# HG changeset patch # User Valentin Bartenev # Date 1347892340 -14400 # Node ID 21c20b866f5a40417d22d8adf7929df8faa63fb2 # Parent 62114a0c13896f1bb83410fb9544bcf5488d0706 Tests: https sni tests. diff -r 62114a0c1389 -r 21c20b866f5a lib/Test/Nginx.pm --- a/lib/Test/Nginx.pm Tue Sep 11 19:29:14 2012 +0400 +++ b/lib/Test/Nginx.pm Mon Sep 17 18:32:20 2012 +0400 @@ -69,6 +69,8 @@ sub has_module($) { my %regex = ( mail => '--with-mail(?!\S)', + ssl => '--with-http_ssl_module', + sni => 'TLS SNI support enabled', flv => '--with-http_flv_module', perl => '--with-http_perl_module', charset => '(?s)^(?!.*--without-http_charset_module)', @@ -387,7 +389,7 @@ sub http($;%) { local $SIG{ALRM} = sub { die "timeout\n" }; local $SIG{PIPE} = sub { die "sigpipe\n" }; alarm(2); - my $s = IO::Socket::INET->new( + my $s = $extra{socket} || IO::Socket::INET->new( Proto => 'tcp', PeerAddr => '127.0.0.1:8080' ); diff -r 62114a0c1389 -r 21c20b866f5a ssl_sni.t --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/ssl_sni.t Mon Sep 17 18:32:20 2012 +0400 @@ -0,0 +1,158 @@ +#!/usr/bin/perl + +# (C) Maxim Dounin +# (C) Valentin Bartenev + +# Tests for Server Name Indication (SNI) TLS extension + +############################################################################### + +use warnings; +use strict; + +use Test::More; + +BEGIN { use FindBin; chdir($FindBin::Bin); } + +use lib 'lib'; +use Test::Nginx; + +############################################################################### + +select STDERR; $| = 1; +select STDOUT; $| = 1; + +eval "use IO::Socket::SSL 1.56"; +Test::More::plan(skip_all => "IO::Socket::SSL >= 1.56 not found") if $@; + +my $t = Test::Nginx->new()->has(qw/http ssl sni rewrite/) + ->has_daemon('openssl')->plan(6) + ->write_file_expand('nginx.conf', <<'EOF'); + +%%TEST_GLOBALS%% + +daemon off; + +events { +} + +http { + %%TEST_GLOBALS_HTTP%% + + ssl_certificate_key test.key; + + server { + listen 127.0.0.1:4433 ssl; + server_name localhost; + + ssl_certificate localhost.crt; + + underscores_in_headers off; + + location / { + return 200 $server_name; + } + } + + server { + listen 127.0.0.1:4433; + server_name example.com; + + ssl_certificate example.com.crt; + + underscores_in_headers on; + + location / { + return 200 $server_name; + } + + location /header { + return 200 $http_special_header; + } + } +} + +EOF + +my $d = $t->testdir(); + +system('openssl', 'genrsa', '-out', "$d/test.key", '2048') == 0 + or die "system() failed: $?\n"; + +foreach my $crt ('localhost', 'example.com'){ + system('openssl', 'req', '-new', + '-subj', '/C=RU/ST=Moscow/L=Moscow/O=test/OU=none' + . "/CN=$crt/emailAddress=test\@$crt/", + '-key', "$d/test.key", '-out', "$d/$crt.csr") == 0 + or die "system() failed: $?\n"; + + system('openssl', 'x509', '-req', '-days', '7', '-in', "$d/$crt.csr", + '-signkey', "$d/test.key", '-out', "$d/$crt.crt") == 0 + or die "system() failed: $?\n"; +} + +$t->run(); + +############################################################################### + +is(get_cert_cn(), 'localhost', 'default cert'); +is(get_cert_cn('example.com'), 'example.com', 'sni cert'); + +like(https_get_host('example.com'), qr!example.com!, + 'host exists, sni exists, and host is equal sni'); + +like(https_get_host('example.com', 'example.org'), qr!example.com!, + 'host exists, sni not found'); + +TODO: { +local $TODO = 'sni restrictions'; + +like(https_get_host('example.com', 'localhost'), qr!400 Bad Request!, + 'host exists, sni exists, and host is not equal sni'); + +like(https_get_host('example.org', 'example.com'), qr!400 Bad Request!, + 'host not found, sni exists'); + +} + +############################################################################### + +sub get_ssl_socket { + my $s = eval { + local $SIG{ALRM} = sub { die "timeout\n" }; + local $SIG{PIPE} = sub { die "sigpipe\n" }; + my ($host) = @_; + alarm(2); + return IO::Socket::SSL->new( + Proto => 'tcp', + PeerAddr => '127.0.0.1:4433', + SSL_hostname => $host, + SSL_error_trap => sub { die $_[1] } + ); + }; + alarm(0); + if ($@) { + log_in("died: $@"); + return undef; + } + return $s; +} + +sub get_cert_cn { + my ($host) = @_; + my $s = get_ssl_socket($host) or return undef; + $s->dump_peer_certificate() =~ qr!/CN=([^/]+)/!; + return $1; +} + +sub https_get_host { + my ($host, $sni) = @_; + my $s = get_ssl_socket($sni ? $sni : $host) or return undef; + return http(< $s); +GET / HTTP/1.0 +Host: $host + +EOF +} + +############################################################################### -----------------------------133262441816995199391148796555 Content-Disposition: form-data; name="description" File to use with nautilus/put