[PATCH 0 of 6] SSL object cache
Aleksei Bavshin
a.bavshin at nginx.com
Wed Aug 21 22:56:50 UTC 2024
On 8/21/2024 3:04 PM, Sergey Kandaurov wrote:
> Largely updated series based on my comments.
Tests:
# HG changeset patch
# User Aleksei Bavshin <a.bavshin at nginx.com>
# Date 1724280833 25200
# Wed Aug 21 15:53:53 2024 -0700
# Node ID 2a79edf2beb86ab81af8663ecd27fe632eb9e174
# Parent f5ef37b2e2604afb0dc155e1ae92c6807f0645b9
Tests: SSL object cache tests.
diff --git a/ssl_cache.t b/ssl_cache.t
new file mode 100644
--- /dev/null
+++ b/ssl_cache.t
@@ -0,0 +1,174 @@
+#!/usr/bin/perl
+
+# (C) Nginx, Inc.
+
+# Tests for SSL object cache.
+
+###############################################################################
+
+use warnings;
+use strict;
+
+use Test::More;
+
+use POSIX qw/ mkfifo /;
+
+BEGIN { use FindBin; chdir($FindBin::Bin); }
+
+use lib 'lib';
+use Test::Nginx;
+
+###############################################################################
+
+select STDERR; $| = 1;
+select STDOUT; $| = 1;
+
+plan(skip_all => 'win32') if $^O eq 'MSWin32';
+
+my $t = Test::Nginx->new();
+
+plan(skip_all => "not yet") unless $t->has_version('1.27.2');
+
+$t->has(qw/http http_ssl socket_ssl/)->has_daemon('openssl')
+ ->write_file_expand('nginx.conf', <<'EOF');
+
+%%TEST_GLOBALS%%
+
+daemon off;
+
+events {
+}
+
+http {
+ %%TEST_GLOBALS_HTTP%%
+
+ server {
+ listen 127.0.0.1:8443 ssl;
+ server_name localhost;
+
+ ssl_certificate localhost.crt.fifo;
+ ssl_certificate_key localhost.key.fifo;
+
+ ssl_trusted_certificate root.crt.fifo;
+ ssl_crl root.crl.fifo;
+ }
+
+ server {
+ listen 127.0.0.1:8444 ssl;
+ server_name localhost;
+
+ ssl_certificate localhost.crt.fifo;
+ ssl_certificate_key localhost.key.fifo;
+
+ ssl_verify_client on;
+ ssl_client_certificate root.crt.fifo;
+ ssl_crl root.crl.fifo;
+ }
+}
+
+EOF
+
+my $d = $t->testdir();
+
+$t->write_file('openssl.conf', <<EOF);
+[ req ]
+default_bits = 2048
+encrypt_key = no
+distinguished_name = req_distinguished_name
+x509_extensions = myca_extensions
+[ req_distinguished_name ]
+[ myca_extensions ]
+basicConstraints = critical,CA:TRUE
+EOF
+
+$t->write_file('ca.conf', <<EOF);
+[ ca ]
+default_ca = myca
+
+[ myca ]
+new_certs_dir = $d
+database = $d/certindex
+default_md = sha256
+policy = myca_policy
+serial = $d/certserial
+default_days = 1
+
+[ myca_policy ]
+commonName = supplied
+EOF
+
+foreach my $name ('root', 'localhost') {
+ system('openssl req -x509 -new '
+ . "-config $d/openssl.conf -subj /CN=$name/ "
+ . "-out $d/$name.crt -keyout $d/$name.key "
+ . ">>$d/openssl.out 2>&1") == 0
+ or die "Can't create certificate for $name: $!\n";
+}
+
+$t->write_file('certserial', '1000');
+$t->write_file('certindex', '');
+
+foreach my $name ('client') {
+ system('openssl req -new '
+ . "-config $d/openssl.conf -subj /CN=$name/ "
+ . "-out $d/$name.csr -keyout $d/$name.key "
+ . ">>$d/openssl.out 2>&1") == 0
+ or die "Can't create certificate for $name: $!\n";
+
+ system("openssl ca -batch -config $d/ca.conf "
+ . "-keyfile $d/root.key -cert $d/root.crt "
+ . "-subj /CN=$name/ -in $d/$name.csr -out $d/$name.crt "
+ . ">>$d/openssl.out 2>&1") == 0
+ or die "Can't sign certificate for $name: $!\n";
+}
+
+system("openssl ca -gencrl -config $d/ca.conf "
+ . "-keyfile $d/root.key -cert $d/root.crt "
+ . "-out $d/root.crl -crldays 1 "
+ . ">>$d/openssl.out 2>&1") == 0
+ or die "Can't update crl: $!\n";
+
+foreach my $name ('root.crt', 'root.crl', 'localhost.crt',
'localhost.key') {
+ mkfifo("$d/$name.fifo", 0700);
+ $t->run_daemon(\&fifo_writer_daemon, $t, $name);
+}
+
+$t->write_file('t', '');
+
+$t->plan(2)->run();
+
+###############################################################################
+
+like(get(8443), qr/200 OK/, 'cached certificate');
+like(get(8444, 'client'), qr/200 OK/, 'cached CA and CRL');
+
+###############################################################################
+
+sub get {
+ my ($port, $cert) = @_;
+
+ http_get('/t',
+ PeerAddr => '127.0.0.1:' . port($port),
+ SSL => 1,
+ $cert ? (
+ SSL_cert_file => "$d/$cert.crt",
+ SSL_key_file => "$d/$cert.key"
+ ) : ()
+ );
+}
+
+###############################################################################
+
+sub fifo_writer_daemon {
+ my ($t, $name) = @_;
+
+ my $content = $t->read_file($name);
+
+ while (1) {
+ $t->write_file("$name.fifo", $content);
+ # reset content after the first read
+ $content = "";
+ }
+}
+
+###############################################################################
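Review bot: The `mkfifo("$d/$name.fifo", 0700);` call in the loop at the top of the FIFO setup is not checked for success, and the test depends on those paths really being FIFOs. If `mkfifo` fails (a filesystem that does not support named pipes, a stale file from a previous run), `write_file` in `fifo_writer_daemon` would simply create a regular `*.fifo` file that nginx can re-read any number of times, so both `like(get(...), qr/200 OK/, ...)` checks would pass without exercising the object cache at all — a silent false positive rather than a failure. Check the return value in the same style the script already uses for the openssl invocations: `mkfifo("$d/$name.fifo", 0700) or die "Can't create fifo for $name: $!\n";`. Because the daemon deliberately hands out empty content after the first read, it is also worth a one-line comment above the loop stating that a second read of any `*.fifo` path must fail, since that is the mechanism by which a missing cache would surface as a startup error.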