Welcome! Log In Create A New Profile

Re: [PATCH 03 of 20] Tests: separate SSL session reuse tests in mail

Forum List Message List New Topic Print View

Maxim Dounin

March 23, 2023 10:16AM

Hello!

On Wed, Mar 22, 2023 at 01:46:33PM +0400, Sergey Kandaurov wrote:

> > On 18 Mar 2023, at 18:14, Maxim Dounin <mdounin@mdounin.ru> wrote:
> >
> > # HG changeset patch
> > # User Maxim Dounin <mdounin@mdounin.ru>
> > # Date 1679107816 -10800
> > # Sat Mar 18 05:50:16 2023 +0300
> > # Node ID 97b09b6633f69747c0d6ef13c76739bdd6b7f3bb
> > # Parent 125fb8461d88a81a62ccb40d0e205a01ecc759f5
> > Tests: separate SSL session reuse tests in mail.
> >
> > Instead of being mixed with generic SSL tests, session reuse variants
> > are now tested in a separate file.
> >
> > [..]
> > diff --git a/mail_ssl.t b/mail_ssl_session_reuse.t
> > copy from mail_ssl.t
> > copy to mail_ssl_session_reuse.t
> > --- a/mail_ssl.t
> > +++ b/mail_ssl_session_reuse.t
> > @@ -1,6 +1,7 @@
> > #!/usr/bin/perl
> >
> > # (C) Andrey Zelenkov
> > +# (C) Maxim Dounin
> > # (C) Nginx, Inc.
> >
> > # Tests for mail ssl module.
> > @@ -33,11 +34,8 @@ eval {
> > };
> > plan(skip_all => 'Net::SSLeay not installed') if $@;
> >
> > -eval { exists &Net::SSLeay::P_alpn_selected or die; };
> > -plan(skip_all => 'Net::SSLeay with OpenSSL ALPN support required') if $@;
> > -
> > -my $t = Test::Nginx->new()->has(qw/mail mail_ssl imap pop3 smtp/)
> > - ->has_daemon('openssl')->plan(22);
> > +my $t = Test::Nginx->new()->has(qw/mail mail_ssl imap/)
> > + ->has_daemon('openssl')->plan(7);
> >
> > $t->write_file_expand('nginx.conf', <<'EOF');
> >
> > @@ -49,90 +47,62 @@ events {
> > }
> >
> > mail {
> > - ssl_certificate_key localhost.key;
> > - ssl_certificate localhost.crt;
> > - ssl_session_tickets off;
> > + auth_http http://127.0.0.1:8080;
> >
> > - ssl_password_file password;
> > -
> > - auth_http http://127.0.0.1:8080; # unused
> > -
> > - ssl_session_cache none;
> > + ssl_certificate localhost.crt;
> > + ssl_certificate_key localhost.key;
> >
> > server {
> > - listen 127.0.0.1:8143;
> > - listen 127.0.0.1:8145 ssl;
> > - protocol imap;
> > -
> > - ssl_session_cache builtin;
> > + listen 127.0.0.1:8993 ssl;
> > + protocol imap;
> > }
> >
> > server {
> > - listen 127.0.0.1:8146 ssl;
> > - protocol imap;
> > + listen 127.0.0.1:8994 ssl;
> > + protocol imap;
> >
> > - ssl_session_cache off;
> > + ssl_session_cache shared:SSL:1m;
> > + ssl_session_tickets on;
> > }
> >
> > server {
> > - listen 127.0.0.1:8147;
> > - protocol imap;
> > + listen 127.0.0.1:8995 ssl;
> > + protocol imap;
> >
> > - # Special case for enabled "ssl" directive.
> > -
> > - ssl on;
> > - ssl_session_cache builtin:1000;
> > + ssl_session_cache shared:SSL:1m;
> > + ssl_session_tickets off;
> > }
> >
> > server {
> > - listen 127.0.0.1:8148 ssl;
> > - protocol imap;
> > -
> > - ssl_session_cache shared:SSL:1m;
> > - ssl_certificate_key inherits.key;
> > - ssl_certificate inherits.crt;
> > - }
> > + listen 127.0.0.1:8996 ssl;
> > + protocol imap;
> >
> > - server {
> > - listen 127.0.0.1:8149;
> > - protocol imap;
> > -
> > - starttls on;
> > - }
> > -
> > - server {
> > - listen 127.0.0.1:8150;
> > - protocol imap;
> > -
> > - starttls only;
> > + ssl_session_cache builtin;
> > + ssl_session_tickets off;
> > }
> >
> > server {
> > - listen 127.0.0.1:8151;
> > - protocol pop3;
> > + listen 127.0.0.1:8997 ssl;
> > + protocol imap;
> >
> > - starttls on;
> > + ssl_session_cache builtin:1000;
> > + ssl_session_tickets off;
> > }
> >
> > server {
> > - listen 127.0.0.1:8152;
> > - protocol pop3;
> > + listen 127.0.0.1:8998 ssl;
> > + protocol imap;
> >
> > - starttls only;
> > + ssl_session_cache none;
> > + ssl_session_tickets off;
> > }
> >
> > server {
> > - listen 127.0.0.1:8153;
> > - protocol smtp;
> > -
> > - starttls on;
> > - }
> > + listen 127.0.0.1:8999 ssl;
> > + protocol imap;
> >
> > - server {
> > - listen 127.0.0.1:8154;
> > - protocol smtp;
> > -
> > - starttls only;
> > + ssl_session_cache off;
> > + ssl_session_tickets off;
> > }
> > }
> >
> > @@ -148,181 +118,57 @@ EOF
> >
> > my $d = $t->testdir();
> >
> > -foreach my $name ('localhost', 'inherits') {
> > - system("openssl genrsa -out $d/$name.key -passout pass:localhost "
> > - . "-aes128 2048 >>$d/openssl.out 2>&1") == 0
> > - or die "Can't create private key: $!\n";
> > +foreach my $name ('localhost') {
> > system('openssl req -x509 -new '
> > . "-config $d/openssl.conf -subj /CN=$name/ "
> > - . "-out $d/$name.crt "
> > - . "-key $d/$name.key -passin pass:localhost"
> > + . "-out $d/$name.crt -keyout $d/$name.key "
> > . ">>$d/openssl.out 2>&1") == 0
> > or die "Can't create certificate for $name: $!\n";
> > }
> >
> > my $ctx = Net::SSLeay::CTX_new() or die("Failed to create SSL_CTX $!");
> > -$t->write_file('password', 'localhost');
> >
> > -open OLDERR, ">&", \*STDERR; close STDERR;
> > $t->run();
> > -open STDERR, ">&", \*OLDERR;
> >
> > ###############################################################################
> >
> > [..]
> > +# session reuse:
> > +#
> > +# - only tickets, the default
> > +# - tickets and shared cache
>
> "should work always", like in http and stream?

