[PATCH 03 of 20] Tests: separate SSL session reuse tests in mail

Maxim Dounin mdounin at mdounin.ru
Thu Mar 23 14:15:47 UTC 2023 

Hello!

On Wed, Mar 22, 2023 at 01:46:33PM +0400, Sergey Kandaurov wrote:

> > On 18 Mar 2023, at 18:14, Maxim Dounin <mdounin at mdounin.ru> wrote:
> > 
> > # HG changeset patch
> > # User Maxim Dounin <mdounin at mdounin.ru>
> > # Date 1679107816 -10800
> > #      Sat Mar 18 05:50:16 2023 +0300
> > # Node ID 97b09b6633f69747c0d6ef13c76739bdd6b7f3bb
> > # Parent  125fb8461d88a81a62ccb40d0e205a01ecc759f5
> > Tests: separate SSL session reuse tests in mail.
> > 
> > Instead of being mixed with generic SSL tests, session reuse variants
> > are now tested in a separate file.
> > 
> > [..]
> > diff --git a/mail_ssl.t b/mail_ssl_session_reuse.t
> > copy from mail_ssl.t
> > copy to mail_ssl_session_reuse.t
> > --- a/mail_ssl.t
> > +++ b/mail_ssl_session_reuse.t
> > @@ -1,6 +1,7 @@
> > #!/usr/bin/perl
> > 
> > # (C) Andrey Zelenkov
> > +# (C) Maxim Dounin
> > # (C) Nginx, Inc.
> > 
> > # Tests for mail ssl module.
> > @@ -33,11 +34,8 @@ eval {
> > };
> > plan(skip_all => 'Net::SSLeay not installed') if $@;
> > 
> > -eval { exists &Net::SSLeay::P_alpn_selected or die; };
> > -plan(skip_all => 'Net::SSLeay with OpenSSL ALPN support required') if $@;
> > -
> > -my $t = Test::Nginx->new()->has(qw/mail mail_ssl imap pop3 smtp/)
> > -	->has_daemon('openssl')->plan(22);
> > +my $t = Test::Nginx->new()->has(qw/mail mail_ssl imap/)
> > +	->has_daemon('openssl')->plan(7);
> > 
> > $t->write_file_expand('nginx.conf', <<'EOF');
> > 
> > @@ -49,90 +47,62 @@ events {
> > }
> > 
> > mail {
> > -    ssl_certificate_key localhost.key;
> > -    ssl_certificate localhost.crt;
> > -    ssl_session_tickets off;
> > +    auth_http  http://127.0.0.1:8080;
> > 
> > -    ssl_password_file password;
> > -
> > -    auth_http  http://127.0.0.1:8080;	# unused
> > -
> > -    ssl_session_cache none;
> > +    ssl_certificate localhost.crt;
> > +    ssl_certificate_key localhost.key;
> > 
> >     server {
> > -        listen             127.0.0.1:8143;
> > -        listen             127.0.0.1:8145 ssl;
> > -        protocol           imap;
> > -
> > -        ssl_session_cache  builtin;
> > +        listen    127.0.0.1:8993 ssl;
> > +        protocol  imap;
> >     }
> > 
> >     server {
> > -        listen             127.0.0.1:8146 ssl;
> > -        protocol           imap;
> > +        listen    127.0.0.1:8994 ssl;
> > +        protocol  imap;
> > 
> > -        ssl_session_cache  off;
> > +        ssl_session_cache shared:SSL:1m;
> > +        ssl_session_tickets on;
> >     }
> > 
> >     server {
> > -        listen             127.0.0.1:8147;
> > -        protocol           imap;
> > +        listen    127.0.0.1:8995 ssl;
> > +        protocol  imap;
> > 
> > -        # Special case for enabled "ssl" directive.
> > -
> > -        ssl on;
> > -        ssl_session_cache  builtin:1000;
> > +        ssl_session_cache shared:SSL:1m;
> > +        ssl_session_tickets off;
> >     }
> > 
> >     server {
> > -        listen             127.0.0.1:8148 ssl;
> > -        protocol           imap;
> > -
> > -        ssl_session_cache shared:SSL:1m;
> > -        ssl_certificate_key inherits.key;
> > -        ssl_certificate inherits.crt;
> > -    }
> > +        listen    127.0.0.1:8996 ssl;
> > +        protocol  imap;
> > 
> > -    server {
> > -        listen             127.0.0.1:8149;
> > -        protocol           imap;
> > -
> > -        starttls           on;
> > -    }
> > -
> > -    server {
> > -        listen             127.0.0.1:8150;
> > -        protocol           imap;
> > -
> > -        starttls           only;
> > +        ssl_session_cache builtin;
> > +        ssl_session_tickets off;
> >     }
> > 
> >     server {
> > -        listen             127.0.0.1:8151;
> > -        protocol           pop3;
> > +        listen    127.0.0.1:8997 ssl;
> > +        protocol  imap;
> > 
> > -        starttls           on;
> > +        ssl_session_cache builtin:1000;
> > +        ssl_session_tickets off;
> >     }
> > 
> >     server {
> > -        listen             127.0.0.1:8152;
> > -        protocol           pop3;
> > +        listen    127.0.0.1:8998 ssl;
> > +        protocol  imap;
> > 
> > -        starttls           only;
> > +        ssl_session_cache none;
> > +        ssl_session_tickets off;
> >     }
> > 
> >     server {
> > -        listen             127.0.0.1:8153;
> > -        protocol           smtp;
> > -
> > -        starttls           on;
> > -    }
> > +        listen    127.0.0.1:8999 ssl;
> > +        protocol  imap;
> > 
> > -    server {
> > -        listen             127.0.0.1:8154;
> > -        protocol           smtp;
> > -
> > -        starttls           only;
> > +        ssl_session_cache off;
> > +        ssl_session_tickets off;
> >     }
> > }
> > 
> > @@ -148,181 +118,57 @@ EOF
> > 
> > my $d = $t->testdir();
> > 
> > -foreach my $name ('localhost', 'inherits') {
> > -	system("openssl genrsa -out $d/$name.key -passout pass:localhost "
> > -		. "-aes128 2048 >>$d/openssl.out 2>&1") == 0
> > -		or die "Can't create private key: $!\n";
> > +foreach my $name ('localhost') {
> > 	system('openssl req -x509 -new '
> > 		. "-config $d/openssl.conf -subj /CN=$name/ "
> > -		. "-out $d/$name.crt "
> > -		. "-key $d/$name.key -passin pass:localhost"
> > +		. "-out $d/$name.crt -keyout $d/$name.key "
> > 		. ">>$d/openssl.out 2>&1") == 0
> > 		or die "Can't create certificate for $name: $!\n";
> > }
> > 
> > my $ctx = Net::SSLeay::CTX_new() or die("Failed to create SSL_CTX $!");
> > -$t->write_file('password', 'localhost');
> > 
> > -open OLDERR, ">&", \*STDERR; close STDERR;
> > $t->run();
> > -open STDERR, ">&", \*OLDERR;
> > 
> > ###############################################################################
> > 
> > [..]
> > +# session reuse:
> > +#
> > +# - only tickets, the default
> > +# - tickets and shared cache
> 
> "should work always", like in http and stream?

