[PATCH 03 of 20] Tests: separate SSL session reuse tests in mail

Sergey Kandaurov pluknet at nginx.com
Wed Mar 22 09:46:33 UTC 2023


> On 18 Mar 2023, at 18:14, Maxim Dounin <mdounin at mdounin.ru> wrote:
> 
> # HG changeset patch
> # User Maxim Dounin <mdounin at mdounin.ru>
> # Date 1679107816 -10800
> #      Sat Mar 18 05:50:16 2023 +0300
> # Node ID 97b09b6633f69747c0d6ef13c76739bdd6b7f3bb
> # Parent  125fb8461d88a81a62ccb40d0e205a01ecc759f5
> Tests: separate SSL session reuse tests in mail.
> 
> Instead of being mixed with generic SSL tests, session reuse variants
> are now tested in a separate file.
> 
> [..]
> diff --git a/mail_ssl.t b/mail_ssl_session_reuse.t
> copy from mail_ssl.t
> copy to mail_ssl_session_reuse.t
> --- a/mail_ssl.t
> +++ b/mail_ssl_session_reuse.t
> @@ -1,6 +1,7 @@
> #!/usr/bin/perl
> 
> # (C) Andrey Zelenkov
> +# (C) Maxim Dounin
> # (C) Nginx, Inc.
> 
> # Tests for mail ssl module.
> @@ -33,11 +34,8 @@ eval {
> };
> plan(skip_all => 'Net::SSLeay not installed') if $@;
> 
> -eval { exists &Net::SSLeay::P_alpn_selected or die; };
> -plan(skip_all => 'Net::SSLeay with OpenSSL ALPN support required') if $@;
> -
> -my $t = Test::Nginx->new()->has(qw/mail mail_ssl imap pop3 smtp/)
> -	->has_daemon('openssl')->plan(22);
> +my $t = Test::Nginx->new()->has(qw/mail mail_ssl imap/)
> +	->has_daemon('openssl')->plan(7);
> 
> $t->write_file_expand('nginx.conf', <<'EOF');
> 
> @@ -49,90 +47,62 @@ events {
> }
> 
> mail {
> -    ssl_certificate_key localhost.key;
> -    ssl_certificate localhost.crt;
> -    ssl_session_tickets off;
> +    auth_http  http://127.0.0.1:8080;
> 
> -    ssl_password_file password;
> -
> -    auth_http  http://127.0.0.1:8080;	# unused
> -
> -    ssl_session_cache none;
> +    ssl_certificate localhost.crt;
> +    ssl_certificate_key localhost.key;
> 
>     server {
> -        listen             127.0.0.1:8143;
> -        listen             127.0.0.1:8145 ssl;
> -        protocol           imap;
> -
> -        ssl_session_cache  builtin;
> +        listen    127.0.0.1:8993 ssl;
> +        protocol  imap;
>     }
> 
>     server {
> -        listen             127.0.0.1:8146 ssl;
> -        protocol           imap;
> +        listen    127.0.0.1:8994 ssl;
> +        protocol  imap;
> 
> -        ssl_session_cache  off;
> +        ssl_session_cache shared:SSL:1m;
> +        ssl_session_tickets on;
>     }
> 
>     server {
> -        listen             127.0.0.1:8147;
> -        protocol           imap;
> +        listen    127.0.0.1:8995 ssl;
> +        protocol  imap;
> 
> -        # Special case for enabled "ssl" directive.
> -
> -        ssl on;
> -        ssl_session_cache  builtin:1000;
> +        ssl_session_cache shared:SSL:1m;
> +        ssl_session_tickets off;
>     }
> 
>     server {
> -        listen             127.0.0.1:8148 ssl;
> -        protocol           imap;
> -
> -        ssl_session_cache shared:SSL:1m;
> -        ssl_certificate_key inherits.key;
> -        ssl_certificate inherits.crt;
> -    }
> +        listen    127.0.0.1:8996 ssl;
> +        protocol  imap;
> 
> -    server {
> -        listen             127.0.0.1:8149;
> -        protocol           imap;
> -
> -        starttls           on;
> -    }
> -
> -    server {
> -        listen             127.0.0.1:8150;
> -        protocol           imap;
> -
> -        starttls           only;
> +        ssl_session_cache builtin;
> +        ssl_session_tickets off;
>     }
> 
>     server {
> -        listen             127.0.0.1:8151;
> -        protocol           pop3;
> +        listen    127.0.0.1:8997 ssl;
> +        protocol  imap;
> 
> -        starttls           on;
> +        ssl_session_cache builtin:1000;
> +        ssl_session_tickets off;
>     }
> 
>     server {
> -        listen             127.0.0.1:8152;
> -        protocol           pop3;
> +        listen    127.0.0.1:8998 ssl;
> +        protocol  imap;
> 
> -        starttls           only;
> +        ssl_session_cache none;
> +        ssl_session_tickets off;
>     }
> 
>     server {
> -        listen             127.0.0.1:8153;
> -        protocol           smtp;
> -
> -        starttls           on;
> -    }
> +        listen    127.0.0.1:8999 ssl;
> +        protocol  imap;
> 
> -    server {
> -        listen             127.0.0.1:8154;
> -        protocol           smtp;
> -
> -        starttls           only;
> +        ssl_session_cache off;
> +        ssl_session_tickets off;
>     }
> }
> 
> @@ -148,181 +118,57 @@ EOF
> 
> my $d = $t->testdir();
> 
> -foreach my $name ('localhost', 'inherits') {
> -	system("openssl genrsa -out $d/$name.key -passout pass:localhost "
> -		. "-aes128 2048 >>$d/openssl.out 2>&1") == 0
> -		or die "Can't create private key: $!\n";
> +foreach my $name ('localhost') {
> 	system('openssl req -x509 -new '
> 		. "-config $d/openssl.conf -subj /CN=$name/ "
> -		. "-out $d/$name.crt "
> -		. "-key $d/$name.key -passin pass:localhost"
> +		. "-out $d/$name.crt -keyout $d/$name.key "
> 		. ">>$d/openssl.out 2>&1") == 0
> 		or die "Can't create certificate for $name: $!\n";
> }
> 
> my $ctx = Net::SSLeay::CTX_new() or die("Failed to create SSL_CTX $!");
> -$t->write_file('password', 'localhost');
> 
> -open OLDERR, ">&", \*STDERR; close STDERR;
> $t->run();
> -open STDERR, ">&", \*OLDERR;
> 
> ###############################################################################
> 
> [..]
> +# session reuse:
> +#
> +# - only tickets, the default
> +# - tickets and shared cache

