[PATCH 03 of 20] Tests: separate SSL session reuse tests in mail
Maxim Dounin
mdounin at mdounin.ru
Sat Mar 18 14:14:58 UTC 2023
# HG changeset patch
# User Maxim Dounin <mdounin at mdounin.ru>
# Date 1679107816 -10800
# Sat Mar 18 05:50:16 2023 +0300
# Node ID 97b09b6633f69747c0d6ef13c76739bdd6b7f3bb
# Parent 125fb8461d88a81a62ccb40d0e205a01ecc759f5
Tests: separate SSL session reuse tests in mail.
Instead of being mixed with generic SSL tests, session reuse variants
are now tested in a separate file.
diff --git a/mail_ssl.t b/mail_ssl.t
--- a/mail_ssl.t
+++ b/mail_ssl.t
@@ -37,7 +37,7 @@ eval { exists &Net::SSLeay::P_alpn_selec
plan(skip_all => 'Net::SSLeay with OpenSSL ALPN support required') if $@;
my $t = Test::Nginx->new()->has(qw/mail mail_ssl imap pop3 smtp/)
- ->has_daemon('openssl')->plan(22);
+ ->has_daemon('openssl')->plan(18);
$t->write_file_expand('nginx.conf', <<'EOF');
@@ -51,44 +51,25 @@ events {
mail {
ssl_certificate_key localhost.key;
ssl_certificate localhost.crt;
- ssl_session_tickets off;
ssl_password_file password;
auth_http http://127.0.0.1:8080; # unused
- ssl_session_cache none;
-
server {
listen 127.0.0.1:8143;
listen 127.0.0.1:8145 ssl;
protocol imap;
-
- ssl_session_cache builtin;
}
server {
- listen 127.0.0.1:8146 ssl;
- protocol imap;
-
- ssl_session_cache off;
- }
-
- server {
- listen 127.0.0.1:8147;
+ listen 127.0.0.1:8148;
protocol imap;
# Special case for enabled "ssl" directive.
ssl on;
- ssl_session_cache builtin:1000;
- }
- server {
- listen 127.0.0.1:8148 ssl;
- protocol imap;
-
- ssl_session_cache shared:SSL:1m;
ssl_certificate_key inherits.key;
ssl_certificate inherits.crt;
}
@@ -169,46 +150,16 @@ open STDERR, ">&", \*OLDERR;
###############################################################################
+my ($s, $ssl, $ses);
+
# simple tests to ensure that nothing broke with ssl_password_file directive
-my $s = Test::Nginx::IMAP->new();
+$s = Test::Nginx::IMAP->new();
$s->ok('greeting');
$s->send('1 AUTHENTICATE LOGIN');
$s->check(qr/\+ VXNlcm5hbWU6/, 'login');
-# ssl_session_cache
-
-my ($ssl, $ses);
-
-($s, $ssl) = get_ssl_socket(8145);
-Net::SSLeay::read($ssl);
-$ses = Net::SSLeay::get_session($ssl);
-
-($s, $ssl) = get_ssl_socket(8145, $ses);
-is(Net::SSLeay::session_reused($ssl), 1, 'builtin session reused');
-
-($s, $ssl) = get_ssl_socket(8146);
-Net::SSLeay::read($ssl);
-$ses = Net::SSLeay::get_session($ssl);
-
-($s, $ssl) = get_ssl_socket(8146, $ses);
-is(Net::SSLeay::session_reused($ssl), 0, 'session not reused');
-
-($s, $ssl) = get_ssl_socket(8147);
-Net::SSLeay::read($ssl);
-$ses = Net::SSLeay::get_session($ssl);
-
-($s, $ssl) = get_ssl_socket(8147, $ses);
-is(Net::SSLeay::session_reused($ssl), 1, 'builtin size session reused');
-
-($s, $ssl) = get_ssl_socket(8148);
-Net::SSLeay::read($ssl);
-$ses = Net::SSLeay::get_session($ssl);
-
-($s, $ssl) = get_ssl_socket(8148, $ses);
-is(Net::SSLeay::session_reused($ssl), 1, 'shared session reused');
-
# ssl_certificate inheritance
($s, $ssl) = get_ssl_socket(8145);
