Welcome! Log In Create A New Profile

Re: [PATCH 05 of 20] Tests: separate SSL session reuse tests in stream

Forum List Message List New Topic Print View

Maxim Dounin

March 23, 2023 10:18AM

Hello!

On Wed, Mar 22, 2023 at 01:55:48PM +0400, Sergey Kandaurov wrote:

> > On 18 Mar 2023, at 18:15, Maxim Dounin <mdounin@mdounin.ru> wrote:
> >
> > # HG changeset patch
> > # User Maxim Dounin <mdounin@mdounin.ru>
> > # Date 1679140351 -10800
> > # Sat Mar 18 14:52:31 2023 +0300
> > # Node ID 530336cb449dcb028a55a5a401a122d07521e3a4
> > # Parent 3ab3b2d1c2e67bc1f05e386218ceb08da873a477
> > Tests: separate SSL session reuse tests in stream.
> >
> > Instead of being mixed with generic SSL tests, session reuse variants
> > are now tested in a separate file.
> >
> > diff --git a/stream_ssl.t b/stream_ssl.t
> > --- a/stream_ssl.t
> > +++ b/stream_ssl.t
> > @@ -37,7 +37,7 @@ plan(skip_all => 'win32') if $^O eq 'MSW
> >
> > my $t = Test::Nginx->new()->has(qw/stream stream_ssl/)->has_daemon('openssl');
> >
> > -$t->plan(7)->write_file_expand('nginx.conf', <<'EOF');
> > +$t->plan(5)->write_file_expand('nginx.conf', <<'EOF');
> >
> > %%TEST_GLOBALS%%
> >
> > @@ -51,40 +51,35 @@ stream {
> >
> > ssl_certificate_key localhost.key;
> > ssl_certificate localhost.crt;
> > - ssl_session_tickets off;
> >
> > # inherited by server "inherits"
> > ssl_password_file password_stream;
> >
> > server {
> > - listen 127.0.0.1:8080 ssl;
> > + listen 127.0.0.1:8443 ssl;
> > proxy_pass 127.0.0.1:8081;
> >
> > - ssl_session_cache builtin;
> > ssl_password_file password;
> > }
> >
> > server {
> > - listen 127.0.0.1:8082 ssl;
> > + listen 127.0.0.1:8444 ssl;
> > proxy_pass 127.0.0.1:8081;
> >
> > - ssl_session_cache off;
> > ssl_password_file password_many;
> > }
> >
> > server {
> > - listen 127.0.0.1:8083 ssl;
> > + listen 127.0.0.1:8445 ssl;
> > proxy_pass 127.0.0.1:8081;
> >
> > - ssl_session_cache builtin:1000;
> > ssl_password_file password_fifo;
> > }
> >
> > server {
> > - listen 127.0.0.1:8084 ssl;
> > + listen 127.0.0.1:8446 ssl;
> > proxy_pass 127.0.0.1:8081;
> >
> > - ssl_session_cache shared:SSL:1m;
> > ssl_certificate_key inherits.key;
> > ssl_certificate inherits.crt;
> > }
> > @@ -138,52 +133,26 @@ kill 'INT', $p if $@;
> >
> > ###############################################################################
> >
> > -my ($s, $ssl, $ses);
> > +my ($s, $ssl);
> >
> > -($s, $ssl) = get_ssl_socket(port(8080));
> > +($s, $ssl) = get_ssl_socket(8443);
> > Net::SSLeay::write($ssl, "GET / HTTP/1.0$CRLF$CRLF");
> > like(Net::SSLeay::read($ssl), qr/200 OK/, 'ssl');
> >
> > -# ssl_session_cache
> > -
> > -($s, $ssl) = get_ssl_socket(port(8080));
> > +($s, $ssl) = get_ssl_socket(8444);
> > Net::SSLeay::write($ssl, "GET / HTTP/1.0$CRLF$CRLF");
> > -Net::SSLeay::read($ssl);
> > -$ses = Net::SSLeay::get_session($ssl);
> > -
> > -($s, $ssl) = get_ssl_socket(port(8080), $ses);
> > -is(Net::SSLeay::session_reused($ssl), 1, 'builtin session reused');
> > -
> > -($s, $ssl) = get_ssl_socket(port(8082));
> > -Net::SSLeay::write($ssl, "GET / HTTP/1.0$CRLF$CRLF");
> > -Net::SSLeay::read($ssl);
> > -$ses = Net::SSLeay::get_session($ssl);
> > +like(Net::SSLeay::read($ssl), qr/200 OK/, 'ssl password many');
> >
> > -($s, $ssl) = get_ssl_socket(port(8082), $ses);
> > -isnt(Net::SSLeay::session_reused($ssl), 1, 'session not reused');
> > -
> > -($s, $ssl) = get_ssl_socket(port(8083));
> > +($s, $ssl) = get_ssl_socket(8444);
>
> should be 8445

