[PATCH 03 of 20] Tests: separate SSL session reuse tests in mail

Maxim Dounin mdounin at mdounin.ru
Sat Mar 18 14:14:58 UTC 2023


# HG changeset patch
# User Maxim Dounin <mdounin at mdounin.ru>
# Date 1679107816 -10800
#      Sat Mar 18 05:50:16 2023 +0300
# Node ID 97b09b6633f69747c0d6ef13c76739bdd6b7f3bb
# Parent  125fb8461d88a81a62ccb40d0e205a01ecc759f5
Tests: separate SSL session reuse tests in mail.

Instead of being mixed with generic SSL tests, session reuse variants
are now tested in a separate file.

diff --git a/mail_ssl.t b/mail_ssl.t
--- a/mail_ssl.t
+++ b/mail_ssl.t
@@ -37,7 +37,7 @@ eval { exists &Net::SSLeay::P_alpn_selec
 plan(skip_all => 'Net::SSLeay with OpenSSL ALPN support required') if $@;
 
 my $t = Test::Nginx->new()->has(qw/mail mail_ssl imap pop3 smtp/)
-	->has_daemon('openssl')->plan(22);
+	->has_daemon('openssl')->plan(18);
 
 $t->write_file_expand('nginx.conf', <<'EOF');
 
@@ -51,44 +51,25 @@ events {
 mail {
     ssl_certificate_key localhost.key;
     ssl_certificate localhost.crt;
-    ssl_session_tickets off;
 
     ssl_password_file password;
 
     auth_http  http://127.0.0.1:8080;	# unused
 
-    ssl_session_cache none;
-
     server {
         listen             127.0.0.1:8143;
         listen             127.0.0.1:8145 ssl;
         protocol           imap;
-
-        ssl_session_cache  builtin;
     }
 
     server {
-        listen             127.0.0.1:8146 ssl;
-        protocol           imap;
-
-        ssl_session_cache  off;
-    }
-
-    server {
-        listen             127.0.0.1:8147;
+        listen             127.0.0.1:8148;
         protocol           imap;
 
         # Special case for enabled "ssl" directive.
 
         ssl on;
-        ssl_session_cache  builtin:1000;
-    }
 
-    server {
-        listen             127.0.0.1:8148 ssl;
-        protocol           imap;
-
-        ssl_session_cache shared:SSL:1m;
         ssl_certificate_key inherits.key;
         ssl_certificate inherits.crt;
     }
@@ -169,46 +150,16 @@ open STDERR, ">&", \*OLDERR;
 
 ###############################################################################
 
+my ($s, $ssl, $ses);
+
 # simple tests to ensure that nothing broke with ssl_password_file directive
 
-my $s = Test::Nginx::IMAP->new();
+$s = Test::Nginx::IMAP->new();
 $s->ok('greeting');
 
 $s->send('1 AUTHENTICATE LOGIN');
 $s->check(qr/\+ VXNlcm5hbWU6/, 'login');
 
-# ssl_session_cache
-
-my ($ssl, $ses);
-
-($s, $ssl) = get_ssl_socket(8145);
-Net::SSLeay::read($ssl);
-$ses = Net::SSLeay::get_session($ssl);
-
-($s, $ssl) = get_ssl_socket(8145, $ses);
-is(Net::SSLeay::session_reused($ssl), 1, 'builtin session reused');
-
-($s, $ssl) = get_ssl_socket(8146);
-Net::SSLeay::read($ssl);
-$ses = Net::SSLeay::get_session($ssl);
-
-($s, $ssl) = get_ssl_socket(8146, $ses);
-is(Net::SSLeay::session_reused($ssl), 0, 'session not reused');
-
-($s, $ssl) = get_ssl_socket(8147);
-Net::SSLeay::read($ssl);
-$ses = Net::SSLeay::get_session($ssl);
-
-($s, $ssl) = get_ssl_socket(8147, $ses);
-is(Net::SSLeay::session_reused($ssl), 1, 'builtin size session reused');
-
-($s, $ssl) = get_ssl_socket(8148);
-Net::SSLeay::read($ssl);
-$ses = Net::SSLeay::get_session($ssl);
-
-($s, $ssl) = get_ssl_socket(8148, $ses);
-is(Net::SSLeay::session_reused($ssl), 1, 'shared session reused');
-
 # ssl_certificate inheritance
 
