification of client certificates (in contrast to OCSP stapling, where server certificates are verified, and different staples should be correctly returned with different server certificates). And using multiple server certificates causes issues when testing with LibreSSL due to broken sigalgs-based server certificate selection in LibreSSL with TLSv1.3. Accordingly, the test is simplified so that it does not use multiple server certificates.
1 parent e119490 commit 40f0ae0

1 file changed

+25
-44
lines changed


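--- a/ssl_ocsp.t
+++ b/ssl_ocsp.t
@@ -63,11 +63,6 @@ http {
 ssl_verify_depth 2;
 ssl_client_certificate trusted.crt;
 
-ssl_ciphers DEFAULT:ECCdraft;
-
-ssl_certificate_key ec.key;
-ssl_certificate ec.crt;
-
 ssl_certificate_key rsa.key;
 ssl_certificate rsa.crt;
 
@@ -273,13 +268,8 @@ $t->write_file('trusted.crt',
 
 # server cert/key
 
-system("openssl ecparam -genkey -out $d/ec.key -name prime256v1 "
-. ">>$d/openssl.out 2>&1") == 0 or die "Can't create EC pem: $!\n";
-system("openssl genrsa -out $d/rsa.key 2048 >>$d/openssl.out 2>&1") == 0
-or die "Can't create RSA pem: $!\n";
-
-foreach my $name ('ec', 'rsa') {
-system("openssl req -x509 -new -key $d/$name.key "
+foreach my $name ('rsa') {
+system('openssl req -x509 -new '
 . "-config $d/openssl.conf -subj /CN=$name/ "
 . "-out $d/$name.crt -keyout $d/$name.key "
 . ">>$d/openssl.out 2>&1") == 0
@@ -288,7 +278,7 @@ foreach my $name ('ec', 'rsa') {
 
 $t->run_daemon(\&http_daemon, $t, port(8081));
 $t->run_daemon(\&http_daemon, $t, port(8082));
-$t->run()->plan(14);
+$t->run()->plan(15);
 
 $t->waitforsocket("127.0.0.1:" . port(8081));
 $t->waitforsocket("127.0.0.1:" . port(8082));
@@ -297,17 +287,17 @@ my $version = get_version();
 
 ###############################################################################
 
-like(get('RSA', 'end'), qr/200 OK.*SUCCESS/s, 'ocsp leaf');
+like(get('end'), qr/200 OK.*SUCCESS/s, 'ocsp leaf');
 
 # demonstrate that ocsp int request is failed due to missing resolver
 
-like(get('RSA', 'end', sni => 'resolver'),
+like(get('end', sni => 'resolver'),
 qr/400 Bad.*FAILED:certificate status request failed/s,
 'ocsp many failed request');
 
 # demonstrate that ocsp int request is actually made by failing ocsp response
 
-like(get('RSA', 'end', port => 8444),
+like(get('end', port => 8444),
 qr/400 Bad.*FAILED:certificate status request failed/s,
 'ocsp many failed');
 
@@ -323,11 +313,11 @@ system("openssl ocsp -index $d/certindex -CA $d/root.crt "
 . ">>$d/openssl.out 2>&1") == 0
 or die "Can't create OCSP response: $!\n";
 
-like(get('RSA', 'end', port => 8444), qr/200 OK.*SUCCESS/s, 'ocsp many');
+like(get('end', port => 8444), qr/200 OK.*SUCCESS/s, 'ocsp many');
 
 # store into ssl_ocsp_cache
 
-like(get('RSA', 'end', port => 8446), qr/200 OK.*SUCCESS/s, 'cache store');
+like(get('end', port => 8446), qr/200 OK.*SUCCESS/s, 'cache store');
 
 # revoke
 
@@ -346,23 +336,23 @@ system("openssl ocsp -index $d/certindex -CA $d/int.crt "
 . ">>$d/openssl.out 2>&1") == 0
 or die "Can't create OCSP response: $!\n";
 
-like(get('RSA', 'end'), qr/400 Bad.*FAILED:certificate revoked/s, 'revoked');
+like(get('end'), qr/400 Bad.*FAILED:certificate revoked/s, 'revoked');
 
 # with different responder where it's still valid
 
-like(get('RSA', 'end', port => 8445), qr/200 OK.*SUCCESS/s, 'ocsp responder');
+like(get('end', port => 8445), qr/200 OK.*SUCCESS/s, 'ocsp responder');
 
 # with different context to responder where it's still valid
 
-like(get('RSA', 'end', sni => 'sni'), qr/200 OK.*SUCCESS/s, 'ocsp context');
+like(get('end', sni => 'sni'), qr/200 OK.*SUCCESS/s, 'ocsp context');
 
 # with cached ocsp response it's still valid
 
-like(get('RSA', 'end', port => 8446), qr/200 OK.*SUCCESS/s, 'cache lookup');
+like(get('end', port => 8446), qr/200 OK.*SUCCESS/s, 'cache lookup');
 
 # ocsp end response signed with invalid (root) cert, expect HTTP 400
 
-like(get('ECDSA', 'ec-end'),
+like(get('ec-end'),
 qr/400 Bad.*FAILED:certificate status request failed/s,
 'root ca not trusted');
 
@@ -374,12 +364,12 @@ system("openssl ocsp -index $d/certindex -CA $d/int.crt "
 . ">>$d/openssl.out 2>&1") == 0
 or die "Can't create EC OCSP response: $!\n";
 
-like(get('ECDSA', 'ec-end'), qr/200 OK.*SUCCESS/s, 'ocsp ecdsa');
+like(get('ec-end'), qr/200 OK.*SUCCESS/s, 'ocsp ecdsa');
 
-my ($s, $ssl) = get('ECDSA', 'ec-end');
+my ($s, $ssl) = get('ec-end');
 my $ses = Net::SSLeay::get_session($ssl);
 
-like(get('ECDSA', 'ec-end', ses => $ses),
+like(get('ec-end', ses => $ses),
 qr/200 OK.*SUCCESS:r/s, 'session reused');
 
 # revoke with saved session
@@ -401,19 +391,22 @@ system("openssl ocsp -index $d/certindex -CA $d/int.crt "
 
 # reusing session with revoked certificate
 
-like(get('ECDSA', 'ec-end', ses => $ses),
+like(get('ec-end', ses => $ses),
 qr/400 Bad.*FAILED:certificate revoked:r/s, 'session reused - revoked');
 
 # regression test for self-signed
 
-like(get('RSA', 'root', port => 8447), qr/200 OK.*SUCCESS/s, 'ocsp one');
+like(get('root', port => 8447), qr/200 OK.*SUCCESS/s, 'ocsp one');
+
+# check for errors
+
+like(`grep -F '[crit]' ${\($t->testdir())}/error.log`, qr/^$/s, 'no crit');
 
 ###############################################################################
 
 sub get {
-my ($type, $cert, %extra) = @_;
-$type = 'PSS' if $type eq 'RSA' && $version > 0x0303;
-my ($s, $ssl) = get_ssl_socket($type, $cert, %extra);
+my ($cert, %extra) = @_;
+my ($s, $ssl) = get_ssl_socket($cert, %extra);
 my $cipher = Net::SSLeay::get_cipher($ssl);
 Test::Nginx::log_core('||', "cipher: $cipher");
 my $host = $extra{sni} ? $extra{sni} : 'localhost';
@@ -428,7 +421,7 @@ sub get {
 }
 
 sub get_ssl_socket {
-my ($type, $cert, %extra) = @_;
+my ($cert, %extra) = @_;
 my $ses = $extra{ses};
 my $sni = $extra{sni};
 my $port = $extra{port} || 8443;
@@ -450,18 +443,6 @@ sub get_ssl_socket {
 
 my $ctx = Net::SSLeay::CTX_new() or die("Failed to create SSL_CTX $!");
 
-if (defined $type) {
-my $ssleay = Net::SSLeay::SSLeay();
-if ($ssleay < 0x1000200f || $ssleay == 0x20000000) {
-Net::SSLeay::CTX_set_cipher_list($ctx, $type)
-or die("Failed to set cipher list");
-} else {
-# SSL_CTRL_SET_SIGALGS_LIST
-Net::SSLeay::CTX_ctrl($ctx, 98, 0, $type . '+SHA256')
-or die("Failed to set sigalgs");
-}
-}
-
 Net::SSLeay::set_cert_and_key($ctx, "$d/$cert.crt", "$d/$cert.key")
 or die if $cert;
 my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!");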
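Review bot: With `$type = 'PSS' if $type eq 'RSA' && $version > 0x0303;` removed from `get`, the `$version` assigned by `get_version()` (visible in the header of the hunk at -297) has no remaining use anywhere in this diff; if nothing outside these hunks reads it, that assignment and `get_version` itself are now dead code and should be dropped in the same change. The `openssl req -x509 -new ... -keyout` call in the hunk at -273 now produces the key with whatever type and size the openssl binary and `openssl.conf` default to, instead of the explicit `genrsa ... 2048` it replaces, so a one-line comment such as `# key type/size come from openssl defaults, not an explicit genrsa` would save the next reader a check. The single-iteration `foreach my $name ('rsa')` loop reads as a leftover of the two-certificate version and could be straight-line code with `$name` dropped. `get` ends in the hunk at -428, and `get_ssl_socket`'s body continues past the end of the diff.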