Fixed, thanks for catching.

> > Net::SSLeay::write($ssl, "GET / HTTP/1.0$CRLF$CRLF");
> > -Net::SSLeay::read($ssl);
> > -$ses = Net::SSLeay::get_session($ssl);
> > -
> > -($s, $ssl) = get_ssl_socket(port(8083), $ses);
> > -is(Net::SSLeay::session_reused($ssl), 1, 'builtin size session reused');
> > -
> > -($s, $ssl) = get_ssl_socket(port(8084));
> > -Net::SSLeay::write($ssl, "GET / HTTP/1.0$CRLF$CRLF");
> > -Net::SSLeay::read($ssl);
> > -$ses = Net::SSLeay::get_session($ssl);
> > -
> > -($s, $ssl) = get_ssl_socket(port(8084), $ses);
> > -is(Net::SSLeay::session_reused($ssl), 1, 'shared session reused');
> > +like(Net::SSLeay::read($ssl), qr/200 OK/, 'ssl password fifo');
> >
> > # ssl_certificate inheritance
> >
> > -($s, $ssl) = get_ssl_socket(port(8080));
> > +($s, $ssl) = get_ssl_socket(8443);
> > like(Net::SSLeay::dump_peer_certificate($ssl), qr/CN=localhost/, 'CN');
> >
> > -($s, $ssl) = get_ssl_socket(port(8084));
> > +($s, $ssl) = get_ssl_socket(8446);
> > like(Net::SSLeay::dump_peer_certificate($ssl), qr/CN=inherits/, 'CN inner');
> >
> > ###############################################################################
> > @@ -191,7 +160,7 @@ like(Net::SSLeay::dump_peer_certificate(
> > sub get_ssl_socket {
> > my ($port, $ses) = @_;
> >
> > - my $s = IO::Socket::INET->new('127.0.0.1:' . $port);
> > + my $s = IO::Socket::INET->new('127.0.0.1:' . port($port));
> > my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!");
> > Net::SSLeay::set_session($ssl, $ses) if defined $ses;
>
> Session test remnants can be cleaned up.

Removed, thanks.

> > Net::SSLeay::set_fd($ssl, fileno($s));
> > diff --git a/stream_ssl.t b/stream_ssl_session_reuse.t
> > copy from stream_ssl.t
> > copy to stream_ssl_session_reuse.t
> > --- a/stream_ssl.t
> > +++ b/stream_ssl_session_reuse.t
> > @@ -1,6 +1,7 @@
> > #!/usr/bin/perl
> >
> > # (C) Sergey Kandaurov
> > +# (C) Maxim Dounin
> > # (C) Nginx, Inc.
> >
> > # Tests for stream ssl module.
> > @@ -12,7 +13,6 @@ use strict;
> >
> > use Test::More;
> >
> > -use POSIX qw/ mkfifo /;
>
> This file can be run now on win32.

Yes, thanks, removed the win32 check.