Added, thanks.

> > +# - only shared cache
> > +# - only builtin cache
> > +# - only builtin cache with explicitly configured size
> > +# - only cache none
> > +# - only cache off
> >
> > [..]
> > +is(test_reuse(8993), 1, 'tickets reused');
> > +is(test_reuse(8994), 1, 'tickets and cache reused');
> > +is(test_reuse(8995), 1, 'cache shared reused');
> > +is(test_reuse(8996), 1, 'cache builtin reused');
> > +is(test_reuse(8997), 1, 'cache builtin size reused');
> > +is(test_reuse(8998), 0, 'cache none not reused');
> > +is(test_reuse(8999), 0, 'cache off not reused');
> >
> > ###############################################################################
> >
> > +sub test_reuse {
> > + my ($port) = @_;
> > + my ($s, $ssl) = get_ssl_socket($port);
> > + Net::SSLeay::read($ssl);
> > + my $ses = Net::SSLeay::get_session($ssl);
> > + ($s, $ssl) = get_ssl_socket($port, $ses);
> > + return Net::SSLeay::session_reused($ssl);
> > +}
> > +
> > sub get_ssl_socket {
> > - my ($port, $ses, $alpn) = @_;
> > + my ($port, $ses) = @_;
> >
> > my $s = IO::Socket::INET->new('127.0.0.1:' . port($port));
> > my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!");
> > Net::SSLeay::set_session($ssl, $ses) if defined $ses;
> > - Net::SSLeay::set_alpn_protos($ssl, $alpn) if defined $alpn;
> > Net::SSLeay::set_fd($ssl, fileno($s));
> > Net::SSLeay::connect($ssl) == 1 or return;
>
> Since this won't fail anymore on ALPN checks,
> you can convert this back to die.

