187-ssl-two-verification.t
# vim:set ft= ts=4 sw=4 et fdm=marker:
use Test::Nginx::Socket::Lua;
repeat_each(3);

# Every test in this file needs OpenSSL 1.1.1 or newer, and neither BoringSSL
# nor AWS-LC is supported, so inspect the build banner of the nginx binary
# under test before planning anything.
#
# NOTE(review): TEST_NGINX_BINARY is interpolated unquoted into a shell command
# line here, so it must only be set from trusted harness / CI configuration.
my $nginx_bin  = $ENV{'TEST_NGINX_BINARY'} || 'nginx';
my $build_info = eval { qx{$nginx_bin -V 2>&1} };

my $skip_reason;
if ($build_info =~ m/built with OpenSSL (0\S*|1\.0\S*|1\.1\.0\S*)/) {
    # 0.x, 1.0.x and 1.1.0 are all older than the required 1.1.1.
    $skip_reason = "too old OpenSSL, need 1.1.1, was $1";
}
elsif ($build_info =~ m/running with BoringSSL/) {
    $skip_reason = "does not support BoringSSL";
}
elsif ($build_info =~ m/AWS-LC/) {
    $skip_reason = "does not support AWS-LC";
}

if (defined $skip_reason) {
    plan(skip_all => $skip_reason);
}
else {
    # Seven checks are planned per test block, for each repetition.
    plan tests => repeat_each() * (blocks() * 7);
}

$ENV{TEST_NGINX_HTML_DIR}       ||= html_dir();
$ENV{TEST_NGINX_MEMCACHED_PORT} ||= 11211;

# The error_log expectations below include a line logged at INFO level, so the
# 'warn' setting stays commented out; it would hide that line.
#log_level 'warn';
log_level 'debug';
no_long_string();
#no_diff();

run_tests();
__DATA__
=== TEST 1: simple logging
--- http_config
# TLS server under test. It demands a client certificate and verifies it
# (mutual TLS), then logs the verified client's subject DN for the test to check.
# NOTE(review): the same fixture pair (test.crt / test.key) is used here as the
# server identity and as the CA for client certificates, so this exercises the
# mTLS code path rather than a realistic separate-CA trust chain.
server {
# Unix-domain socket listener; the TCP variant is left commented out below.
listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl;
#listen 127.0.0.1:4433 ssl;
server_name test.com;
# Prints a marker line from the ClientHello phase; grep_error_log_out matches it.
ssl_client_hello_by_lua_block { print("ssl client hello by lua is running!") }
ssl_certificate ../../cert/test.crt;
ssl_certificate_key ../../cert/test.key;
#ssl_trusted_certificate ../../cert/test.crt;
# Client verification: ssl_client_certificate names the CA certificate(s) that
# client certificates are checked against, and "ssl_verify_client on" makes a
# valid client certificate mandatory.
ssl_client_certificate ../../cert/test.crt;
ssl_verify_client on;
# TLSv1 and TLSv1.1 are deprecated (RFC 8996) and TLSv1.3 is not listed; treat
# this protocol list as a test fixture, not as a deployment template.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# Keeps the version out of the Server header; the test expects "Server: nginx".
server_tokens off;
location /foo {
default_type 'text/plain';
# Answers 201 with the body "foo".
content_by_lua_block { ngx.status = 201 ngx.say("foo") ngx.exit(201) }
# Logs the subject DN of the client certificate at INFO level; the error_log
# section asserts on this line, which is how the test observes that the
# client certificate reached the server.
log_by_lua_block {
ngx.log(ngx.INFO, "ssl_client_s_dn: ", ngx.var.ssl_client_s_dn)
}
# Removes the Date header; the expected response lists no Date line.
more_clear_headers Date;
}
}
--- config
# Client-side TLS settings for the cosocket used in location /t.
server_tokens off;
# Certificate and private key for outgoing cosocket TLS connections; presumably
# what sslhandshake() presents as the client certificate — confirm against the
# lua-nginx-module version in use.
lua_ssl_certificate ../../cert/test.crt;
lua_ssl_certificate_key ../../cert/test.key;
# Trusted CA certificate(s) used to verify the server certificate when
# sslhandshake() is called with verification enabled. It is the same test.crt
# fixture the server block in http_config uses for its own certificate.
lua_ssl_trusted_certificate ../../cert/test.crt;
location /t {
content_by_lua_block {
do
    -- Client half of the mutual-TLS exchange: connect to the test server over
    -- its unix socket, handshake, send one request and echo every line back.
    local client = ngx.socket.tcp()
    client:settimeout(2000)

    local connected, connect_err = client:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock")
    -- TCP alternative: client:connect("127.0.0.1", 4433)
    if not connected then
        ngx.say("failed to connect: ", connect_err)
        return
    end
    ngx.say("connected: ", connected)

    -- No session to resume (nil), SNI "test.com", and verification of the
    -- server certificate switched on (third argument true). The CA comes from
    -- lua_ssl_trusted_certificate in the surrounding config.
    local session, handshake_err = client:sslhandshake(nil, "test.com", true)
    if not session then
        ngx.say("failed to do SSL handshake: ", handshake_err)
        return
    end
    ngx.say("ssl handshake: ", type(session))

    local request = "GET /foo HTTP/1.0\r\nHost: test.com\r\nConnection: close\r\n\r\n"
    local sent, send_err = client:send(request)
    if not sent then
        ngx.say("failed to send http request: ", send_err)
        return
    end
    ngx.say("sent http request: ", sent, " bytes.")

    -- Echo the response line by line. The first failed receive ends the loop
    -- and its error is deliberately not reported.
    repeat
        local line = client:receive()
        if line then
            ngx.say("received: ", line)
        end
    until not line

    local closed, close_err = client:close()
    ngx.say("close: ", closed, " ", close_err)
end -- do
-- collectgarbage()
}
}
--- request
GET /t
--- response_body
connected: 1
ssl handshake: cdata
sent http request: 56 bytes.
received: HTTP/1.1 201 Created
received: Server: nginx
received: Content-Type: text/plain
received: Content-Length: 4
received: Connection: close
received:
received: foo
close: 1 nil
--- error_log
lua ssl server name: "test.com"
ssl_client_s_dn: [email protected],CN=test.com,OU=OpenResty,O=OpenResty,L=San Francisco,ST=California,C=US
--- no_error_log
[error]
[alert]
--- grep_error_log eval: qr/ssl_client_hello_by_lua\(.*?,|\bssl client hello: connection reusable: \d+|\breusable connection: \d+/
--- grep_error_log_out eval
# Since nginx 1.17.9, nginx calls ngx_reusable_connection(c, 0) before it
# invokes the SSL callback, so the expected log sequence depends on the
# nginx version: newer builds log "reusable connection: 0" first, older
# builds log "reusable connection: 1" first and reset it to 0 afterwards.
$Test::Nginx::Util::NginxVersion >= 1.017009 ?
qr/reusable connection: 0
ssl client hello: connection reusable: 0
ssl_client_hello_by_lua\(nginx.conf:\d+\):1: ssl client hello by lua is running!,/
: qr /reusable connection: 1
ssl client hello: connection reusable: 1
reusable connection: 0
ssl_client_hello_by_lua\(nginx.conf:\d+\):1: ssl client hello by lua is running!,/