>
> > use Socket qw/ $CRLF /;
> >
> > BEGIN { use FindBin; chdir($FindBin::Bin); }
> > @@ -49,44 +49,60 @@ events {
> > stream {
> > %%TEST_GLOBALS_STREAM%%
> >
> > + ssl_certificate localhost.crt;
> > ssl_certificate_key localhost.key;
> > - ssl_certificate localhost.crt;
> > - ssl_session_tickets off;
> >
> > - # inherited by server "inherits"
> > - ssl_password_file password_stream;
> > + server {
> > + listen 127.0.0.1:8443 ssl;
> > + proxy_pass 127.0.0.1:8081;
> > + }
> >
> > server {
> > - listen 127.0.0.1:8080 ssl;
> > + listen 127.0.0.1:8444 ssl;
> > proxy_pass 127.0.0.1:8081;
> >
> > - ssl_session_cache builtin;
> > - ssl_password_file password;
> > + ssl_session_cache shared:SSL:1m;
> > + ssl_session_tickets on;
> > + }
> > +
> > + server {
> > + listen 127.0.0.1:8445 ssl;
> > + proxy_pass 127.0.0.1:8081;
> > +
> > + ssl_session_cache shared:SSL:1m;
> > + ssl_session_tickets off;
> > }
> >
> > server {
> > - listen 127.0.0.1:8082 ssl;
> > + listen 127.0.0.1:8446 ssl;
> > proxy_pass 127.0.0.1:8081;
> >
> > - ssl_session_cache off;
> > - ssl_password_file password_many;
> > + ssl_session_cache builtin;
> > + ssl_session_tickets off;
> > }
> >
> > server {
> > - listen 127.0.0.1:8083 ssl;
> > + listen 127.0.0.1:8447 ssl;
> > proxy_pass 127.0.0.1:8081;
> >
> > ssl_session_cache builtin:1000;
> > - ssl_password_file password_fifo;
> > + ssl_session_tickets off;
> > }
> >
> > server {
> > - listen 127.0.0.1:8084 ssl;
> > + listen 127.0.0.1:8448 ssl;
> > proxy_pass 127.0.0.1:8081;
> >
> > - ssl_session_cache shared:SSL:1m;
> > - ssl_certificate_key inherits.key;
> > - ssl_certificate inherits.crt;
> > + ssl_session_cache none;
> > + ssl_session_tickets off;
> > + }
> > +
> > + server {
> > + listen 127.0.0.1:8449 ssl;
> > + proxy_pass 127.0.0.1:8081;
> > +
> > + ssl_session_cache off;
> > + ssl_session_tickets off;
> > }
> > }
> >
> > @@ -101,16 +117,11 @@ distinguished_name = req_distinguished_n
> > EOF
> >
> > my $d = $t->testdir();
> > -mkfifo("$d/password_fifo", 0700);
> >
> > -foreach my $name ('localhost', 'inherits') {
> > - system("openssl genrsa -out $d/$name.key -passout pass:$name "
> > - . "-aes128 2048 >>$d/openssl.out 2>&1") == 0
> > - or die "Can't create private key: $!\n";
> > +foreach my $name ('localhost') {
> > system('openssl req -x509 -new '
> > . "-config $d/openssl.conf -subj /CN=$name/ "
> > - . "-out $d/$name.crt "
> > - . "-key $d/$name.key -passin pass:$name"
> > + . "-out $d/$name.crt -keyout $d/$name.key "
> > . ">>$d/openssl.out 2>&1") == 0
> > or die "Can't create certificate for $name: $!\n";
> > }
> > @@ -118,80 +129,48 @@ foreach my $name ('localhost', 'inherits
> >
>
> This introduces one more occurrence of extra blank line on copy/paste,
> I'd rather fix it in both files.

Multiple blank lines not exactly violate style, but I agree that
it's probably better to remove these. Removed.

