[PATCH 0 of 6] SSL object cache

Aleksei Bavshin a.bavshin at nginx.com
Wed Aug 21 22:56:50 UTC 2024


On 8/21/2024 3:04 PM, Sergey Kandaurov wrote:
> Largely updated series based on my comments.

Tests:

# HG changeset patch
# User Aleksei Bavshin <a.bavshin at nginx.com>
# Date 1724280833 25200
#      Wed Aug 21 15:53:53 2024 -0700
# Node ID 2a79edf2beb86ab81af8663ecd27fe632eb9e174
# Parent  f5ef37b2e2604afb0dc155e1ae92c6807f0645b9
Tests: SSL object cache tests.

diff --git a/ssl_cache.t b/ssl_cache.t
new file mode 100644
--- /dev/null
+++ b/ssl_cache.t
@@ -0,0 +1,174 @@
+#!/usr/bin/perl
+
+# (C) Nginx, Inc.
+
+# Tests for SSL object cache.
+
+###############################################################################
+
+use warnings;
+use strict;
+
+use Test::More;
+
+use POSIX qw/ mkfifo /;
+
+BEGIN { use FindBin; chdir($FindBin::Bin); }
+
+use lib 'lib';
+use Test::Nginx;
+
+###############################################################################
+
+select STDERR; $| = 1;
+select STDOUT; $| = 1;
+
+plan(skip_all => 'win32') if $^O eq 'MSWin32';
+
+my $t = Test::Nginx->new();
+
+plan(skip_all => "not yet") unless $t->has_version('1.27.2');
+
+$t->has(qw/http http_ssl socket_ssl/)->has_daemon('openssl')
+	->write_file_expand('nginx.conf', <<'EOF');
+
+%%TEST_GLOBALS%%
+
+daemon off;
+
+events {
+}
+
+http {
+    %%TEST_GLOBALS_HTTP%%
+
+    server {
+        listen       127.0.0.1:8443 ssl;
+        server_name  localhost;
+
+        ssl_certificate localhost.crt.fifo;
+        ssl_certificate_key localhost.key.fifo;
+
+        ssl_trusted_certificate root.crt.fifo;
+        ssl_crl root.crl.fifo;
+    }
+
+    server {
+        listen       127.0.0.1:8444 ssl;
+        server_name  localhost;
+
+        ssl_certificate localhost.crt.fifo;
+        ssl_certificate_key localhost.key.fifo;
+
+        ssl_verify_client on;
+        ssl_client_certificate root.crt.fifo;
+        ssl_crl root.crl.fifo;
+    }
+}
+
+EOF
+
+my $d = $t->testdir();
+
+$t->write_file('openssl.conf', <<EOF);
+[ req ]
+default_bits = 2048
+encrypt_key = no
+distinguished_name = req_distinguished_name
+x509_extensions = myca_extensions
+[ req_distinguished_name ]
+[ myca_extensions ]
+basicConstraints = critical,CA:TRUE
+EOF
+
+$t->write_file('ca.conf', <<EOF);
+[ ca ]
+default_ca = myca
+
+[ myca ]
+new_certs_dir = $d
+database = $d/certindex
+default_md = sha256
+policy = myca_policy
+serial = $d/certserial
+default_days = 1
+
+[ myca_policy ]
+commonName = supplied
+EOF
+
+foreach my $name ('root', 'localhost') {
+	system('openssl req -x509 -new '
+		. "-config $d/openssl.conf -subj /CN=$name/ "
+		. "-out $d/$name.crt -keyout $d/$name.key "
+		. ">>$d/openssl.out 2>&1") == 0
+		or die "Can't create certificate for $name: $!\n";
+}
+
+$t->write_file('certserial', '1000');
+$t->write_file('certindex', '');
+
+foreach my $name ('client') {
+	system('openssl req -new '
+		. "-config $d/openssl.conf -subj /CN=$name/ "
+		. "-out $d/$name.csr -keyout $d/$name.key "
+		. ">>$d/openssl.out 2>&1") == 0
+		or die "Can't create certificate for $name: $!\n";
+
+	system("openssl ca -batch -config $d/ca.conf "
+		. "-keyfile $d/root.key -cert $d/root.crt "
+		. "-subj /CN=$name/ -in $d/$name.csr -out $d/$name.crt "
+		. ">>$d/openssl.out 2>&1") == 0
+		or die "Can't sign certificate for $name: $!\n";
+}
+
+system("openssl ca -gencrl -config $d/ca.conf "
+	. "-keyfile $d/root.key -cert $d/root.crt "
+	. "-out $d/root.crl -crldays 1 "
+	. ">>$d/openssl.out 2>&1") == 0
+	or die "Can't update crl: $!\n";
+
+foreach my $name ('root.crt', 'root.crl', 'localhost.crt', 
'localhost.key') {
+	mkfifo("$d/$name.fifo", 0700);
+	$t->run_daemon(\&fifo_writer_daemon, $t, $name);
+}
+
+$t->write_file('t', '');
+
+$t->plan(2)->run();
+
+###############################################################################
+
+like(get(8443), qr/200 OK/, 'cached certificate');
+like(get(8444, 'client'), qr/200 OK/, 'cached CA and CRL');
+
+###############################################################################
+
+sub get {
+	my ($port, $cert) = @_;
+
+	http_get('/t',
+		PeerAddr => '127.0.0.1:' . port($port),
+		SSL => 1,
+		$cert ? (
+		SSL_cert_file => "$d/$cert.crt",
+		SSL_key_file => "$d/$cert.key"
+		) : ()
+	);
+}
+
+###############################################################################
+
+sub fifo_writer_daemon {
+	my ($t, $name) = @_;
+
+	my $content = $t->read_file($name);
+
+	while (1) {
+		$t->write_file("$name.fifo", $content);
+		# reset content after the first read
+		$content = "";
+	}
+}
+
+###############################################################################
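Review bot: The `mkfifo` call in the `foreach` over the fifo names is unchecked, so when it fails (a leftover path from an earlier run, or a filesystem without FIFO support) the daemon's `write_file` silently creates a regular file at `$d/$name.fifo`; nginx then reads an ordinary file on every load and both `like` checks pass without exercising the object cache at all. Matching the surrounding `or die` style, the line should become `mkfifo("$d/$name.fifo", 0700) or die "Can't create fifo for $name: $!\n";`. Separately, the mechanism the test relies on is only hinted at by the `# reset content after the first read` comment in `fifo_writer_daemon`; a short header comment there, e.g. `# Feed the real file to the first reader only; later opens get an empty file, so a second load of the same path presumably fails unless the object came from the cache`, would make the expectation explicit for the next maintainer.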