 ($s, $ssl) = get_ssl_socket(8145);
diff --git a/mail_ssl.t b/mail_ssl_session_reuse.t
copy from mail_ssl.t
copy to mail_ssl_session_reuse.t
--- a/mail_ssl.t
+++ b/mail_ssl_session_reuse.t
@@ -1,6 +1,7 @@
 #!/usr/bin/perl
 
 # (C) Andrey Zelenkov
+# (C) Maxim Dounin
 # (C) Nginx, Inc.
 
 # Tests for mail ssl module.
@@ -33,11 +34,8 @@ eval {
 };
 plan(skip_all => 'Net::SSLeay not installed') if $@;
 
-eval { exists &Net::SSLeay::P_alpn_selected or die; };
-plan(skip_all => 'Net::SSLeay with OpenSSL ALPN support required') if $@;
-
-my $t = Test::Nginx->new()->has(qw/mail mail_ssl imap pop3 smtp/)
-	->has_daemon('openssl')->plan(22);
+my $t = Test::Nginx->new()->has(qw/mail mail_ssl imap/)
+	->has_daemon('openssl')->plan(7);
 
 $t->write_file_expand('nginx.conf', <<'EOF');
 
@@ -49,90 +47,62 @@ events {
 }
 
 mail {
-    ssl_certificate_key localhost.key;
-    ssl_certificate localhost.crt;
-    ssl_session_tickets off;
+    auth_http  http://127.0.0.1:8080;
 
-    ssl_password_file password;
-
-    auth_http  http://127.0.0.1:8080;	# unused
-
-    ssl_session_cache none;
+    ssl_certificate localhost.crt;
+    ssl_certificate_key localhost.key;
 
     server {
-        listen             127.0.0.1:8143;
-        listen             127.0.0.1:8145 ssl;
-        protocol           imap;
-
-        ssl_session_cache  builtin;
+        listen    127.0.0.1:8993 ssl;
+        protocol  imap;
     }
 
     server {
-        listen             127.0.0.1:8146 ssl;
-        protocol           imap;
+        listen    127.0.0.1:8994 ssl;
+        protocol  imap;
 
-        ssl_session_cache  off;
+        ssl_session_cache shared:SSL:1m;
+        ssl_session_tickets on;
     }
 
     server {
-        listen             127.0.0.1:8147;
-        protocol           imap;
+        listen    127.0.0.1:8995 ssl;
+        protocol  imap;
 
-        # Special case for enabled "ssl" directive.
-
-        ssl on;
-        ssl_session_cache  builtin:1000;
+        ssl_session_cache shared:SSL:1m;
+        ssl_session_tickets off;
     }
 
     server {
-        listen             127.0.0.1:8148 ssl;
-        protocol           imap;
-
-        ssl_session_cache shared:SSL:1m;
-        ssl_certificate_key inherits.key;
-        ssl_certificate inherits.crt;
-    }
+        listen    127.0.0.1:8996 ssl;
+        protocol  imap;
 
-    server {
-        listen             127.0.0.1:8149;
-        protocol           imap;
-
-        starttls           on;
-    }
-
-    server {
-        listen             127.0.0.1:8150;
-        protocol           imap;
-
-        starttls           only;
+        ssl_session_cache builtin;
+        ssl_session_tickets off;
     }
 
     server {
-        listen             127.0.0.1:8151;
-        protocol           pop3;
+        listen    127.0.0.1:8997 ssl;
+        protocol  imap;
 
-        starttls           on;
+        ssl_session_cache builtin:1000;
+        ssl_session_tickets off;
     }
 
     server {
-        listen             127.0.0.1:8152;
-        protocol           pop3;
+        listen    127.0.0.1:8998 ssl;
+        protocol  imap;
 
-        starttls           only;
+        ssl_session_cache none;
+        ssl_session_tickets off;
     }
 
     server {
-        listen             127.0.0.1:8153;
-        protocol           smtp;
-
-        starttls           on;
-    }
+        listen    127.0.0.1:8999 ssl;
+        protocol  imap;
 
-    server {
-        listen             127.0.0.1:8154;
-        protocol           smtp;
-
-        starttls           only;
+        ssl_session_cache off;
+        ssl_session_tickets off;
     }
 }
 