Strictly speaking, it shouldn't die regardless of whether
connect() can legitimately fail during tests or not. If connect()
fails (for example, due to a bug in some of the session reuse
variants), it still should run other tests.

Fixing this (and other issues, such as missing timeout and SIGPIPE
handling) is out of the scope of this patch series though.

> > return ($s, $ssl);

--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel

Reply Quote

RSS

Subject	Author	Views	Posted
[PATCH 00 of 20] tests suite fixes for TLSv1.3	Maxim Dounin	535	March 18, 2023 10:18AM
[PATCH 03 of 20] Tests: separate SSL session reuse tests in mail	Maxim Dounin	154	March 18, 2023 10:18AM
Re: [PATCH 03 of 20] Tests: separate SSL session reuse tests in mail	Sergey Kandaurov	130	March 22, 2023 05:22AM
Re: [PATCH 03 of 20] Tests: separate SSL session reuse tests in mail	Maxim Dounin	123	March 23, 2023 10:18AM
Re: [PATCH 03 of 20] Tests: separate SSL session reuse tests in mail	Sergey Kandaurov	145	March 22, 2023 05:48AM
Re: [PATCH 03 of 20] Tests: separate SSL session reuse tests in mail	Maxim Dounin	129	March 23, 2023 10:16AM
Re: [PATCH 03 of 20] Tests: separate SSL session reuse tests in mail	Sergey Kandaurov	125	March 23, 2023 12:00PM
[PATCH 01 of 20] Tests: separate SSL session reuse tests	Maxim Dounin	203	March 18, 2023 10:18AM
Re: [PATCH 01 of 20] Tests: separate SSL session reuse tests	Sergey Kandaurov	190	March 22, 2023 04:58AM
Re: [PATCH 01 of 20] Tests: separate SSL session reuse tests	Maxim Dounin	131	March 23, 2023 10:12AM
Re: [PATCH 01 of 20] Tests: separate SSL session reuse tests	Sergey Kandaurov	124	March 23, 2023 12:00PM
Re: [PATCH 01 of 20] Tests: separate SSL session reuse tests	Maxim Dounin	172	March 23, 2023 01:26PM
Re: [PATCH 01 of 20] Tests: separate SSL session reuse tests	Sergey Kandaurov	189	March 24, 2023 08:40AM
[PATCH 08 of 20] Tests: enabled session reuse via TLS session tickets	Maxim Dounin	131	March 18, 2023 10:20AM
[PATCH 07 of 20] Tests: BoringSSL does not provide session ids with TLSv1.3	Maxim Dounin	139	March 18, 2023 10:20AM
[PATCH 09 of 20] Tests: restored proper port numbers in ssl_sni_sessions.t	Maxim Dounin	133	March 18, 2023 10:20AM
[PATCH 10 of 20] Tests: disabled ssl_sni_sessions.t with LibreSSL and BoringSSL	Maxim Dounin	149	March 18, 2023 10:20AM
[PATCH 05 of 20] Tests: separate SSL session reuse tests in stream	Maxim Dounin	145	March 18, 2023 10:20AM
Re: [PATCH 05 of 20] Tests: separate SSL session reuse tests in stream	Sergey Kandaurov	141	March 22, 2023 05:56AM
Re: [PATCH 05 of 20] Tests: separate SSL session reuse tests in stream	Maxim Dounin	123	March 23, 2023 10:18AM
