[PATCH 05 of 20] Tests: separate SSL session reuse tests in stream

Sergey Kandaurov pluknet at nginx.com
Wed Mar 22 09:55:48 UTC 2023


> On 18 Mar 2023, at 18:15, Maxim Dounin <mdounin at mdounin.ru> wrote:
> 
> # HG changeset patch
> # User Maxim Dounin <mdounin at mdounin.ru>
> # Date 1679140351 -10800
> #      Sat Mar 18 14:52:31 2023 +0300
> # Node ID 530336cb449dcb028a55a5a401a122d07521e3a4
> # Parent  3ab3b2d1c2e67bc1f05e386218ceb08da873a477
> Tests: separate SSL session reuse tests in stream.
> 
> Instead of being mixed with generic SSL tests, session reuse variants
> are now tested in a separate file.
> 
> diff --git a/stream_ssl.t b/stream_ssl.t
> --- a/stream_ssl.t
> +++ b/stream_ssl.t
> @@ -37,7 +37,7 @@ plan(skip_all => 'win32') if $^O eq 'MSW
> 
> my $t = Test::Nginx->new()->has(qw/stream stream_ssl/)->has_daemon('openssl');
> 
> -$t->plan(7)->write_file_expand('nginx.conf', <<'EOF');
> +$t->plan(5)->write_file_expand('nginx.conf', <<'EOF');
> 
> %%TEST_GLOBALS%%
> 
> @@ -51,40 +51,35 @@ stream {
> 
>     ssl_certificate_key localhost.key;
>     ssl_certificate localhost.crt;
> -    ssl_session_tickets off;
> 
>     # inherited by server "inherits"
>     ssl_password_file password_stream;
> 
>     server {
> -        listen      127.0.0.1:8080 ssl;
> +        listen      127.0.0.1:8443 ssl;
>         proxy_pass  127.0.0.1:8081;
> 
> -        ssl_session_cache builtin;
>         ssl_password_file password;
>     }
> 
>     server {
> -        listen      127.0.0.1:8082 ssl;
> +        listen      127.0.0.1:8444 ssl;
>         proxy_pass  127.0.0.1:8081;
> 
> -        ssl_session_cache off;
>         ssl_password_file password_many;
>     }
> 
>     server {
> -        listen      127.0.0.1:8083 ssl;
> +        listen      127.0.0.1:8445 ssl;
>         proxy_pass  127.0.0.1:8081;
> 
> -        ssl_session_cache builtin:1000;
>         ssl_password_file password_fifo;
>     }
> 
>     server {
> -        listen      127.0.0.1:8084 ssl;
> +        listen      127.0.0.1:8446 ssl;
>         proxy_pass  127.0.0.1:8081;
> 
> -        ssl_session_cache shared:SSL:1m;
>         ssl_certificate_key inherits.key;
>         ssl_certificate inherits.crt;
>     }
> @@ -138,52 +133,26 @@ kill 'INT', $p if $@;
> 
> ###############################################################################
> 
> -my ($s, $ssl, $ses);
> +my ($s, $ssl);
> 
> -($s, $ssl) = get_ssl_socket(port(8080));
> +($s, $ssl) = get_ssl_socket(8443);
> Net::SSLeay::write($ssl, "GET / HTTP/1.0$CRLF$CRLF");
> like(Net::SSLeay::read($ssl), qr/200 OK/, 'ssl');
> 
> -# ssl_session_cache
> -
> -($s, $ssl) = get_ssl_socket(port(8080));
> +($s, $ssl) = get_ssl_socket(8444);
> Net::SSLeay::write($ssl, "GET / HTTP/1.0$CRLF$CRLF");
> -Net::SSLeay::read($ssl);
> -$ses = Net::SSLeay::get_session($ssl);
> -
> -($s, $ssl) = get_ssl_socket(port(8080), $ses);
> -is(Net::SSLeay::session_reused($ssl), 1, 'builtin session reused');
> -
> -($s, $ssl) = get_ssl_socket(port(8082));
> -Net::SSLeay::write($ssl, "GET / HTTP/1.0$CRLF$CRLF");
> -Net::SSLeay::read($ssl);
> -$ses = Net::SSLeay::get_session($ssl);
> +like(Net::SSLeay::read($ssl), qr/200 OK/, 'ssl password many');
> 
> -($s, $ssl) = get_ssl_socket(port(8082), $ses);
> -isnt(Net::SSLeay::session_reused($ssl), 1, 'session not reused');
> -
> -($s, $ssl) = get_ssl_socket(port(8083));
> +($s, $ssl) = get_ssl_socket(8444);