@@ -148,181 +118,57 @@ EOF
 
 my $d = $t->testdir();
 
-foreach my $name ('localhost', 'inherits') {
-	system("openssl genrsa -out $d/$name.key -passout pass:localhost "
-		. "-aes128 2048 >>$d/openssl.out 2>&1") == 0
-		or die "Can't create private key: $!\n";
+foreach my $name ('localhost') {
 	system('openssl req -x509 -new '
 		. "-config $d/openssl.conf -subj /CN=$name/ "
-		. "-out $d/$name.crt "
-		. "-key $d/$name.key -passin pass:localhost"
+		. "-out $d/$name.crt -keyout $d/$name.key "
 		. ">>$d/openssl.out 2>&1") == 0
 		or die "Can't create certificate for $name: $!\n";
 }
 
 my $ctx = Net::SSLeay::CTX_new() or die("Failed to create SSL_CTX $!");
-$t->write_file('password', 'localhost');
 
-open OLDERR, ">&", \*STDERR; close STDERR;
 $t->run();
-open STDERR, ">&", \*OLDERR;
 
 ###############################################################################
 
-# simple tests to ensure that nothing broke with ssl_password_file directive
-
-my $s = Test::Nginx::IMAP->new();
-$s->ok('greeting');
-
-$s->send('1 AUTHENTICATE LOGIN');
-$s->check(qr/\+ VXNlcm5hbWU6/, 'login');
-
-# ssl_session_cache
-
 my ($ssl, $ses);
 
-($s, $ssl) = get_ssl_socket(8145);
-Net::SSLeay::read($ssl);
-$ses = Net::SSLeay::get_session($ssl);
-
-($s, $ssl) = get_ssl_socket(8145, $ses);
-is(Net::SSLeay::session_reused($ssl), 1, 'builtin session reused');
-
-($s, $ssl) = get_ssl_socket(8146);
-Net::SSLeay::read($ssl);
-$ses = Net::SSLeay::get_session($ssl);
-
-($s, $ssl) = get_ssl_socket(8146, $ses);
-is(Net::SSLeay::session_reused($ssl), 0, 'session not reused');
-
-($s, $ssl) = get_ssl_socket(8147);
-Net::SSLeay::read($ssl);
-$ses = Net::SSLeay::get_session($ssl);
-
-($s, $ssl) = get_ssl_socket(8147, $ses);
-is(Net::SSLeay::session_reused($ssl), 1, 'builtin size session reused');
-
-($s, $ssl) = get_ssl_socket(8148);
-Net::SSLeay::read($ssl);
-$ses = Net::SSLeay::get_session($ssl);
-
-($s, $ssl) = get_ssl_socket(8148, $ses);
-is(Net::SSLeay::session_reused($ssl), 1, 'shared session reused');
-
-# ssl_certificate inheritance
-
-($s, $ssl) = get_ssl_socket(8145);
-like(Net::SSLeay::dump_peer_certificate($ssl), qr/CN=localhost/, 'CN');
-
-($s, $ssl) = get_ssl_socket(8148);
-like(Net::SSLeay::dump_peer_certificate($ssl), qr/CN=inherits/, 'CN inner');
-
-# alpn
-
-ok(get_ssl_socket(8148, undef, ['imap']), 'alpn');
-
-SKIP: {
-$t->{_configure_args} =~ /LibreSSL ([\d\.]+)/;
-skip 'LibreSSL too old', 1 if defined $1 and $1 lt '3.4.0';
-$t->{_configure_args} =~ /OpenSSL ([\d\.]+)/;
-skip 'OpenSSL too old', 1 if defined $1 and $1 lt '1.1.0';
-
-TODO: {
-local $TODO = 'not yet' unless $t->has_version('1.21.4');
-
-ok(!get_ssl_socket(8148, undef, ['unknown']), 'alpn rejected');
-
-}
-
-}
-
-# starttls imap
-
-$s = Test::Nginx::IMAP->new(PeerAddr => '127.0.0.1:' . port(8149));
-$s->read();
-
-$s->send('1 AUTHENTICATE LOGIN');
-$s->check(qr/\+ VXNlcm5hbWU6/, 'imap auth before startls on');
-
-$s = Test::Nginx::IMAP->new(PeerAddr => '127.0.0.1:' . port(8149));
-$s->read();
+# session reuse:
+#
+# - only tickets, the default
+# - tickets and shared cache
+# - only shared cache
+# - only builtin cache
+# - only builtin cache with explicitly configured size
+# - only cache none
+# - only cache off
 
