[nginx-tests] Tests: upstream certificates specified as an empty string.
Eugene Grebenschikov
E.Grebenshchikov at F5.com
Thu Sep 29 00:02:32 UTC 2022
changeset: 1797:c2c188c91488
tag: tip
user: Eugene Grebenshchikov <e.grebenshchikov at f5.com>
date: Wed Sep 28 16:29:50 2022 -0700
summary: Tests: upstream certificates specified as an empty string.
diff -r e1fd234baac0 -r c2c188c91488 grpc_ssl.t
--- a/grpc_ssl.t Tue Sep 27 16:11:56 2022 -0700
+++ b/grpc_ssl.t Wed Sep 28 16:29:50 2022 -0700
@@ -29,7 +29,7 @@
$t->{_configure_args} =~ /OpenSSL ([\d\.]+)/;
plan(skip_all => 'OpenSSL too old') unless defined $1 and $1 ge '1.0.2';
-$t->write_file_expand('nginx.conf', <<'EOF')->plan(38);
+$t->write_file_expand('nginx.conf', <<'EOF')->plan(39);
%%TEST_GLOBALS%%
@@ -46,6 +46,8 @@
keepalive 1;
}
+ grpc_ssl_session_reuse off;
+
server {
listen 127.0.0.1:8081 http2 ssl;
server_name localhost;
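Review bot: `grpc_ssl_session_reuse off;` is added at http level without a comment, so it changes every upstream handshake in this file, not only the new /nocert case. Presumably it is there so that /nocert performs a full handshake instead of resuming a session negotiated with a client certificate, which could leave `$ssl_client_verify` reporting the earlier state. If so, say it in the config, e.g. `# full handshake each time, so $ssl_client_verify reflects the certificate sent on this connection`. Consider moving the directive into the /nocert location if the other tests are meant to keep running with session reuse enabled. The http block starts and ends outside the hunk.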
@@ -61,6 +63,7 @@
location / {
grpc_pass 127.0.0.1:8082;
add_header X-Connection $connection;
+ add_header X-Verify $ssl_client_verify;
}
}
@@ -89,6 +92,13 @@
}
}
+ location /nocert {
+ grpc_pass grpcs://127.0.0.1:8081;
+
+ grpc_ssl_certificate "";
+ grpc_ssl_certificate_key "";
+ }
+
location /KeepAlive {
grpc_pass grpcs://u;
}
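Review bot: The /nocert location sets the empty values only at its own level, so it shows that an empty string means "no certificate", not that an empty string cancels a certificate inherited from an outer level. The enclosing server block is outside the hunk, so whether a `grpc_ssl_certificate` is set there cannot be seen here. If none is, a second case with the certificate at server level and `""` in the location would cover the override path. The same applies to the /nocert blocks added in proxy_ssl_certificate.t and uwsgi_ssl_certificate.t, and to the new server in stream_proxy_ssl_certificate.t.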
@@ -232,6 +242,14 @@
($frame) = grep { $_->{type} eq "HEADERS" } @$frames;
is($frame->{headers}{'x-connection'}, $c, 'keepalive - connection reuse');
+# no client certificate
+
+$f->{http_start}('/nocert');
+$f->{data}('Hello');
+$frames = $f->{http_end}();
+($frame) = grep { $_->{type} eq "HEADERS" } @$frames;
+is($frame->{headers}{'x-verify'}, 'NONE', 'request - no client certificate');
+
###############################################################################
sub grpc {
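Review bot: The new check asserts only `NONE`, and nothing in the visible hunks of grpc_ssl.t asserts the opposite outcome. It would therefore also pass if the backend on 8081 never requested a client certificate or if `X-Verify` were always `NONE`. The other three test files touched here sit the new check next to `X-Verify: SUCCESS` and `FAILED` assertions. Adding a control on a request that does present a certificate, e.g. `is($frame->{headers}{'x-verify'}, 'SUCCESS', 'request - client certificate');` with the plan raised to 40, would show that the header distinguishes the two cases. The rest of the test body and the body of sub grpc are outside the hunk.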
diff -r e1fd234baac0 -r c2c188c91488 proxy_ssl_certificate.t
--- a/proxy_ssl_certificate.t Tue Sep 27 16:11:56 2022 -0700
+++ b/proxy_ssl_certificate.t Wed Sep 28 16:29:50 2022 -0700
@@ -24,7 +24,7 @@
select STDOUT; $| = 1;
my $t = Test::Nginx->new()->has(qw/http http_ssl proxy/)
- ->has_daemon('openssl')->plan(5);
+ ->has_daemon('openssl')->plan(6);
$t->write_file_expand('nginx.conf', <<'EOF');
@@ -62,6 +62,12 @@
proxy_ssl_certificate_key 3.example.com.key;
proxy_ssl_password_file password;
}
+
+ location /nocert {
+ proxy_pass https://127.0.0.1:8082/;
+ proxy_ssl_certificate "";
+ proxy_ssl_certificate_key "";
+ }
}
server {
@@ -139,6 +145,7 @@
like(http_get('/verify'), qr/X-Verify: SUCCESS/ms, 'verify certificate');
like(http_get('/fail'), qr/X-Verify: FAILED/ms, 'fail certificate');
+like(http_get('/nocert'), qr/X-Verify: NONE/ms, 'no certificate');
like(http_get('/encrypted'), qr/X-Verify: SUCCESS/ms, 'with encrypted key');
like(http_get('/verify'), qr!X-Name: /?CN=1.example!, 'valid certificate');
diff -r e1fd234baac0 -r c2c188c91488 stream_proxy_ssl_certificate.t
--- a/stream_proxy_ssl_certificate.t Tue Sep 27 16:11:56 2022 -0700
+++ b/stream_proxy_ssl_certificate.t Wed Sep 28 16:29:50 2022 -0700
@@ -24,7 +24,7 @@
select STDOUT; $| = 1;
my $t = Test::Nginx->new()->has(qw/stream stream_ssl http http_ssl/)
- ->has_daemon('openssl')->plan(5);
+ ->has_daemon('openssl')->plan(6);
$t->write_file_expand('nginx.conf', <<'EOF');
@@ -65,6 +65,14 @@
proxy_ssl_certificate_key 3.example.com.key;
proxy_ssl_password_file password;
}
+
+ server {
+ listen 127.0.0.1:8085;
+ proxy_pass 127.0.0.1:8080;
+
+ proxy_ssl_certificate "";
+ proxy_ssl_certificate_key "";
+ }
}
http {
@@ -149,6 +157,8 @@
qr/X-Verify: FAILED/ms, 'fail certificate');
like(http_get('/', socket => getconn('127.0.0.1:' . port(8084))),
qr/X-Verify: SUCCESS/ms, 'with encrypted key');
+like(http_get('/', socket => getconn('127.0.0.1:' . port(8085))),
+ qr/X-Verify: NONE/ms, 'no certificate');
like(http_get('/', socket => getconn('127.0.0.1:' . port(8082))),
qr!X-Name: /?CN=1.example!, 'valid certificate');
diff -r e1fd234baac0 -r c2c188c91488 uwsgi_ssl_certificate.t
--- a/uwsgi_ssl_certificate.t Tue Sep 27 16:11:56 2022 -0700
+++ b/uwsgi_ssl_certificate.t Wed Sep 28 16:29:50 2022 -0700
@@ -24,7 +24,7 @@
select STDOUT; $| = 1;
my $t = Test::Nginx->new()->has(qw/http http_ssl uwsgi/)
- ->has_daemon('openssl')->plan(5);
+ ->has_daemon('openssl')->plan(6);
$t->write_file_expand('nginx.conf', <<'EOF');
@@ -62,6 +62,12 @@
uwsgi_ssl_certificate_key 3.example.com.key;
uwsgi_ssl_password_file password;
}
+
+ location /nocert {
+ uwsgi_pass suwsgi://127.0.0.1:8081;
+ uwsgi_ssl_certificate "";
+ uwsgi_ssl_certificate_key "";
+ }
}
# stub to implement SSL logic for tests
@@ -137,6 +143,7 @@
like(http_get('/verify'), qr/X-Verify: SUCCESS/ms, 'verify certificate');
like(http_get('/fail'), qr/X-Verify: FAILED/ms, 'fail certificate');
+like(http_get('/nocert'), qr/X-Verify: NONE/ms, 'no certificate');
like(http_get('/encrypted'), qr/X-Verify: SUCCESS/ms, 'with encrypted key');
like(http_get('/verify'), qr!X-Name: /?CN=1.example!, 'valid certificate');