should be 8445

> Net::SSLeay::write($ssl, "GET / HTTP/1.0$CRLF$CRLF");
> -Net::SSLeay::read($ssl);
> -$ses = Net::SSLeay::get_session($ssl);
> -
> -($s, $ssl) = get_ssl_socket(port(8083), $ses);
> -is(Net::SSLeay::session_reused($ssl), 1, 'builtin size session reused');
> -
> -($s, $ssl) = get_ssl_socket(port(8084));
> -Net::SSLeay::write($ssl, "GET / HTTP/1.0$CRLF$CRLF");
> -Net::SSLeay::read($ssl);
> -$ses = Net::SSLeay::get_session($ssl);
> -
> -($s, $ssl) = get_ssl_socket(port(8084), $ses);
> -is(Net::SSLeay::session_reused($ssl), 1, 'shared session reused');
> +like(Net::SSLeay::read($ssl), qr/200 OK/, 'ssl password fifo');
> 
> # ssl_certificate inheritance
> 
> -($s, $ssl) = get_ssl_socket(port(8080));
> +($s, $ssl) = get_ssl_socket(8443);
> like(Net::SSLeay::dump_peer_certificate($ssl), qr/CN=localhost/, 'CN');
> 
> -($s, $ssl) = get_ssl_socket(port(8084));
> +($s, $ssl) = get_ssl_socket(8446);
> like(Net::SSLeay::dump_peer_certificate($ssl), qr/CN=inherits/, 'CN inner');
> 
> ###############################################################################
> @@ -191,7 +160,7 @@ like(Net::SSLeay::dump_peer_certificate(
> sub get_ssl_socket {
> 	my ($port, $ses) = @_;
> 
> -	my $s = IO::Socket::INET->new('127.0.0.1:' . $port);
> +	my $s = IO::Socket::INET->new('127.0.0.1:' . port($port));
> 	my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!");
> 	Net::SSLeay::set_session($ssl, $ses) if defined $ses;

Session test remnants can be cleaned up.

> 	Net::SSLeay::set_fd($ssl, fileno($s));
> diff --git a/stream_ssl.t b/stream_ssl_session_reuse.t
> copy from stream_ssl.t
> copy to stream_ssl_session_reuse.t
> --- a/stream_ssl.t
> +++ b/stream_ssl_session_reuse.t
> @@ -1,6 +1,7 @@
> #!/usr/bin/perl
> 
> # (C) Sergey Kandaurov
> +# (C) Maxim Dounin
> # (C) Nginx, Inc.
> 
> # Tests for stream ssl module.
> @@ -12,7 +13,6 @@ use strict;
> 
> use Test::More;
> 
> -use POSIX qw/ mkfifo /;

This file can be run now on win32.