-$s->send('1 STARTTLS');
-$s->ok('imap starttls on');
-
-$s = Test::Nginx::IMAP->new(PeerAddr => '127.0.0.1:' . port(8150));
-$s->read();
-
-$s->send('1 AUTHENTICATE LOGIN');
-$s->check(qr/^\S+ BAD/, 'imap auth before startls only');
-
-$s = Test::Nginx::IMAP->new(PeerAddr => '127.0.0.1:' . port(8150));
-$s->read();
-
-$s->send('1 STARTTLS');
-$s->ok('imap starttls only');
-
-# starttls pop3
-
-$s = Test::Nginx::POP3->new(PeerAddr => '127.0.0.1:' . port(8151));
-$s->read();
-
-$s->send('AUTH LOGIN');
-$s->check(qr/\+ VXNlcm5hbWU6/, 'pop3 auth before startls on');
-
-$s = Test::Nginx::POP3->new(PeerAddr => '127.0.0.1:' . port(8151));
-$s->read();
-
-$s->send('STLS');
-$s->ok('pop3 starttls on');
-
-$s = Test::Nginx::POP3->new(PeerAddr => '127.0.0.1:' . port(8152));
-$s->read();
-
-$s->send('AUTH LOGIN');
-$s->check(qr/^-ERR/, 'pop3 auth before startls only');
-
-$s = Test::Nginx::POP3->new(PeerAddr => '127.0.0.1:' . port(8152));
-$s->read();
-
-$s->send('STLS');
-$s->ok('pop3 starttls only');
-
-# starttls smtp
-
-$s = Test::Nginx::SMTP->new(PeerAddr => '127.0.0.1:' . port(8153));
-$s->read();
-
-$s->send('AUTH LOGIN');
-$s->check(qr/^334 VXNlcm5hbWU6/, 'smtp auth before startls on');
-
-$s = Test::Nginx::SMTP->new(PeerAddr => '127.0.0.1:' . port(8153));
-$s->read();
-
-$s->send('STARTTLS');
-$s->ok('smtp starttls on');
-
-$s = Test::Nginx::SMTP->new(PeerAddr => '127.0.0.1:' . port(8154));
-$s->read();
-
-$s->send('AUTH LOGIN');
-$s->check(qr/^5.. /, 'smtp auth before startls only');
-
-$s = Test::Nginx::SMTP->new(PeerAddr => '127.0.0.1:' . port(8154));
-$s->read();
-
-$s->send('STARTTLS');
-$s->ok('smtp starttls only');
+is(test_reuse(8993), 1, 'tickets reused');
+is(test_reuse(8994), 1, 'tickets and cache reused');
+is(test_reuse(8995), 1, 'cache shared reused');
+is(test_reuse(8996), 1, 'cache builtin reused');
+is(test_reuse(8997), 1, 'cache builtin size reused');
+is(test_reuse(8998), 0, 'cache none not reused');
+is(test_reuse(8999), 0, 'cache off not reused');
 
 ###############################################################################
 
+sub test_reuse {
+	my ($port) = @_;
+	my ($s, $ssl) = get_ssl_socket($port);
+	Net::SSLeay::read($ssl);
+	my $ses = Net::SSLeay::get_session($ssl);
+	($s, $ssl) = get_ssl_socket($port, $ses);
+	return Net::SSLeay::session_reused($ssl);
+}
+
 sub get_ssl_socket {
-	my ($port, $ses, $alpn) = @_;
+	my ($port, $ses) = @_;
 
 	my $s = IO::Socket::INET->new('127.0.0.1:' . port($port));
 	my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!");
 	Net::SSLeay::set_session($ssl, $ses) if defined $ses;
-	Net::SSLeay::set_alpn_protos($ssl, $alpn) if defined $alpn;
 	Net::SSLeay::set_fd($ssl, fileno($s));
 	Net::SSLeay::connect($ssl) == 1 or return;
 	return ($s, $ssl);


More information about the nginx-devel mailing list