>
> [..]
>
> diff --git a/stream_ssl.t b/stream_ssl.t
> --- a/stream_ssl.t
> +++ b/stream_ssl.t
> @@ -110,7 +110,6 @@ foreach my $name ('localhost', 'inherits
> or die "Can't create certificate for $name: $!\n";
> }
>
> -
> my $ctx = Net::SSLeay::CTX_new() or die("Failed to create SSL_CTX $!");
>
> $t->write_file('password', 'localhost');
> @@ -143,7 +142,7 @@ like(Net::SSLeay::read($ssl), qr/200 OK/
> Net::SSLeay::write($ssl, "GET / HTTP/1.0$CRLF$CRLF");
> like(Net::SSLeay::read($ssl), qr/200 OK/, 'ssl password many');
>
> -($s, $ssl) = get_ssl_socket(8444);
> +($s, $ssl) = get_ssl_socket(8445);
> Net::SSLeay::write($ssl, "GET / HTTP/1.0$CRLF$CRLF");
> like(Net::SSLeay::read($ssl), qr/200 OK/, 'ssl password fifo');
>
> @@ -158,11 +157,10 @@ like(Net::SSLeay::dump_peer_certificate(
> ###############################################################################
>
> sub get_ssl_socket {
> - my ($port, $ses) = @_;
> + my ($port) = @_;
>
> my $s = IO::Socket::INET->new('127.0.0.1:' . port($port));
> my $ssl = Net::SSLeay::new($ctx) or die("Failed to create SSL $!");
> - Net::SSLeay::set_session($ssl, $ses) if defined $ses;
> Net::SSLeay::set_fd($ssl, fileno($s));
> Net::SSLeay::connect($ssl) or die("ssl connect");
> return ($s, $ssl);
> diff --git a/stream_ssl_session_reuse.t b/stream_ssl_session_reuse.t
> --- a/stream_ssl_session_reuse.t
> +++ b/stream_ssl_session_reuse.t
> @@ -33,8 +33,6 @@ eval {
> };
> plan(skip_all => 'Net::SSLeay not installed') if $@;
>
> -plan(skip_all => 'win32') if $^O eq 'MSWin32';
> -
> my $t = Test::Nginx->new()->has(qw/stream stream_ssl/)->has_daemon('openssl');
>
> $t->plan(7)->write_file_expand('nginx.conf', <<'EOF');
> @@ -126,7 +124,6 @@ foreach my $name ('localhost') {
> or die "Can't create certificate for $name: $!\n";
> }
>
> -
> my $ctx = Net::SSLeay::CTX_new() or die("Failed to create SSL_CTX $!");
>
> $t->run_daemon(\&http_daemon);

My diff matches, thanks.