"should work always", like in http and stream?

> +# - only shared cache
> +# - only builtin cache
> +# - only builtin cache with explicitly configured size
> +# - only cache none
> +# - only cache off
> 
> [..]
> +is(test_reuse(8993), 1, 'tickets reused');
> +is(test_reuse(8994), 1, 'tickets and cache reused');
> +is(test_reuse(8995), 1, 'cache shared reused');
> +is(test_reuse(8996), 1, 'cache builtin reused');
> +is(test_reuse(8997), 1, 'cache builtin size reused');
> +is(test_reuse(8998), 0, 'cache none not reused');
> +is(test_reuse(8999), 0, 'cache off not reused');
> 
> ###############################################################################
> 
> +sub test_reuse {
> +	my ($port) = @_;
> +	my ($s, $ssl) = get_ssl_socket($port);
> +	Net::SSLeay::read($ssl);
> +	my $ses = Net::SSLeay::get_session($ssl);
> +	($s, $ssl) = get_ssl_socket($port, $ses);
> +	return Net::SSLeay::session_reused($ssl);
> +}
> +
> sub get_ssl_socket {
> -	my ($port, $ses, $alpn) = @_;
> +	my ($port, $ses) = @_;
> 
> 	my $s = IO::Socket::INET->new('127.0.0.1:' . port($port));
> 	my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!");
> 	Net::SSLeay::set_session($ssl, $ses) if defined $ses;
> -	Net::SSLeay::set_alpn_protos($ssl, $alpn) if defined $alpn;
> 	Net::SSLeay::set_fd($ssl, fileno($s));
> 	Net::SSLeay::connect($ssl) == 1 or return;

Since this won't fail anymore on ALPN checks,
you can convert this back to die.

> 	return ($s, $ssl);

-- 
Sergey Kandaurov


More information about the nginx-devel mailing list