Added, thanks.

> > +# - only shared cache
> > +# - only builtin cache
> > +# - only builtin cache with explicitly configured size
> > +# - only cache none
> > +# - only cache off
> > 
> > [..]
> > +is(test_reuse(8993), 1, 'tickets reused');
> > +is(test_reuse(8994), 1, 'tickets and cache reused');
> > +is(test_reuse(8995), 1, 'cache shared reused');
> > +is(test_reuse(8996), 1, 'cache builtin reused');
> > +is(test_reuse(8997), 1, 'cache builtin size reused');
> > +is(test_reuse(8998), 0, 'cache none not reused');
> > +is(test_reuse(8999), 0, 'cache off not reused');
> > 
> > ###############################################################################
> > 
> > +sub test_reuse {
> > +	my ($port) = @_;
> > +	my ($s, $ssl) = get_ssl_socket($port);
> > +	Net::SSLeay::read($ssl);
> > +	my $ses = Net::SSLeay::get_session($ssl);
> > +	($s, $ssl) = get_ssl_socket($port, $ses);
> > +	return Net::SSLeay::session_reused($ssl);
> > +}
> > +
> > sub get_ssl_socket {
> > -	my ($port, $ses, $alpn) = @_;
> > +	my ($port, $ses) = @_;
> > 
> > 	my $s = IO::Socket::INET->new('127.0.0.1:' . port($port));
> > 	my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!");
> > 	Net::SSLeay::set_session($ssl, $ses) if defined $ses;
> > -	Net::SSLeay::set_alpn_protos($ssl, $alpn) if defined $alpn;
> > 	Net::SSLeay::set_fd($ssl, fileno($s));
> > 	Net::SSLeay::connect($ssl) == 1 or return;
> 
> Since this won't fail anymore on ALPN checks,
> you can convert this back to die.

Strictly speaking, it shouldn't die regardless of whether 
connect() can legitimately fail during tests or not.  If connect() 
fails (for example, due to a bug in some of the session reuse 
variants), it still should run other tests.

Fixing this (and other issues, such as missing timeout and SIGPIPE 
handling) is out of the scope of this patch series though.

> > 	return ($s, $ssl);

-- 
Maxim Dounin
http://mdounin.ru/

More information about the nginx-devel mailing list