登录 注册
开源 企业版 高校版 私有云 Gitee AI NEW
扫描微信二维码支付
取消
支付完成
Watch
不关注 关注所有动态 仅关注版本发行动态 关注但不提醒动态
2 Star 0 Fork 0

mirrors_nginx/nginx-tests

代码 Wiki 统计 流水线
服务
加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
文件
克隆/下载
ssl_cache.t 5.16 KB
一键复制 编辑 原始数据 按行查看 历史
Sergey Kandaurov 提交于 2024-10-08 14:48 . Tests: skip ssl_cache.t server certificate verify if not supported.
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219
#!/usr/bin/perl



# (C) Nginx, Inc.



# Tests for SSL object cache.



###############################################################################



use warnings;

use strict;



use Test::More;



use POSIX qw/ mkfifo /;



BEGIN { use FindBin; chdir($FindBin::Bin); }



use lib 'lib';

use Test::Nginx;



###############################################################################



select STDERR; $| = 1;

select STDOUT; $| = 1;



plan(skip_all => 'win32') if $^O eq 'MSWin32';



my $t = Test::Nginx->new();



plan(skip_all => "not yet") unless $t->has_version('1.27.2');



$t->has(qw/http http_ssl proxy socket_ssl/)->has_daemon('openssl')

	->write_file_expand('nginx.conf', <<'EOF');



%%TEST_GLOBALS%%



daemon off;



events {

}



http {

    %%TEST_GLOBALS_HTTP%%



    server {

        listen       127.0.0.1:8443 ssl;

        server_name  1.example.com;



        ssl_certificate 1.example.com.crt.fifo;

        ssl_certificate_key 1.example.com.key.fifo;



        ssl_trusted_certificate root.crt.fifo;

        ssl_crl root.crl.fifo;

    }



    server {

        listen       127.0.0.1:8444 ssl;

        server_name  1.example.com;



        ssl_certificate %%TESTDIR%%/1.example.com.crt.fifo;

        ssl_certificate_key %%TESTDIR%%/1.example.com.key.fifo;



        ssl_trusted_certificate %%TESTDIR%%/root.crt.fifo;

        ssl_crl %%TESTDIR%%/root.crl.fifo;

    }



    server {

        listen       127.0.0.1:8445 ssl;

        server_name  2.example.com;



        add_header X-Verify $ssl_client_verify:$ssl_client_s_dn;



        ssl_certificate 2.example.com.crt.fifo;

        ssl_certificate_key 2.example.com.key.fifo;



        ssl_verify_client on;

        ssl_client_certificate root.crt.fifo;

        ssl_crl root.crl.fifo;

    }



    server {

        listen       127.0.0.1:8080;

        server_name  localhost;



        location / {

            proxy_pass https://127.0.0.1:8445;



            proxy_ssl_certificate 1.example.com.crt.fifo;

            proxy_ssl_certificate_key 1.example.com.key.fifo;



            proxy_ssl_name 2.example.com;

            proxy_ssl_verify on;

            proxy_ssl_trusted_certificate root.crt.fifo;

            proxy_ssl_crl root.crl.fifo;

        }

    }

}



EOF



my $d = $t->testdir();



$t->write_file('openssl.conf', <<EOF);

[ req ]

default_bits = 2048

encrypt_key = no

distinguished_name = req_distinguished_name

x509_extensions = myca_extensions

[ req_distinguished_name ]

[ myca_extensions ]

basicConstraints = critical,CA:TRUE

EOF



$t->write_file('ca.conf', <<EOF);

[ ca ]

default_ca = myca



[ myca ]

new_certs_dir = $d

database = $d/certindex

default_md = sha256

policy = myca_policy

serial = $d/certserial

default_days = 1



[ myca_policy ]

commonName = supplied

EOF



foreach my $name ('root') {

	system('openssl req -x509 -new '

		. "-config $d/openssl.conf -subj /CN=$name/ "

		. "-out $d/$name.crt -keyout $d/$name.key "

		. ">>$d/openssl.out 2>&1") == 0

		or die "Can't create certificate for $name: $!\n";

}



$t->write_file('certserial', '1000');

$t->write_file('certindex', '');



foreach my $name ('1.example.com', '2.example.com') {

	system('openssl req -new '

		. "-config $d/openssl.conf -subj /CN=$name/ "

		. "-out $d/$name.csr -keyout $d/$name.key "

		. ">>$d/openssl.out 2>&1") == 0

		or die "Can't create certificate for $name: $!\n";



	system("openssl ca -batch -config $d/ca.conf "

		. "-keyfile $d/root.key -cert $d/root.crt "

		. "-subj /CN=$name/ -in $d/$name.csr -out $d/$name.crt "

		. ">>$d/openssl.out 2>&1") == 0

		or die "Can't sign certificate for $name: $!\n";

}



system("openssl ca -gencrl -config $d/ca.conf "

	. "-keyfile $d/root.key -cert $d/root.crt "

	. "-out $d/root.crl -crldays 1 "

	. ">>$d/openssl.out 2>&1") == 0

	or die "Can't update crl: $!\n";



foreach my $name ('root.crt', 'root.crl', '1.example.com.crt',

	'1.example.com.key', '2.example.com.crt', '2.example.com.key')

{

	mkfifo("$d/$name.fifo", 0700);

	$t->run_daemon(\&fifo_writer_daemon, $t, $name);

}



$t->write_file('t', '');



$t->plan(4)->run();



###############################################################################



like(get(8443, '1.example.com'), qr/200 OK/, 'cached certificate');

like(get(8444, '1.example.com'), qr/200 OK/, 'absolute path');



like(get(8445, '2.example.com', '1.example.com'),

	qr/200 OK.*SUCCESS:.*1\.example\.com/s, 'cached CA and CRL');



like(http_get('/t'), qr/200 OK.*SUCCESS:.*1\.example\.com/s, 'proxy ssl');



###############################################################################



sub get {

	my ($port, $ca, $cert) = @_;



	$ca = undef if $IO::Socket::SSL::VERSION < 2.062

		|| !eval { Net::SSLeay::X509_V_FLAG_PARTIAL_CHAIN() };



	http_get('/t',

		PeerAddr => '127.0.0.1:' . port($port),

		SSL => 1,

		$ca ? (

		SSL_ca_file => "$d/$ca.crt",

		SSL_verifycn_name => $ca,

		SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_PEER(),

		) : (),

		$cert ? (

		SSL_cert_file => "$d/$cert.crt",

		SSL_key_file => "$d/$cert.key"

		) : ()

	);

}



###############################################################################



sub fifo_writer_daemon {

	my ($t, $name) = @_;



	my $content = $t->read_file($name);



	while (1) {

		$t->write_file("$name.fifo", $content);

		# reset content after the first read

		$content = "";

	}

}



###############################################################################
马建仓 AI 助手
尝试更多
代码解读
代码找茬
代码优化
1
https://gitee.com/mirrors_nginx/nginx-tests.git
git@gitee.com:mirrors_nginx/nginx-tests.git
mirrors_nginx
nginx-tests
nginx-tests
master
点此查找更多帮助

搜索帮助

Git 命令在线学习 如何在 Gitee 导入 GitHub 仓库
Git 仓库基础操作
企业版和社区版功能对比
SSH 公钥设置
如何处理代码冲突
仓库体积过大,如何减小?
如何找回被删除的仓库数据
Gitee 产品配额说明
GitHub仓库快速导入Gitee及同步更新
什么是 Release(发行版)
将 PHP 项目自动发布到 packagist.org
评论
仓库举报
回到顶部
0d507c66 1850385 C8b1a773 1850385