--
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel

Reply Quote

RSS

Subject	Author	Views	Posted
[PATCH 00 of 20] tests suite fixes for TLSv1.3	Maxim Dounin	535	March 18, 2023 10:18AM
[PATCH 03 of 20] Tests: separate SSL session reuse tests in mail	Maxim Dounin	154	March 18, 2023 10:18AM
Re: [PATCH 03 of 20] Tests: separate SSL session reuse tests in mail	Sergey Kandaurov	130	March 22, 2023 05:22AM
Re: [PATCH 03 of 20] Tests: separate SSL session reuse tests in mail	Maxim Dounin	122	March 23, 2023 10:18AM
Re: [PATCH 03 of 20] Tests: separate SSL session reuse tests in mail	Sergey Kandaurov	144	March 22, 2023 05:48AM
Re: [PATCH 03 of 20] Tests: separate SSL session reuse tests in mail	Maxim Dounin	129	March 23, 2023 10:16AM
Re: [PATCH 03 of 20] Tests: separate SSL session reuse tests in mail	Sergey Kandaurov	125	March 23, 2023 12:00PM
[PATCH 01 of 20] Tests: separate SSL session reuse tests	Maxim Dounin	203	March 18, 2023 10:18AM
Re: [PATCH 01 of 20] Tests: separate SSL session reuse tests	Sergey Kandaurov	189	March 22, 2023 04:58AM
Re: [PATCH 01 of 20] Tests: separate SSL session reuse tests	Maxim Dounin	131	March 23, 2023 10:12AM
Re: [PATCH 01 of 20] Tests: separate SSL session reuse tests	Sergey Kandaurov	123	March 23, 2023 12:00PM
Re: [PATCH 01 of 20] Tests: separate SSL session reuse tests	Maxim Dounin	172	March 23, 2023 01:26PM
Re: [PATCH 01 of 20] Tests: separate SSL session reuse tests	Sergey Kandaurov	185	March 24, 2023 08:40AM
[PATCH 08 of 20] Tests: enabled session reuse via TLS session tickets	Maxim Dounin	130	March 18, 2023 10:20AM
[PATCH 07 of 20] Tests: BoringSSL does not provide session ids with TLSv1.3	Maxim Dounin	139	March 18, 2023 10:20AM
[PATCH 09 of 20] Tests: restored proper port numbers in ssl_sni_sessions.t	Maxim Dounin	132	March 18, 2023 10:20AM
[PATCH 10 of 20] Tests: disabled ssl_sni_sessions.t with LibreSSL and BoringSSL	Maxim Dounin	149	March 18, 2023 10:20AM
[PATCH 05 of 20] Tests: separate SSL session reuse tests in stream	Maxim Dounin	145	March 18, 2023 10:20AM
Re: [PATCH 05 of 20] Tests: separate SSL session reuse tests in stream	Sergey Kandaurov	141	March 22, 2023 05:56AM
Re: [PATCH 05 of 20] Tests: separate SSL session reuse tests in stream	Maxim Dounin	122	March 23, 2023 10:18AM
[PATCH 06 of 20] Tests: LibreSSL and BoringSSL session reuse with TLSv1.3 in mail	Maxim Dounin	131	March 18, 2023 10:20AM
Re: [PATCH 06 of 20] Tests: LibreSSL and BoringSSL session reuse with TLSv1.3 in mail	Sergey Kandaurov	129	March 22, 2023 06:00AM
Re: [PATCH 06 of 20] Tests: LibreSSL and BoringSSL session reuse with TLSv1.3 in mail	Maxim Dounin	118	March 23, 2023 10:18AM
[PATCH 12 of 20] Tests: fixed ssl_session_ticket_key.t with LibreSSL and TLSv1.3	Maxim Dounin	113	March 18, 2023 10:20AM
[PATCH 13 of 20] Tests: fixed ssl_sni.t with LibreSSL and TLSv1.3	Maxim Dounin	170	March 18, 2023 10:20AM
[PATCH 11 of 20] Tests: fixed proxy_ssl.t with LibreSSL and TLSv1.3	Maxim Dounin	161	March 18, 2023 10:20AM
[PATCH 14 of 20] Tests: LibreSSL certificate negotiation with TLSv1.3	Maxim Dounin	200	March 18, 2023 10:20AM
[PATCH 15 of 20] Tests: LibreSSL does not send CA lists with TLSv1.3	Maxim Dounin	160	March 18, 2023 10:20AM
Re: [PATCH 15 of 20] Tests: LibreSSL does not send CA lists with TLSv1.3	Sergey Kandaurov	144	March 22, 2023 06:40AM
[PATCH 16 of 20] Tests: fixed stream_proxy_ssl.t with LibreSSL and TLSv1.3	Maxim Dounin	193	March 18, 2023 10:20AM
[PATCH 18 of 20] Tests: cleaned up ssl_ocsp.t	Maxim Dounin	159	March 18, 2023 10:20AM
[PATCH 20 of 20] Tests: fixed ssl_ocsp.t with LibreSSL and TLSv1.3	Maxim Dounin	166	March 18, 2023 10:20AM
Re: [PATCH 20 of 20] Tests: fixed ssl_ocsp.t with LibreSSL and TLSv1.3	Sergey Kandaurov	152	March 22, 2023 07:12AM
Re: [PATCH 20 of 20] Tests: fixed ssl_ocsp.t with LibreSSL and TLSv1.3	Maxim Dounin	134	March 23, 2023 10:20AM
[PATCH 19 of 20] Tests: removed multiple server certificates from ssl_ocsp.t	Maxim Dounin	150	March 18, 2023 10:20AM
Re: [PATCH 19 of 20] Tests: removed multiple server certificates from ssl_ocsp.t	Sergey Kandaurov	135	March 22, 2023 07:06AM
Re: [PATCH 19 of 20] Tests: removed multiple server certificates from ssl_ocsp.t	Maxim Dounin	127	March 23, 2023 10:18AM
[PATCH 17 of 20] Tests: fixed stream_ssl_variables.t.t with LibreSSL and TLSv1.3	Maxim Dounin	139	March 18, 2023 10:20AM
Re: [PATCH 00 of 20] tests suite fixes for TLSv1.3	Sergey Kandaurov	120	March 22, 2023 07:44AM
Re: [PATCH 00 of 20] tests suite fixes for TLSv1.3	Maxim Dounin	143	March 23, 2023 10:20AM
Re: [PATCH 00 of 20] tests suite fixes for TLSv1.3	Sergey Kandaurov	120	March 23, 2023 12:02PM
Re: [PATCH 00 of 20] tests suite fixes for TLSv1.3	Maxim Dounin	116	March 23, 2023 12:54PM

Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 286

Record Number of Users: 8 on April 13, 2023

Record Number of Guests: 421 on December 02, 2018