[PATCH 19 of 20] Tests: removed multiple server certificates from ssl_ocsp.t

Sergey Kandaurov pluknet at nginx.com
Wed Mar 22 11:05:16 UTC 2023


> On 18 Mar 2023, at 18:15, Maxim Dounin <mdounin at mdounin.ru> wrote:
> 
> # HG changeset patch
> # User Maxim Dounin <mdounin at mdounin.ru>
> # Date 1679148855 -10800
> #      Sat Mar 18 17:14:15 2023 +0300
> # Node ID 782531c3cd79dcf700276e10bef00e524de009d1
> # Parent  c140f78fbc8f62c9694d3b969d1309570a96f2e7
> Tests: removed multiple server certificates from ssl_ocsp.t.
> 
> Multiple server certificates are not needed to test OCSP verification of
> client certificates (in contrast to OCSP stapling, where server certificates
> are verified, and different staples should be correctly returned with
> different server certificates).  And using multiple server certificates
> causes issues when testing with LibreSSL due to broken sigalgs-based
> server certificate selection in LibreSSL with TLSv1.3.
> 
> Accordingly, the test is simplified so that it no longer uses multiple
> server certificates.
> 
> diff --git a/ssl_ocsp.t b/ssl_ocsp.t
> --- a/ssl_ocsp.t
> +++ b/ssl_ocsp.t
> @@ -63,10 +63,7 @@ http {
>     ssl_verify_depth 2;
>     ssl_client_certificate trusted.crt;
> 
> -    ssl_ciphers DEFAULT:ECCdraft;
> -
> -    ssl_certificate_key ec.key;
> -    ssl_certificate ec.crt;
> +#    ssl_ciphers DEFAULT:ECCdraft;

This doesn't serve its purpose now and can be removed,
now that you've removed multiple (ECC) certificates.
It was used to run tests with ECC certificates/ciphers,
as otherwise it would result in "no shared cipher" error.

ECCdraft is an old alias used to enable ECC ciphersuites
and run tests with ECC certificate on OpenSSL 0.9.8,
before they became official in RFC 4492.

- ECC ciphersuites were disabled by default in 0.9.8c,
  and the ECCdraft alias was used to turn them back on.
- ECC ciphersuites were re-enabled in 0.9.9 (1.0.0)

> 
>     ssl_certificate_key rsa.key;
>     ssl_certificate rsa.crt;
> @@ -273,13 +270,8 @@ system("openssl ocsp -index $d/certindex
> 
> # server cert/key
> 
> -system("openssl ecparam -genkey -out $d/ec.key -name prime256v1 "
> -	. ">>$d/openssl.out 2>&1") == 0 or die "Can't create EC pem: $!\n";
> -system("openssl genrsa -out $d/rsa.key 2048 >>$d/openssl.out 2>&1") == 0
> -	or die "Can't create RSA pem: $!\n";
> -
> -foreach my $name ('ec', 'rsa') {
> -	system("openssl req -x509 -new -key $d/$name.key "
> +foreach my $name ('rsa') {
> +	system('openssl req -x509 -new '
> 		. "-config $d/openssl.conf -subj /CN=$name/ "
> 		. "-out $d/$name.crt -keyout $d/$name.key "
> 		. ">>$d/openssl.out 2>&1") == 0
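Review bot: The `foreach my $name ('rsa')` loop now iterates over a single fixed element, so the loop is leftover scaffolding; unless more server certificates are expected to return, a plain `my $name = 'rsa';` (or inlining `rsa` into the command) reads more honestly. Dropping `-key` also means the key type and size now come from whatever `openssl.conf` defaults are in effect rather than the explicit 2048-bit RSA key generated before, and `-keyout` will only write the key unencrypted if that config sets `encrypt_key = no`; neither is visible in this hunk, so a short comment such as `# key type, size and (no) encryption come from openssl.conf` would help the next reader. The loop body continues past the end of the hunk.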
> @@ -288,7 +280,7 @@ foreach my $name ('ec', 'rsa') {
> 
> $t->run_daemon(\&http_daemon, $t, port(8081));
> $t->run_daemon(\&http_daemon, $t, port(8082));
> -$t->run()->plan(14);
> +$t->run()->plan(15);
> 
> $t->waitforsocket("127.0.0.1:" . port(8081));
> $t->waitforsocket("127.0.0.1:" . port(8082));
> @@ -297,17 +289,17 @@ my $version = get_version();
> 
> ###############################################################################
> 
> -like(get('RSA', 'end'), qr/200 OK.*SUCCESS/s, 'ocsp leaf');
> +like(get('end'), qr/200 OK.*SUCCESS/s, 'ocsp leaf');
> 
> # demonstrate that ocsp int request is failed due to missing resolver
> 
> -like(get('RSA', 'end', sni => 'resolver'),
> +like(get('end', sni => 'resolver'),
> 	qr/400 Bad.*FAILED:certificate status request failed/s,
> 	'ocsp many failed request');
> 
> # demonstrate that ocsp int request is actually made by failing ocsp response
> 
> -like(get('RSA', 'end', port => 8444),
> +like(get('end', port => 8444),
> 	qr/400 Bad.*FAILED:certificate status request failed/s,
> 	'ocsp many failed');
> 
> @@ -323,11 +315,11 @@ system("openssl ocsp -index $d/certindex
> 	. ">>$d/openssl.out 2>&1") == 0
> 	or die "Can't create OCSP response: $!\n";
> 
> -like(get('RSA', 'end', port => 8444), qr/200 OK.*SUCCESS/s, 'ocsp many');
> +like(get('end', port => 8444), qr/200 OK.*SUCCESS/s, 'ocsp many');
> 
> # store into ssl_ocsp_cache
> 
> -like(get('RSA', 'end', port => 8446), qr/200 OK.*SUCCESS/s, 'cache store');
> +like(get('end', port => 8446), qr/200 OK.*SUCCESS/s, 'cache store');
> 
> # revoke
> 
> @@ -346,23 +338,23 @@ system("openssl ocsp -index $d/certindex
> 	. ">>$d/openssl.out 2>&1") == 0
> 	or die "Can't create OCSP response: $!\n";
> 
> -like(get('RSA', 'end'), qr/400 Bad.*FAILED:certificate revoked/s, 'revoked');
> +like(get('end'), qr/400 Bad.*FAILED:certificate revoked/s, 'revoked');
> 
> # with different responder where it's still valid
> 
> -like(get('RSA', 'end', port => 8445), qr/200 OK.*SUCCESS/s, 'ocsp responder');
> +like(get('end', port => 8445), qr/200 OK.*SUCCESS/s, 'ocsp responder');
> 
> # with different context to responder where it's still valid
> 
> -like(get('RSA', 'end', sni => 'sni'), qr/200 OK.*SUCCESS/s, 'ocsp context');
> +like(get('end', sni => 'sni'), qr/200 OK.*SUCCESS/s, 'ocsp context');
> 
> # with cached ocsp response it's still valid
> 
> -like(get('RSA', 'end', port => 8446), qr/200 OK.*SUCCESS/s, 'cache lookup');
> +like(get('end', port => 8446), qr/200 OK.*SUCCESS/s, 'cache lookup');
> 
> # ocsp end response signed with invalid (root) cert, expect HTTP 400
> 
> -like(get('ECDSA', 'ec-end'),
> +like(get('ec-end'),
> 	qr/400 Bad.*FAILED:certificate status request failed/s,
> 	'root ca not trusted');
> 
> @@ -374,12 +366,12 @@ system("openssl ocsp -index $d/certindex
> 	. ">>$d/openssl.out 2>&1") == 0
> 	or die "Can't create EC OCSP response: $!\n";
> 
> -like(get('ECDSA', 'ec-end'), qr/200 OK.*SUCCESS/s, 'ocsp ecdsa');
> +like(get('ec-end'), qr/200 OK.*SUCCESS/s, 'ocsp ecdsa');
> 
> -my ($s, $ssl) = get('ECDSA', 'ec-end');
> +my ($s, $ssl) = get('ec-end');
> my $ses = Net::SSLeay::get_session($ssl);
> 
> -like(get('ECDSA', 'ec-end', ses => $ses),
> +like(get('ec-end', ses => $ses),
> 	qr/200 OK.*SUCCESS:r/s, 'session reused');
> 
> # revoke with saved session
> @@ -401,19 +393,22 @@ system("openssl ocsp -index $d/certindex
> 
> # reusing session with revoked certificate
> 
> -like(get('ECDSA', 'ec-end', ses => $ses),
> +like(get('ec-end', ses => $ses),
> 	qr/400 Bad.*FAILED:certificate revoked:r/s, 'session reused - revoked');
> 
> # regression test for self-signed
> 
> -like(get('RSA', 'root', port => 8447), qr/200 OK.*SUCCESS/s, 'ocsp one');
> +like(get('root', port => 8447), qr/200 OK.*SUCCESS/s, 'ocsp one');
> +
> +# check for errors
> +
> +like(`grep -F '[crit]' ${\($t->testdir())}/error.log`, qr/^$/s, 'no crit');
> 
> ###############################################################################
> 
> sub get {
> -	my ($type, $cert, %extra) = @_;
> -	$type = 'PSS' if $type eq 'RSA' && $version > 0x0303;
> -	my ($s, $ssl) = get_ssl_socket($type, $cert, %extra);
> +	my ($cert, %extra) = @_;
> +	my ($s, $ssl) = get_ssl_socket($cert, %extra);
> 	my $cipher = Net::SSLeay::get_cipher($ssl);
> 	Test::Nginx::log_core('||', "cipher: $cipher");
> 	my $host = $extra{sni} ? $extra{sni} : 'localhost';
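Review bot: The new `no crit` check at the end of the hunk shells out via backticks, interpolating `$t->testdir()` into a command string; a test directory containing spaces or shell metacharacters could break the grep or be interpreted by the shell. Reading the log in Perl avoids the shell entirely, e.g. `my @crit = grep { /\[crit\]/ } $t->read_file('error.log');` followed by `is(scalar @crit, 0, 'no crit');`, assuming Test::Nginx's read_file() helper is available in this tree. Note also that `qr/^$/s` only asserts empty output, so a grep that fails to run at all (for example a missing binary) would silently pass as well. `sub get` continues past the end of the hunk.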
> @@ -428,7 +423,7 @@ sub get {
> }
> 
> sub get_ssl_socket {
> -	my ($type, $cert, %extra) = @_;
> +	my ($cert, %extra) = @_;
> 	my $ses = $extra{ses};
> 	my $sni = $extra{sni};
> 	my $port = $extra{port} || 8443;
> @@ -450,18 +445,6 @@ sub get_ssl_socket {
> 
> 	my $ctx = Net::SSLeay::CTX_new() or die("Failed to create SSL_CTX $!");
> 
> -	if (defined $type) {
> -		my $ssleay = Net::SSLeay::SSLeay();
> -		if ($ssleay < 0x1000200f || $ssleay == 0x20000000) {
> -			Net::SSLeay::CTX_set_cipher_list($ctx, $type)
> -				or die("Failed to set cipher list");
> -		} else {
> -			# SSL_CTRL_SET_SIGALGS_LIST
> -			Net::SSLeay::CTX_ctrl($ctx, 98, 0, $type . '+SHA256')
> -				or die("Failed to set sigalgs");
> -		}
> -	}
> -
> 	Net::SSLeay::set_cert_and_key($ctx, "$d/$cert.crt", "$d/$cert.key")
> 		or die if $cert;
> 	my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!");

-- 
Sergey Kandaurov

