|
| 1 | +#!/usr/bin/perl |
| 2 | + |
| 3 | +# (C) Sergey Kandaurov |
| 4 | +# (C) Nginx, Inc. |
| 5 | + |
| 6 | +# Tests for http ssl module, $ssl_client_escaped_cert variable. |
| 7 | + |
| 8 | +############################################################################### |
| 9 | + |
| 10 | +use warnings; |
| 11 | +use strict; |
| 12 | + |
| 13 | +use Test::More; |
| 14 | + |
| 15 | +BEGIN { use FindBin; chdir($FindBin::Bin); } |
| 16 | + |
| 17 | +use lib 'lib'; |
| 18 | +use Test::Nginx; |
| 19 | + |
| 20 | +############################################################################### |
| 21 | + |
| 22 | +select STDERR; $| = 1; |
| 23 | +select STDOUT; $| = 1; |
| 24 | + |
| 25 | +eval { require IO::Socket::SSL; }; |
| 26 | +plan(skip_all => 'IO::Socket::SSL not installed') if $@; |
| 27 | +eval { IO::Socket::SSL::SSL_VERIFY_NONE(); }; |
| 28 | +plan(skip_all => 'IO::Socket::SSL too old') if $@; |
| 29 | + |
| 30 | +my $t = Test::Nginx->new()->has(qw/http http_ssl rewrite/) |
| 31 | + ->has_daemon('openssl'); |
| 32 | + |
| 33 | +$t->write_file_expand('nginx.conf', <<'EOF'); |
| 34 | +
|
| 35 | +%%TEST_GLOBALS%% |
| 36 | +
|
| 37 | +daemon off; |
| 38 | +
|
| 39 | +events { |
| 40 | +} |
| 41 | +
|
| 42 | +http { |
| 43 | + %%TEST_GLOBALS_HTTP%% |
| 44 | +
|
| 45 | + ssl_certificate_key localhost.key; |
| 46 | + ssl_certificate localhost.crt; |
| 47 | + ssl_verify_client optional_no_ca; |
| 48 | +
|
| 49 | + server { |
| 50 | + listen 127.0.0.1:8443 ssl; |
| 51 | + server_name localhost; |
| 52 | +
|
| 53 | + location /cert { |
| 54 | + return 200 $ssl_client_raw_cert; |
| 55 | + } |
| 56 | + location /escaped { |
| 57 | + return 200 $ssl_client_escaped_cert; |
| 58 | + } |
| 59 | + } |
| 60 | +} |
| 61 | +
|
| 62 | +EOF |
| 63 | + |
| 64 | +$t->write_file('openssl.conf', <<EOF); |
| 65 | +[ req ] |
| 66 | +default_bits = 1024 |
| 67 | +encrypt_key = no |
| 68 | +distinguished_name = req_distinguished_name |
| 69 | +[ req_distinguished_name ] |
| 70 | +EOF |
| 71 | + |
| 72 | +my $d = $t->testdir(); |
| 73 | + |
| 74 | +foreach my $name ('localhost') { |
| 75 | + system('openssl req -x509 -new ' |
| 76 | + . "-config $d/openssl.conf -subj /CN=$name/ " |
| 77 | + . "-out $d/$name.crt -keyout $d/$name.key " |
| 78 | + . ">>$d/openssl.out 2>&1") == 0 |
| 79 | + or die "Can't create certificate for $name: $!\n"; |
| 80 | +} |
| 81 | + |
| 82 | +$t->try_run('no ssl_client_escaped_cert')->plan(3); |
| 83 | + |
| 84 | +############################################################################### |
| 85 | + |
| 86 | +my ($cert) = cert('/cert') =~ /\x0d\x0a?\x0d\x0a?(.*)/ms; |
| 87 | +my ($escaped) = cert('/escaped') =~ /\x0d\x0a?\x0d\x0a?(.*)/ms; |
| 88 | + |
| 89 | +ok($cert, 'ssl_client_raw_cert'); |
| 90 | +ok($escaped, 'ssl_client_escaped_cert'); |
| 91 | + |
| 92 | +$escaped =~ s/%([0-9A-Fa-f]{2})/chr(hex($1))/eg; |
| 93 | +is($escaped, $cert, 'ssl_client_escaped_cert unescape match'); |
| 94 | + |
| 95 | +############################################################################### |
| 96 | + |
| 97 | +sub cert { |
| 98 | + my ($uri) = @_; |
| 99 | + my $s; |
| 100 | + |
| 101 | + eval { |
| 102 | + local $SIG{ALRM} = sub { die "timeout\n" }; |
| 103 | + local $SIG{PIPE} = sub { die "sigpipe\n" }; |
| 104 | + alarm(2); |
| 105 | + $s = IO::Socket::SSL->new( |
| 106 | + Proto => 'tcp', |
| 107 | + PeerAddr => '127.0.0.1', |
| 108 | + PeerPort => port(8443), |
| 109 | + SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(), |
| 110 | + SSL_cert_file => "$d/localhost.crt", |
| 111 | + SSL_key_file => "$d/localhost.key", |
| 112 | + SSL_error_trap => sub { die $_[1] }, |
| 113 | + ); |
| 114 | + alarm(0); |
| 115 | + }; |
| 116 | + alarm(0); |
| 117 | + |
| 118 | + if ($@) { |
| 119 | + log_in("died: $@"); |
| 120 | + return undef; |
| 121 | + } |
| 122 | + |
| 123 | + http_get($uri, socket => $s); |
| 124 | +} |
| 125 | + |
| 126 | +############################################################################### |
0 commit comments