@@ -6,13 +6,8 @@ repeat_each(2);
6
6
7
7
plan tests => repeat_each() * 42;
8
8
9
- $ENV{TEST_NGINX_HTML_DIR} ||= html_dir();
10
-
11
- $ENV{TEST_NGINX_MEMCACHED_PORT} ||= 11211;
12
9
$ENV{TEST_NGINX_RESOLVER} ||= '8.8.8.8';
13
- $ENV{TEST_NGINX_SERVER_SSL_PORT} ||= 12345;
14
10
15
- #log_level 'warn';
16
11
log_level 'debug';
17
12
18
13
no_long_string();
@@ -27,11 +22,6 @@ sub read_file {
27
22
$cert;
28
23
}
29
24
30
- our $DSTRootCertificate = read_file("t/cert/dst-ca.crt");
31
- our $EquifaxRootCertificate = read_file("t/cert/equifax.crt");
32
- our $TestCertificate = read_file("t/cert/test.crt");
33
- our $TestCertificateKey = read_file("t/cert/test.key");
34
- our $TestCRL = read_file("t/cert/test.crl");
35
25
our $MTLSCA = read_file("t/cert/mtls_ca.crt");
36
26
our $MTLSClient = read_file("t/cert/mtls_client.crt");
37
27
our $MTLSClientKey = read_file("t/cert/mtls_client.key");
@@ -44,12 +34,11 @@ our $mtls_http_config = <<"_EOC_";
44
34
server {
45
35
listen unix:$::HtmlDir/mtls.sock ssl;
46
36
47
- ssl_certificate $::HtmlDir/mtls_server.crt;
48
- ssl_certificate_key $::HtmlDir/mtls_server.key;
49
-
37
+ ssl_certificate $::HtmlDir/mtls_server.crt;
38
+ ssl_certificate_key $::HtmlDir/mtls_server.key;
50
39
ssl_client_certificate $::HtmlDir/mtls_ca.crt;
51
- ssl_verify_client on;
52
- server_tokens off;
40
+ ssl_verify_client on;
41
+ server_tokens off;
53
42
54
43
location / {
55
44
return 200 "hello, \$ssl_client_s_dn";
@@ -78,10 +67,8 @@ __DATA__
78
67
--- config
79
68
server_tokens off;
80
69
resolver $TEST_NGINX_RESOLVER ipv6=off;
81
- location /t {
82
- #set $port 5000;
83
- set $port $TEST_NGINX_MEMCACHED_PORT;
84
70
71
+ location /t {
85
72
content_by_lua_block {
86
73
-- avoid flushing google in "check leak" testing mode:
87
74
local counter = package.loaded.counter
@@ -92,11 +79,13 @@ __DATA__
92
79
else
93
80
counter = counter + 1
94
81
end
82
+
95
83
package.loaded.counter = counter
96
84
97
85
do
98
86
local sock = ngx.socket.tcp()
99
87
sock:settimeout(2000)
88
+
100
89
local ok, err = sock:connect("www.google.com", 443)
101
90
if not ok then
102
91
ngx.say("failed to connect: ", err)
@@ -133,10 +122,10 @@ __DATA__
133
122
local ok, err = sock:close()
134
123
ngx.say("close: ", ok, " ", err)
135
124
end -- do
125
+
136
126
collectgarbage()
137
127
}
138
128
}
139
-
140
129
--- request
141
130
GET /t
142
131
--- response_body_like chop
@@ -162,12 +151,9 @@ SSL reused session
162
151
163
152
=== TEST 2: bad options table
164
153
--- config
165
- server_tokens off;
166
154
resolver $TEST_NGINX_RESOLVER ipv6=off;
167
- location /t {
168
- #set $port 5000;
169
- set $port $TEST_NGINX_MEMCACHED_PORT;
170
155
156
+ location /t {
171
157
content_by_lua_block {
172
158
local sock = ngx.socket.tcp()
173
159
sock:settimeout(7000)
@@ -183,24 +169,21 @@ SSL reused session
183
169
local session, err = sock:tlshandshake("foo")
184
170
}
185
171
}
186
-
187
172
--- request
188
173
GET /t
189
174
--- ignore_response
190
175
--- error_log eval
191
- qr/\[error\] .* bad options table type /
176
+ qr/\[error\] .* bad options arg: table expected /
192
177
--- no_error_log
193
178
[alert]
194
179
--- timeout: 10
195
180
196
181
197
182
198
- === TEST 3: mutual TLS handshake, upstream is not accessible without client certs
183
+ === TEST 3: mutual TLS handshake, upstream is not accessible without client certs (no options table)
199
184
--- http_config eval: $::mtls_http_config
200
185
--- config eval
201
186
"
202
- server_tokens off;
203
-
204
187
location /t {
205
188
content_by_lua_block {
206
189
local sock = ngx.socket.tcp()
@@ -229,7 +212,6 @@ qr/\[error\] .* bad options table type/
229
212
}
230
213
}
231
214
"
232
-
233
215
--- user_files eval: $::mtls_user_files
234
216
--- request
235
217
GET /t
@@ -242,12 +224,54 @@ GET /t
242
224
243
225
244
226
245
- === TEST 4: mutual TLS handshake, upstream is accessible when client certs are supplied
227
+ === TEST 4: mutual TLS handshake, upstream is not accessible without client certs (empty options table)
246
228
--- http_config eval: $::mtls_http_config
247
229
--- config eval
248
230
"
249
- server_tokens off;
231
+ location /t {
232
+ content_by_lua_block {
233
+ local sock = ngx.socket.tcp()
234
+ local ok, err = sock:connect('unix:$::HtmlDir/mtls.sock')
235
+ if not ok then
236
+ ngx.say('failed to connect: ', err)
237
+ end
238
+
239
+ assert(sock:tlshandshake({}))
240
+
241
+ ngx.say('connected: ', ok)
242
+
243
+ local req = 'GET /\\r\\n'
250
244
245
+ local bytes, err = sock:send(req)
246
+ if not bytes then
247
+ ngx.say('failed to send request: ', err)
248
+ return
249
+ end
250
+
251
+ ngx.say('request sent: ', bytes)
252
+
253
+ ngx.say(sock:receive('*a'))
254
+
255
+ assert(sock:close())
256
+ }
257
+ }
258
+ "
259
+ --- user_files eval: $::mtls_user_files
260
+ --- request
261
+ GET /t
262
+ --- response_body_like: 400 No required SSL certificate was sent
263
+ --- no_error_log
264
+ [alert]
265
+ [error]
266
+ [crit]
267
+ [emerg]
268
+
269
+
270
+
271
+ === TEST 5: mutual TLS handshake, upstream is accessible with client certs
272
+ --- http_config eval: $::mtls_http_config
273
+ --- config eval
274
+ "
251
275
location /t {
252
276
content_by_lua_block {
253
277
local sock = ngx.socket.tcp()
@@ -269,7 +293,7 @@ GET /t
269
293
local chain = assert(ssl.parse_pem_cert(cert_data))
270
294
local priv = assert(ssl.parse_pem_priv_key(key_data))
271
295
272
- assert(sock:tlshandshake({ client_cert = chain, client_priv_key = priv, }))
296
+ assert(sock:tlshandshake({ client_cert = chain, client_priv_key = priv }))
273
297
274
298
ngx.say('connected: ', ok)
275
299
@@ -289,7 +313,6 @@ GET /t
289
313
}
290
314
}
291
315
"
292
-
293
316
--- user_files eval: $::mtls_user_files
294
317
--- request
295
318
GET /t
@@ -305,27 +328,24 @@ hello, CN=foo@example.com,O=OpenResty,ST=California,C=US
305
328
306
329
307
330
308
- === TEST 5 : incorrect type of client cert
331
+ === TEST 6 : incorrect type of client cert
309
332
--- config
310
- server_tokens off;
311
-
312
333
location /t {
313
334
content_by_lua_block {
314
335
local sock = ngx.socket.tcp()
315
- local ok, err = sock:connect(' 127.0.0.1' , ngx.var.server_port)
336
+ local ok, err = sock:connect(" 127.0.0.1" , ngx.var.server_port)
316
337
if not ok then
317
- ngx.say(' failed to connect: ' , err)
338
+ ngx.say(" failed to connect: " , err)
318
339
end
319
340
320
- ok, err = sock:tlshandshake({ client_cert = "doesnt", client_priv_key = "work", })
341
+ ok, err = sock:tlshandshake({ client_cert = "doesnt", client_priv_key = "work" })
321
342
if not ok then
322
- ngx.say(' failed to handshake: ' , err)
343
+ ngx.say(" failed to handshake: " , err)
323
344
end
324
345
325
346
assert(sock:close())
326
347
}
327
348
}
328
-
329
349
--- request
330
350
GET /t
331
351
--- error_code: 500
@@ -334,15 +354,13 @@ GET /t
334
354
[crit]
335
355
[emerg]
336
356
--- error_log
337
- wrong type of client certificate or private key supplied
357
+ bad client_cert option type
338
358
339
359
340
360
341
- === TEST 6 : incorrect type of client key
361
+ === TEST 7 : incorrect type of client key
342
362
--- config eval
343
363
"
344
- server_tokens off;
345
-
346
364
location /t {
347
365
content_by_lua_block {
348
366
local sock = ngx.socket.tcp()
@@ -359,7 +377,7 @@ wrong type of client certificate or private key supplied
359
377
360
378
local chain = assert(ssl.parse_pem_cert(cert_data))
361
379
362
- ok, err = sock:tlshandshake({ client_cert = chain, client_priv_key = 'work', })
380
+ ok, err = sock:tlshandshake({ client_cert = chain, client_priv_key = 'work' })
363
381
if not ok then
364
382
ngx.say('failed to handshake: ', err)
365
383
end
@@ -368,7 +386,6 @@ wrong type of client certificate or private key supplied
368
386
}
369
387
}
370
388
"
371
-
372
389
--- user_files eval: $::mtls_user_files
373
390
--- request
374
391
GET /t
@@ -378,15 +395,13 @@ GET /t
378
395
[crit]
379
396
[emerg]
380
397
--- error_log
381
- wrong type of client certificate or private key supplied
398
+ bad client_priv_key option type
382
399
383
400
384
401
385
- === TEST 7 : missing private key
402
+ === TEST 8 : missing private key
386
403
--- config eval
387
404
"
388
- server_tokens off;
389
-
390
405
location /t {
391
406
content_by_lua_block {
392
407
local sock = ngx.socket.tcp()
@@ -403,7 +418,7 @@ wrong type of client certificate or private key supplied
403
418
404
419
local chain = assert(ssl.parse_pem_cert(cert_data))
405
420
406
- ok, err = sock:tlshandshake({ client_cert = chain, })
421
+ ok, err = sock:tlshandshake({ client_cert = chain })
407
422
if not ok then
408
423
ngx.say('failed to handshake: ', err)
409
424
end
@@ -412,7 +427,6 @@ wrong type of client certificate or private key supplied
412
427
}
413
428
}
414
429
"
415
-
416
430
--- user_files eval: $::mtls_user_files
417
431
--- request
418
432
GET /t
@@ -423,50 +437,3 @@ GET /t
423
437
[emerg]
424
438
--- error_log
425
439
client certificate supplied without corresponding private key
426
-
427
-
428
-
429
- === TEST 8: mutual TLS handshake, upstream is not accessible without empty options table
430
- --- http_config eval: $::mtls_http_config
431
- --- config eval
432
- "
433
- server_tokens off;
434
-
435
- location /t {
436
- content_by_lua_block {
437
- local sock = ngx.socket.tcp()
438
- local ok, err = sock:connect('unix:$::HtmlDir/mtls.sock')
439
- if not ok then
440
- ngx.say('failed to connect: ', err)
441
- end
442
-
443
- assert(sock:tlshandshake({}))
444
-
445
- ngx.say('connected: ', ok)
446
-
447
- local req = 'GET /\\r\\n'
448
-
449
- local bytes, err = sock:send(req)
450
- if not bytes then
451
- ngx.say('failed to send request: ', err)
452
- return
453
- end
454
-
455
- ngx.say('request sent: ', bytes)
456
-
457
- ngx.say(sock:receive('*a'))
458
-
459
- assert(sock:close())
460
- }
461
- }
462
- "
463
-
464
- --- user_files eval: $::mtls_user_files
465
- --- request
466
- GET /t
467
- --- response_body_like: 400 No required SSL certificate was sent
468
- --- no_error_log
469
- [alert]
470
- [error]
471
- [crit]
472
- [emerg]
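Review bot: In the new TEST 4 block (hunk `@@ -242,12 +224,54 @@`), a failed `sock:connect('unix:$::HtmlDir/mtls.sock')` is only reported with `ngx.say('failed to connect: ', err)` and the block then continues into `assert(sock:tlshandshake({}))`, so a connect failure would presumably surface as an assertion error on an unconnected socket (and an [error] entry that `--- no_error_log` rejects) rather than as the message the test prints. Adding `return` directly after that `ngx.say` keeps the failure attributable to the connect step, which is what the expected body `400 No required SSL certificate was sent` is meant to isolate. The same shape is carried over unchanged from the deleted old TEST 8 and appears in the connect prologue of TEST 5 (whose block starts outside its hunk), so it is pre-existing, but this move is the natural point to fix it.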