[PATCH 06 of 20] Tests: LibreSSL and BoringSSL session reuse with TLSv1.3 in mail	Maxim Dounin	132	March 18, 2023 10:20AM
Re: [PATCH 06 of 20] Tests: LibreSSL and BoringSSL session reuse with TLSv1.3 in mail	Sergey Kandaurov	129	March 22, 2023 06:00AM
Re: [PATCH 06 of 20] Tests: LibreSSL and BoringSSL session reuse with TLSv1.3 in mail	Maxim Dounin	119	March 23, 2023 10:18AM
[PATCH 12 of 20] Tests: fixed ssl_session_ticket_key.t with LibreSSL and TLSv1.3	Maxim Dounin	114	March 18, 2023 10:20AM
[PATCH 13 of 20] Tests: fixed ssl_sni.t with LibreSSL and TLSv1.3	Maxim Dounin	171	March 18, 2023 10:20AM
[PATCH 11 of 20] Tests: fixed proxy_ssl.t with LibreSSL and TLSv1.3	Maxim Dounin	161	March 18, 2023 10:20AM
[PATCH 14 of 20] Tests: LibreSSL certificate negotiation with TLSv1.3	Maxim Dounin	200	March 18, 2023 10:20AM
[PATCH 15 of 20] Tests: LibreSSL does not send CA lists with TLSv1.3	Maxim Dounin	161	March 18, 2023 10:20AM
Re: [PATCH 15 of 20] Tests: LibreSSL does not send CA lists with TLSv1.3	Sergey Kandaurov	145	March 22, 2023 06:40AM
[PATCH 16 of 20] Tests: fixed stream_proxy_ssl.t with LibreSSL and TLSv1.3	Maxim Dounin	193	March 18, 2023 10:20AM
[PATCH 18 of 20] Tests: cleaned up ssl_ocsp.t	Maxim Dounin	161	March 18, 2023 10:20AM
[PATCH 20 of 20] Tests: fixed ssl_ocsp.t with LibreSSL and TLSv1.3	Maxim Dounin	166	March 18, 2023 10:20AM
Re: [PATCH 20 of 20] Tests: fixed ssl_ocsp.t with LibreSSL and TLSv1.3	Sergey Kandaurov	153	March 22, 2023 07:12AM
Re: [PATCH 20 of 20] Tests: fixed ssl_ocsp.t with LibreSSL and TLSv1.3	Maxim Dounin	135	March 23, 2023 10:20AM
[PATCH 19 of 20] Tests: removed multiple server certificates from ssl_ocsp.t	Maxim Dounin	150	March 18, 2023 10:20AM
Re: [PATCH 19 of 20] Tests: removed multiple server certificates from ssl_ocsp.t	Sergey Kandaurov	136	March 22, 2023 07:06AM
Re: [PATCH 19 of 20] Tests: removed multiple server certificates from ssl_ocsp.t	Maxim Dounin	127	March 23, 2023 10:18AM
[PATCH 17 of 20] Tests: fixed stream_ssl_variables.t.t with LibreSSL and TLSv1.3	Maxim Dounin	139	March 18, 2023 10:20AM
Re: [PATCH 00 of 20] tests suite fixes for TLSv1.3	Sergey Kandaurov	120	March 22, 2023 07:44AM
Re: [PATCH 00 of 20] tests suite fixes for TLSv1.3	Maxim Dounin	144	March 23, 2023 10:20AM
Re: [PATCH 00 of 20] tests suite fixes for TLSv1.3	Sergey Kandaurov	120	March 23, 2023 12:02PM
Re: [PATCH 00 of 20] tests suite fixes for TLSv1.3	Maxim Dounin	117	March 23, 2023 12:54PM

Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 306

Record Number of Users: 8 on April 13, 2023

Record Number of Guests: 421 on December 02, 2018