diff --git a/mail_ssl.t b/mail_ssl_session_reuse.t
copy from mail_ssl.t
copy to mail_ssl_session_reuse.t
--- a/mail_ssl.t
+++ b/mail_ssl_session_reuse.t
@@ -1,6 +1,7 @@
#!/usr/bin/perl
# (C) Andrey Zelenkov
+# (C) Maxim Dounin
# (C) Nginx, Inc.
# Tests for mail ssl module.
@@ -33,11 +34,8 @@ eval {
};
plan(skip_all => 'Net::SSLeay not installed') if $@;
-eval { exists &Net::SSLeay::P_alpn_selected or die; };
-plan(skip_all => 'Net::SSLeay with OpenSSL ALPN support required') if $@;
-
-my $t = Test::Nginx->new()->has(qw/mail mail_ssl imap pop3 smtp/)
- ->has_daemon('openssl')->plan(22);
+my $t = Test::Nginx->new()->has(qw/mail mail_ssl imap/)
+ ->has_daemon('openssl')->plan(7);
$t->write_file_expand('nginx.conf', <<'EOF');
@@ -49,90 +47,62 @@ events {
}
mail {
- ssl_certificate_key localhost.key;
- ssl_certificate localhost.crt;
- ssl_session_tickets off;
+ auth_http http://127.0.0.1:8080;
- ssl_password_file password;
-
- auth_http http://127.0.0.1:8080; # unused
-
- ssl_session_cache none;
+ ssl_certificate localhost.crt;
+ ssl_certificate_key localhost.key;
server {
- listen 127.0.0.1:8143;
- listen 127.0.0.1:8145 ssl;
- protocol imap;
-
- ssl_session_cache builtin;
+ listen 127.0.0.1:8993 ssl;
+ protocol imap;
}
server {
- listen 127.0.0.1:8146 ssl;
- protocol imap;
+ listen 127.0.0.1:8994 ssl;
+ protocol imap;
- ssl_session_cache off;
+ ssl_session_cache shared:SSL:1m;
+ ssl_session_tickets on;
}
server {
- listen 127.0.0.1:8147;
- protocol imap;
+ listen 127.0.0.1:8995 ssl;
+ protocol imap;
- # Special case for enabled "ssl" directive.
-
- ssl on;
- ssl_session_cache builtin:1000;
+ ssl_session_cache shared:SSL:1m;
+ ssl_session_tickets off;
}
server {
- listen 127.0.0.1:8148 ssl;
- protocol imap;
-
- ssl_session_cache shared:SSL:1m;
- ssl_certificate_key inherits.key;
- ssl_certificate inherits.crt;
- }
+ listen 127.0.0.1:8996 ssl;
+ protocol imap;
- server {
- listen 127.0.0.1:8149;
- protocol imap;
-
- starttls on;
- }
-
- server {
- listen 127.0.0.1:8150;
- protocol imap;
-
- starttls only;
+ ssl_session_cache builtin;
+ ssl_session_tickets off;
}
server {
- listen 127.0.0.1:8151;
- protocol pop3;
+ listen 127.0.0.1:8997 ssl;
+ protocol imap;
- starttls on;
+ ssl_session_cache builtin:1000;
+ ssl_session_tickets off;
}
server {
- listen 127.0.0.1:8152;
- protocol pop3;
+ listen 127.0.0.1:8998 ssl;
+ protocol imap;
- starttls only;
+ ssl_session_cache none;
+ ssl_session_tickets off;
}
server {
- listen 127.0.0.1:8153;
- protocol smtp;
-
- starttls on;
- }
+ listen 127.0.0.1:8999 ssl;
+ protocol imap;
- server {
- listen 127.0.0.1:8154;
- protocol smtp;
-
- starttls only;
+ ssl_session_cache off;
+ ssl_session_tickets off;
}
}
@@ -148,181 +118,57 @@ EOF
my $d = $t->testdir();
-foreach my $name ('localhost', 'inherits') {
- system("openssl genrsa -out $d/$name.key -passout pass:localhost "
- . "-aes128 2048 >>$d/openssl.out 2>&1") == 0