> use Socket qw/ $CRLF /;
> 
> BEGIN { use FindBin; chdir($FindBin::Bin); }
> @@ -49,44 +49,60 @@ events {
> stream {
>     %%TEST_GLOBALS_STREAM%%
> 
> +    ssl_certificate localhost.crt;
>     ssl_certificate_key localhost.key;
> -    ssl_certificate localhost.crt;
> -    ssl_session_tickets off;
> 
> -    # inherited by server "inherits"
> -    ssl_password_file password_stream;
> +    server {
> +        listen      127.0.0.1:8443 ssl;
> +        proxy_pass  127.0.0.1:8081;
> +    }
> 
>     server {
> -        listen      127.0.0.1:8080 ssl;
> +        listen      127.0.0.1:8444 ssl;
>         proxy_pass  127.0.0.1:8081;
> 
> -        ssl_session_cache builtin;
> -        ssl_password_file password;
> +        ssl_session_cache shared:SSL:1m;
> +        ssl_session_tickets on;
> +    }
> +
> +    server {
> +        listen      127.0.0.1:8445 ssl;
> +        proxy_pass  127.0.0.1:8081;
> +
> +        ssl_session_cache shared:SSL:1m;
> +        ssl_session_tickets off;
>     }
> 
>     server {
> -        listen      127.0.0.1:8082 ssl;
> +        listen      127.0.0.1:8446 ssl;
>         proxy_pass  127.0.0.1:8081;
> 
> -        ssl_session_cache off;
> -        ssl_password_file password_many;
> +        ssl_session_cache builtin;
> +        ssl_session_tickets off;
>     }
> 
>     server {
> -        listen      127.0.0.1:8083 ssl;
> +        listen      127.0.0.1:8447 ssl;
>         proxy_pass  127.0.0.1:8081;
> 
>         ssl_session_cache builtin:1000;
> -        ssl_password_file password_fifo;
> +        ssl_session_tickets off;
>     }
> 
>     server {
> -        listen      127.0.0.1:8084 ssl;
> +        listen      127.0.0.1:8448 ssl;
>         proxy_pass  127.0.0.1:8081;
> 
> -        ssl_session_cache shared:SSL:1m;
> -        ssl_certificate_key inherits.key;
> -        ssl_certificate inherits.crt;
> +        ssl_session_cache none;
> +        ssl_session_tickets off;
> +    }
> +
> +    server {
> +        listen      127.0.0.1:8449 ssl;
> +        proxy_pass  127.0.0.1:8081;
> +
> +        ssl_session_cache off;
> +        ssl_session_tickets off;
>     }
> }
> 
> @@ -101,16 +117,11 @@ distinguished_name = req_distinguished_n
> EOF
> 
> my $d = $t->testdir();
> -mkfifo("$d/password_fifo", 0700);
> 
> -foreach my $name ('localhost', 'inherits') {
> -	system("openssl genrsa -out $d/$name.key -passout pass:$name "
> -		. "-aes128 2048 >>$d/openssl.out 2>&1") == 0
> -		or die "Can't create private key: $!\n";
> +foreach my $name ('localhost') {
> 	system('openssl req -x509 -new '
> 		. "-config $d/openssl.conf -subj /CN=$name/ "
> -		. "-out $d/$name.crt "
> -		. "-key $d/$name.key -passin pass:$name"
> +		. "-out $d/$name.crt -keyout $d/$name.key "
> 		. ">>$d/openssl.out 2>&1") == 0
> 		or die "Can't create certificate for $name: $!\n";
> }
> @@ -118,80 +129,48 @@ foreach my $name ('localhost', 'inherits
> 

This introduces one more occurrence of extra blank line on copy/paste,
I'd rather fix it in both files.

[..]

diff --git a/stream_ssl.t b/stream_ssl.t
--- a/stream_ssl.t
+++ b/stream_ssl.t
@@ -110,7 +110,6 @@ foreach my $name ('localhost', 'inherits
 		or die "Can't create certificate for $name: $!\n";
 }
 
-
 my $ctx = Net::SSLeay::CTX_new() or die("Failed to create SSL_CTX $!");
 
 $t->write_file('password', 'localhost');
@@ -143,7 +142,7 @@ like(Net::SSLeay::read($ssl), qr/200 OK/
 Net::SSLeay::write($ssl, "GET / HTTP/1.0$CRLF$CRLF");
 like(Net::SSLeay::read($ssl), qr/200 OK/, 'ssl password many');
 
-($s, $ssl) = get_ssl_socket(8444);
+($s, $ssl) = get_ssl_socket(8445);
 Net::SSLeay::write($ssl, "GET / HTTP/1.0$CRLF$CRLF");
 like(Net::SSLeay::read($ssl), qr/200 OK/, 'ssl password fifo');
 
@@ -158,11 +157,10 @@ like(Net::SSLeay::dump_peer_certificate(
 ###############################################################################
 
 sub get_ssl_socket {
-	my ($port, $ses) = @_;
+	my ($port) = @_;
 
 	my $s = IO::Socket::INET->new('127.0.0.1:' . port($port));
 	my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!");
-	Net::SSLeay::set_session($ssl, $ses) if defined $ses;
 	Net::SSLeay::set_fd($ssl, fileno($s));
 	Net::SSLeay::connect($ssl) or die("ssl connect");
 	return ($s, $ssl);
diff --git a/stream_ssl_session_reuse.t b/stream_ssl_session_reuse.t
--- a/stream_ssl_session_reuse.t
+++ b/stream_ssl_session_reuse.t
@@ -33,8 +33,6 @@ eval {
 };
 plan(skip_all => 'Net::SSLeay not installed') if $@;
 
-plan(skip_all => 'win32') if $^O eq 'MSWin32';
-
 my $t = Test::Nginx->new()->has(qw/stream stream_ssl/)->has_daemon('openssl');
 
 $t->plan(7)->write_file_expand('nginx.conf', <<'EOF');
@@ -126,7 +124,6 @@ foreach my $name ('localhost') {
 		or die "Can't create certificate for $name: $!\n";
 }
 
-
 my $ctx = Net::SSLeay::CTX_new() or die("Failed to create SSL_CTX $!");
 
 $t->run_daemon(\&http_daemon);

-- 
Sergey Kandaurov


More information about the nginx-devel mailing list