- or die "Can't create private key: $!\n";
+foreach my $name ('localhost') {
system('openssl req -x509 -new '
. "-config $d/openssl.conf -subj /CN=$name/ "
- . "-out $d/$name.crt "
- . "-key $d/$name.key -passin pass:localhost"
+ . "-out $d/$name.crt -keyout $d/$name.key "
. ">>$d/openssl.out 2>&1") == 0
or die "Can't create certificate for $name: $!\n";
}
my $ctx = Net::SSLeay::CTX_new() or die("Failed to create SSL_CTX $!");
-$t->write_file('password', 'localhost');
-open OLDERR, ">&", \*STDERR; close STDERR;
$t->run();
-open STDERR, ">&", \*OLDERR;
###############################################################################
-# simple tests to ensure that nothing broke with ssl_password_file directive
-
-my $s = Test::Nginx::IMAP->new();
-$s->ok('greeting');
-
-$s->send('1 AUTHENTICATE LOGIN');
-$s->check(qr/\+ VXNlcm5hbWU6/, 'login');
-
-# ssl_session_cache
-
my ($ssl, $ses);
-($s, $ssl) = get_ssl_socket(8145);
-Net::SSLeay::read($ssl);
-$ses = Net::SSLeay::get_session($ssl);
-
-($s, $ssl) = get_ssl_socket(8145, $ses);
-is(Net::SSLeay::session_reused($ssl), 1, 'builtin session reused');
-
-($s, $ssl) = get_ssl_socket(8146);
-Net::SSLeay::read($ssl);
-$ses = Net::SSLeay::get_session($ssl);
-
-($s, $ssl) = get_ssl_socket(8146, $ses);
-is(Net::SSLeay::session_reused($ssl), 0, 'session not reused');
-
-($s, $ssl) = get_ssl_socket(8147);
-Net::SSLeay::read($ssl);
-$ses = Net::SSLeay::get_session($ssl);
-
-($s, $ssl) = get_ssl_socket(8147, $ses);
-is(Net::SSLeay::session_reused($ssl), 1, 'builtin size session reused');
-
-($s, $ssl) = get_ssl_socket(8148);
-Net::SSLeay::read($ssl);
-$ses = Net::SSLeay::get_session($ssl);
-
-($s, $ssl) = get_ssl_socket(8148, $ses);
-is(Net::SSLeay::session_reused($ssl), 1, 'shared session reused');
-
-# ssl_certificate inheritance
-
-($s, $ssl) = get_ssl_socket(8145);
-like(Net::SSLeay::dump_peer_certificate($ssl), qr/CN=localhost/, 'CN');
-
-($s, $ssl) = get_ssl_socket(8148);
-like(Net::SSLeay::dump_peer_certificate($ssl), qr/CN=inherits/, 'CN inner');
-
-# alpn
-
-ok(get_ssl_socket(8148, undef, ['imap']), 'alpn');
-
-SKIP: {
-$t->{_configure_args} =~ /LibreSSL ([\d\.]+)/;
-skip 'LibreSSL too old', 1 if defined $1 and $1 lt '3.4.0';
-$t->{_configure_args} =~ /OpenSSL ([\d\.]+)/;
-skip 'OpenSSL too old', 1 if defined $1 and $1 lt '1.1.0';
-
-TODO: {
-local $TODO = 'not yet' unless $t->has_version('1.21.4');
-
-ok(!get_ssl_socket(8148, undef, ['unknown']), 'alpn rejected');
-
-}
-
-}
-
-# starttls imap
-
-$s = Test::Nginx::IMAP->new(PeerAddr => '127.0.0.1:' . port(8149));
-$s->read();
-
-$s->send('1 AUTHENTICATE LOGIN');
-$s->check(qr/\+ VXNlcm5hbWU6/, 'imap auth before startls on');
-
-$s = Test::Nginx::IMAP->new(PeerAddr => '127.0.0.1:' . port(8149));
-$s->read();
+# session reuse:
+#
+# - only tickets, the default
+# - tickets and shared cache
+# - only shared cache
+# - only builtin cache
+# - only builtin cache with explicitly configured size
+# - only cache none
+# - only cache off
-$s->send('1 STARTTLS');
-$s->ok('imap starttls on');
-
-$s = Test::Nginx::IMAP->new(PeerAddr => '127.0.0.1:' . port(8150));
-$s->read();
-
-$s->send('1 AUTHENTICATE LOGIN');
-$s->check(qr/^\S+ BAD/, 'imap auth before startls only');
-
-$s = Test::Nginx::IMAP->new(PeerAddr => '127.0.0.1:' . port(8150));
-$s->read();
-
-$s->send('1 STARTTLS');
-$s->ok('imap starttls only');
-
-# starttls pop3
-
-$s = Test::Nginx::POP3->new(PeerAddr => '127.0.0.1:' . port(8151));
-$s->read();
-
-$s->send('AUTH LOGIN');
-$s->check(qr/\+ VXNlcm5hbWU6/, 'pop3 auth before startls on');
-
-$s = Test::Nginx::POP3->new(PeerAddr => '127.0.0.1:' . port(8151));
-$s->read();
-
-$s->send('STLS');
-$s->ok('pop3 starttls on');
-
-$s = Test::Nginx::POP3->new(PeerAddr => '127.0.0.1:' . port(8152));
-$s->read();
-
-$s->send('AUTH LOGIN');
-$s->check(qr/^-ERR/, 'pop3 auth before startls only');
-
-$s = Test::Nginx::POP3->new(PeerAddr => '127.0.0.1:' . port(8152));
-$s->read();
-
-$s->send('STLS');
-$s->ok('pop3 starttls only');
-
-# starttls smtp
-
-$s = Test::Nginx::SMTP->new(PeerAddr => '127.0.0.1:' . port(8153));
-$s->read();
-
-$s->send('AUTH LOGIN');
-$s->check(qr/^334 VXNlcm5hbWU6/, 'smtp auth before startls on');
-
-$s = Test::Nginx::SMTP->new(PeerAddr => '127.0.0.1:' . port(8153));
-$s->read();
-
-$s->send('STARTTLS');
-$s->ok('smtp starttls on');
-
-$s = Test::Nginx::SMTP->new(PeerAddr => '127.0.0.1:' . port(8154));
-$s->read();
-
-$s->send('AUTH LOGIN');
-$s->check(qr/^5.. /, 'smtp auth before startls only');
-
-$s = Test::Nginx::SMTP->new(PeerAddr => '127.0.0.1:' . port(8154));
-$s->read();
-
-$s->send('STARTTLS');
-$s->ok('smtp starttls only');
+is(test_reuse(8993), 1, 'tickets reused');
+is(test_reuse(8994), 1, 'tickets and cache reused');
+is(test_reuse(8995), 1, 'cache shared reused');
+is(test_reuse(8996), 1, 'cache builtin reused');
+is(test_reuse(8997), 1, 'cache builtin size reused');
+is(test_reuse(8998), 0, 'cache none not reused');
+is(test_reuse(8999), 0, 'cache off not reused');
###############################################################################
+sub test_reuse {
+ my ($port) = @_;
+ my ($s, $ssl) = get_ssl_socket($port);
+ Net::SSLeay::read($ssl);
+ my $ses = Net::SSLeay::get_session($ssl);
+ ($s, $ssl) = get_ssl_socket($port, $ses);
+ return Net::SSLeay::session_reused($ssl);
+}
+
sub get_ssl_socket {
- my ($port, $ses, $alpn) = @_;
+ my ($port, $ses) = @_;
my $s = IO::Socket::INET->new('127.0.0.1:' . port($port));
my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!");
Net::SSLeay::set_session($ssl, $ses) if defined $ses;
- Net::SSLeay::set_alpn_protos($ssl, $alpn) if defined $alpn;
Net::SSLeay::set_fd($ssl, fileno($s));
Net::SSLeay::connect($ssl) == 1 or return;
return ($s, $ssl);
More information about the nginx-devel
mailing list