Merge pull request #17 from julek-wolfssl/1.21.4

Add Nginx 1.21.4 support
Sean Parkinson 2021-12-08 08:30:57 +10:00 committed by GitHub
commit 4a26ffc117
4 changed files with 899 additions and 5 deletions


@ -8,6 +8,8 @@ and recompilation is required.
The tested versions:
- wolfSSL 3.14
- wolfSSL 3.13.0 (with patch applied: wolfssl-3.13.0-nginx.patch)
- Nginx 1.21.4
- Nginx 1.19.6
- Nginx 1.17.5
- Nginx 1.16.1
- Nginx 1.15.0
@ -45,15 +47,54 @@ Now rebuild Nginx:
### Testing
#### `nginx-tests`
Nginx has a repository of tests that can be obtained with the following command:
- git clone https://github.com/nginx/nginx-tests.git
To run the tests see the README. Tests are expected to pass with exceptions. An example of running the tests:
1. Change into nginx-tests directory.
2. Run tests: TEST_NGINX_BINARY=../nginx-<nginx-version>-wolfssl/objs/nginx prove .
To run the tests see the `nginx-tests` README. Tests are expected to pass with
exceptions. An example of running the tests:
1. Change into the `nginx-tests` directory.
2. Run tests: `TEST_NGINX_BINARY=../nginx-<nginx-version>-wolfssl/objs/nginx prove .`
There will be failures of SSL tests for the following reasons:
- using non-default, insecure cipher suites, multiple certificate chains not supported (ssl_certificate.t)
There are patch sets available in the `nginx-tests-patches` directory for the
nginx-tests testsuite. These patches fix issues with running the tests against
a version of Nginx that was compiled with wolfSSL. They also add some further
debug capabilities. The patch file names are in the structure:
```
<year>-<month>-<day>-<nginx-tests commit>.patch
```
The patch should be applied before running any tests using `patch -p1 < <path/to/patch>`.
The date and commit hash in the file name refer to the version of nginx-tests
that the patch was prepared for.
#### Debugging `nginx-tests`
To use the new gdbserver feature, the Nginx configuration of the test needs to
be changed to include `master_process off;`. This can be done for all tests
with the following `sed` command. Please note that some tests rely on on a
master and worker process structure. Please check if the test passes without
configuration changes first.
```
sed -e 's/daemon off;/master_process off;\ndaemon off;/g' -i *.t
```
For an easy way to remove all of the `master_process off;` changes, please use
this `perl` command:
```
perl -0777 -i -pe 's/master_process off;\n//g' *.t
```
#### `nginx-tests` Caveats
Without applying the appropriate patchset, there will be failures of SSL tests
for the following reasons:
- using non-default, insecure cipher suites, multiple certificate chains not
supported (ssl_certificate.t)
- using non-default, insecure cipher suites (ssl_stapling.t)
Note: the file ssl_ecc.t in wolfssl-nginx can be used with the Nginx test
@ -63,6 +104,8 @@ file in nginx-tests to work with wolfSSL. The version available in the testing
repository uses different certs on the same server. This is not supported
by wolfSSL so this patch moves the certs to separate server instances.
#### Internal Tests
There are additional tests available in wolfssl-nginx. These are in addition
to the Nginx tests. The OpenSSL's superapp is required for OCSP Stapling
testing. To test:


@ -0,0 +1,19 @@
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index b75cc503..7bada388 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -167,6 +167,11 @@ ngx_ssl_init(ngx_log_t *log)
#endif
+#ifdef WOLFSSL_NGINX
+ /* Turn on internal wolfssl debugging to stdout */
+ wolfSSL_Debugging_ON();
+#endif
+
#ifndef SSL_OP_NO_COMPRESSION
{
/*
--
2.25.1
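Review bot: The new `wolfSSL_Debugging_ON()` call in ngx_ssl_init discards its return value, and wolfSSL only enables its trace output when the library itself was built with debugging compiled in (otherwise the call returns an error and does nothing), so someone applying this patch against a release build of wolfSSL gets silence with no hint why. Check the result and report it through the `log` parameter ngx_ssl_init already receives, e.g. `if (wolfSSL_Debugging_ON() != 0) {` / `    ngx_log_error(NGX_LOG_WARN, log, 0, "wolfSSL debugging not compiled in");` / `}`. Because this turns on library-internal tracing to stdout for every build that defines WOLFSSL_NGINX, the comment above the call should also state that the patch is intended for test builds only, e.g. `/* Debug-only patch: enables wolfSSL internal tracing; do not apply to production builds */`. ngx_ssl_init's body begins and ends outside the hunk.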


@ -0,0 +1,321 @@
diff --git a/auto/lib/openssl/conf b/auto/lib/openssl/conf
index 4fb52df7..4fe4b4a7 100644
--- a/auto/lib/openssl/conf
+++ b/auto/lib/openssl/conf
@@ -62,8 +62,33 @@ else
ngx_feature_path=
ngx_feature_libs="-lssl -lcrypto $NGX_LIBDL $NGX_LIBPTHREAD"
ngx_feature_test="SSL_CTX_set_options(NULL, 0)"
+
+ if [ $WOLFSSL != NONE ]; then
+ ngx_feature="wolfSSL library in $WOLFSSL"
+ ngx_feature_path="$WOLFSSL/include/wolfssl $WOLFSSL/include"
+
+ if [ $NGX_RPATH = YES ]; then
+ ngx_feature_libs="-R$WOLFSSL/lib -L$WOLFSSL/lib -lwolfssl $NGX_LIBDL"
+ else
+ ngx_feature_libs="-L$WOLFSSL/lib -lwolfssl $NGX_LIBDL"
+ fi
+
+ CORE_INCS="$CORE_INCS $WOLFSSL/include/wolfssl"
+ CFLAGS="$CFLAGS -DWOLFSSL_NGINX"
+ fi
+
. auto/feature
+ if [ $WOLFSSL != NONE -a $ngx_found = no ]; then
+cat << END
+
+$0: error: Could not find wolfSSL at $WOLFSSL/include/wolfssl.
+SSL modules require the wolfSSL library.
+
+END
+ exit 1
+ fi
+
if [ $ngx_found = no ]; then
# FreeBSD port
diff --git a/auto/options b/auto/options
index 80be906e..8767aa33 100644
--- a/auto/options
+++ b/auto/options
@@ -149,6 +149,7 @@ PCRE_JIT=NO
USE_OPENSSL=NO
OPENSSL=NONE
+WOLFSSL=NONE
USE_ZLIB=NO
ZLIB=NONE
@@ -358,6 +359,7 @@ use the \"--with-mail_ssl_module\" option instead"
--with-pcre-opt=*) PCRE_OPT="$value" ;;
--with-pcre-jit) PCRE_JIT=YES ;;
+ --with-wolfssl=*) WOLFSSL="$value" ;;
--with-openssl=*) OPENSSL="$value" ;;
--with-openssl-opt=*) OPENSSL_OPT="$value" ;;
@@ -583,6 +585,7 @@ cat << END
--with-libatomic force libatomic_ops library usage
--with-libatomic=DIR set path to libatomic_ops library sources
+ --with-wolfssl=DIR set path to wolfSSL headers and library
--with-openssl=DIR set path to OpenSSL library sources
--with-openssl-opt=OPTIONS set additional build options for OpenSSL
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index 84afecd0..fe7e328e 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -353,6 +353,8 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
}
#endif
+#ifndef WOLFSSL_NGINX
+ /* These override the options set above. No need to call this. */
#ifdef SSL_CTX_set_min_proto_version
SSL_CTX_set_min_proto_version(ssl->ctx, 0);
SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_2_VERSION);
@@ -362,6 +364,7 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
SSL_CTX_set_min_proto_version(ssl->ctx, 0);
SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_3_VERSION);
#endif
+#endif
#ifdef SSL_OP_NO_COMPRESSION
SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION);
@@ -391,6 +394,12 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback);
+#ifdef WOLFSSL_NGINX
+ SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_NONE, NULL);
+ wolfSSL_CTX_allow_anon_cipher(ssl->ctx);
+ wolfSSL_CTX_set_group_messages(ssl->ctx);
+#endif
+
return NGX_OK;
}
@@ -864,6 +873,14 @@ ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers,
}
+ngx_int_t
+ngx_ssl_set_verify_on(ngx_conf_t *cf, ngx_ssl_t *ssl)
+{
+ SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, ngx_ssl_verify_callback);
+
+ return NGX_OK;
+}
+
ngx_int_t
ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
ngx_int_t depth)
@@ -1407,7 +1424,8 @@ ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name)
* maximum interoperability.
*/
-#if (defined SSL_CTX_set1_curves_list || defined SSL_CTRL_SET_CURVES_LIST)
+#if (defined SSL_CTX_set1_curves_list || defined SSL_CTRL_SET_CURVES_LIST) || \
+ defined(WOLFSSL_NGINX)
/*
* OpenSSL 1.0.2+ allows configuring a curve list instead of a single
@@ -1599,10 +1617,26 @@ static int
ngx_ssl_new_client_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess)
{
ngx_connection_t *c;
+#ifdef WOLFSSL_NGINX
+ int len;
+#endif
c = ngx_ssl_get_connection(ssl_conn);
if (c->ssl->save_session) {
+#ifdef WOLFSSL_NGINX
+ len = i2d_SSL_SESSION(sess, NULL);
+
+ /* do not cache too big session */
+ if (len > NGX_SSL_MAX_SESSION_SIZE) {
+ return -1;
+ }
+
+ if (!(sess = SSL_SESSION_dup(sess))) {
+ return -1;
+ }
+#endif
+
c->ssl->session = sess;
c->ssl->save_session(c);
@@ -1674,7 +1708,9 @@ ngx_ssl_get_session(ngx_connection_t *c)
{
#ifdef TLS1_3_VERSION
if (c->ssl->session) {
+ #if !defined(WOLFSSL_NGINX)
SSL_SESSION_up_ref(c->ssl->session);
+ #endif
return c->ssl->session;
}
#endif
@@ -4357,7 +4393,8 @@ ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn,
return -1;
}
-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L && \
+ (!defined(WOLFSSL_NGINX) || !defined(HAVE_FIPS))
if (HMAC_Init_ex(hctx, key[0].hmac_key, size, digest, NULL) != 1) {
ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed");
return -1;
@@ -4400,7 +4437,8 @@ ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn,
size = 32;
}
-#if OPENSSL_VERSION_NUMBER >= 0x10000000L
+#if OPENSSL_VERSION_NUMBER >= 0x10000000L && \
+ (!defined(WOLFSSL_NGINX) || !defined(HAVE_FIPS))
if (HMAC_Init_ex(hctx, key[i].hmac_key, size, digest, NULL) != 1) {
ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed");
return -1;
diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
index 4afdfad4..053999a8 100644
--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@@ -14,6 +14,10 @@
#define OPENSSL_SUPPRESS_DEPRECATED
+#ifdef WOLFSSL_NGINX
+#include <wolfssl/options.h>
+#include <openssl/pem.h>
+#endif
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/bn.h>
@@ -60,7 +64,7 @@
#define ngx_ssl_conn_t SSL
-#if (OPENSSL_VERSION_NUMBER < 0x10002000L)
+#if (OPENSSL_VERSION_NUMBER < 0x10002000L) && !defined(WOLFSSL_NGINX)
#define SSL_is_server(s) (s)->server
#endif
@@ -191,6 +195,7 @@ ngx_int_t ngx_ssl_connection_certificate(ngx_connection_t *c, ngx_pool_t *pool,
ngx_int_t ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers,
ngx_uint_t prefer_server_ciphers);
+ngx_int_t ngx_ssl_set_verify_on(ngx_conf_t *cf, ngx_ssl_t *ssl);
ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_str_t *cert, ngx_int_t depth);
ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
diff --git a/src/event/ngx_event_openssl_stapling.c b/src/event/ngx_event_openssl_stapling.c
index e3fa8c4e..fb8ba0a7 100644
--- a/src/event/ngx_event_openssl_stapling.c
+++ b/src/event/ngx_event_openssl_stapling.c
@@ -379,7 +379,9 @@ ngx_ssl_stapling_issuer(ngx_conf_t *cf, ngx_ssl_t *ssl,
for (i = 0; i < n; i++) {
issuer = sk_X509_value(staple->chain, i);
if (X509_check_issued(issuer, cert) == X509_V_OK) {
-#if OPENSSL_VERSION_NUMBER >= 0x10100001L
+#ifdef WOLFSSL_NGINX
+ issuer = X509_dup(issuer);
+#elif OPENSSL_VERSION_NUMBER >= 0x10100001L
X509_up_ref(issuer);
#else
CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509);
diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_http_proxy_module.c
index 7c4061c0..c541b136 100644
--- a/src/http/modules/ngx_http_proxy_module.c
+++ b/src/http/modules/ngx_http_proxy_module.c
@@ -4988,7 +4988,9 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, ngx_http_proxy_loc_conf_t *plcf)
"no proxy_ssl_trusted_certificate for proxy_ssl_verify");
return NGX_ERROR;
}
-
+#ifdef WOLFSSL_NGINX
+ ngx_ssl_set_verify_on(cf, plcf->upstream.ssl);
+#endif
if (ngx_ssl_trusted_certificate(cf, plcf->upstream.ssl,
&plcf->ssl_trusted_certificate,
plcf->ssl_verify_depth)
diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c
index c633f346..2a5c420e 100644
--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -14,7 +14,11 @@ typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c,
ngx_pool_t *pool, ngx_str_t *s);
+#ifndef WOLFSSL_NGINX
#define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
+#else
+#define NGX_DEFAULT_CIPHERS "ALL"
+#endif
#define NGX_DEFAULT_ECDH_CURVE "auto"
#define NGX_HTTP_ALPN_PROTOS "\x08http/1.1\x08http/1.0\x08http/0.9"
@@ -845,8 +849,10 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
return NGX_CONF_ERROR;
}
+#ifndef WOLFSSL_NGINX
ngx_conf_merge_value(conf->builtin_session_cache,
prev->builtin_session_cache, NGX_SSL_NONE_SCACHE);
+#endif
if (conf->shm_zone == NULL) {
conf->shm_zone = prev->shm_zone;
diff --git a/src/mail/ngx_mail_ssl_module.c b/src/mail/ngx_mail_ssl_module.c
index 2a1043e6..8012fcce 100644
--- a/src/mail/ngx_mail_ssl_module.c
+++ b/src/mail/ngx_mail_ssl_module.c
@@ -10,7 +10,11 @@
#include <ngx_mail.h>
+#ifndef WOLFSSL_NGINX
#define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
+#else
+#define NGX_DEFAULT_CIPHERS "ALL"
+#endif
#define NGX_DEFAULT_ECDH_CURVE "auto"
diff --git a/src/stream/ngx_stream_proxy_module.c b/src/stream/ngx_stream_proxy_module.c
index 934e7d8f..c4c0e2e2 100644
--- a/src/stream/ngx_stream_proxy_module.c
+++ b/src/stream/ngx_stream_proxy_module.c
@@ -2262,7 +2262,9 @@ ngx_stream_proxy_set_ssl(ngx_conf_t *cf, ngx_stream_proxy_srv_conf_t *pscf)
"no proxy_ssl_trusted_certificate for proxy_ssl_verify");
return NGX_ERROR;
}
-
+#ifdef WOLFSSL_NGINX
+ ngx_ssl_set_verify_on(cf, pscf->ssl);
+#endif
if (ngx_ssl_trusted_certificate(cf, pscf->ssl,
&pscf->ssl_trusted_certificate,
pscf->ssl_verify_depth)
diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c
index 530fe8b3..77f59d04 100644
--- a/src/stream/ngx_stream_ssl_module.c
+++ b/src/stream/ngx_stream_ssl_module.c
@@ -14,7 +14,11 @@ typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c,
ngx_pool_t *pool, ngx_str_t *s);
+#ifndef WOLFSSL_NGINX
#define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
+#else
+#define NGX_DEFAULT_CIPHERS "ALL"
+#endif
#define NGX_DEFAULT_ECDH_CURVE "auto"
--
2.25.1
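Review bot: With WOLFSSL_NGINX defined, ngx_ssl_create now calls `wolfSSL_CTX_allow_anon_cipher(ssl->ctx)` on every context it builds, and the three `NGX_DEFAULT_CIPHERS` definitions (ngx_http_ssl_module.c, ngx_mail_ssl_module.c, ngx_stream_ssl_module.c) change from `"HIGH:!aNULL:!MD5"` to `"ALL"`, so a server block with no `ssl_ciphers` directive gets a weaker default than the OpenSSL build and may negotiate anonymous suites wherever the linked wolfSSL enables them; the README on this page presents these only as accommodations for the test suite. Gate the anon-cipher call and the `"ALL"` default behind a separate test-only macro (a constructed name such as `WOLFSSL_NGINX_TESTS`) rather than `WOLFSSL_NGINX`, or keep the upstream cipher string if the wolfSSL version in use accepts OpenSSL-style keywords, so a production build keeps nginx's default policy. Separately, in ngx_event_openssl_stapling.c the new `issuer = X509_dup(issuer);` replaces a reference-count bump with an allocation that can return NULL, and nothing in the hunk checks it before the code after the hunk appears to store it in `staple->issuer`; add `if (issuer == NULL) { return NGX_ERROR; }` right after the dup. In ngx_ssl_get_session the hunk skips `SSL_SESSION_up_ref()` for wolfSSL while still returning the cached pointer, which is only sound if wolfSSL's SSL_set_session copies the session rather than sharing it — worth a comment at that `#if` stating that assumption. Every function touched here starts and ends outside its hunk.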


@ -0,0 +1,511 @@
From bd1628ff3da8e6700e8fea31fdff61cf35790756 Mon Sep 17 00:00:00 2001
From: Juliusz Sosinowicz <juliusz@wolfssl.com>
Date: Fri, 26 Nov 2021 16:43:18 +0100
Subject: [PATCH] Add more debugging support and fix tests for compatibility
with wolfSSL
Tested against Nginx versions:
- 1.21.4
Changes made:
- Show log location
- Add gdbserver and valgrind support
- Different ports for different certs
- ssl_certificates.t
- ssl_ocsp.t
- ssl_stapling.t
- Fix ssl_verify_depth.t test. To be able to generate intermediate certs without the keyUsage extension, wolfSSL needs to be compiled with `ALLOW_INVALID_CERTSIGN`. Otherwise such intermediate certs will be rejected.
---
README | 8 ++++
lib/Test/Nginx.pm | 38 ++++++++++++++--
ssl_certificates.t | 20 +++++----
ssl_ocsp.t | 106 ++++++++++++++++++++++++++++++++++++++++++---
ssl_stapling.t | 42 +++++++++++++-----
ssl_verify_depth.t | 12 +++--
6 files changed, 194 insertions(+), 32 deletions(-)
diff --git a/README b/README
index f43c586..bd259ca 100644
--- a/README
+++ b/README
@@ -52,4 +52,12 @@ TEST_NGINX_GLOBALS_STREAM
Sets additional directives in stream context.
+TEST_NGINX_GDBSERVER
+
+ Run Nginx under a gdbserver.
+
+TEST_NGINX_VALGRIND
+
+ Run Nginx under valgrind.
+
Happy testing!
diff --git a/lib/Test/Nginx.pm b/lib/Test/Nginx.pm
index d87b144..dfb709a 100644
--- a/lib/Test/Nginx.pm
+++ b/lib/Test/Nginx.pm
@@ -29,6 +29,8 @@ use POSIX qw/ waitpid WNOHANG /;
use Socket qw/ CRLF /;
use Test::More qw//;
+use Proc::Find qw(find_proc proc_exists);
+
###############################################################################
our $NGINX = defined $ENV{TEST_NGINX_BINARY} ? $ENV{TEST_NGINX_BINARY}
@@ -66,6 +68,8 @@ sub DESTROY {
$self->stop();
$self->stop_daemons();
+print('error logs at: '.$self->{_testdir}."\n");
+
if (Test::More->builder->expected_tests) {
local $Test::Nginx::TODO = 'alerts' unless $self->{_alerts};
@@ -346,15 +350,41 @@ sub run(;$) {
my $pid = fork();
die "Unable to fork(): $!\n" unless defined $pid;
+ if ($ENV{TEST_NGINX_GDBSERVER}) {
+ for (1 .. 300) {
+ last unless proc_exists(name=>'gdbserver');
+ select undef, undef, undef, 0.1;
+ }
+ }
+
if ($pid == 0) {
my @globals = $self->{_test_globals} ?
() : ('-g', "pid $testdir/nginx.pid; "
. "error_log $testdir/error.log debug;");
+ if ($ENV{TEST_NGINX_CATLOG}) {
+ print { *STDERR } "\n";
+ print { *STDERR } $NGINX . ' ';
+ print { *STDERR } '-p' . ' ';
+ print { *STDERR } $testdir . ' ';
+ print { *STDERR } '-c' . ' ';
+ print { *STDERR } 'nginx.conf' . ' ';
+ print { *STDERR } @globals;
+ print { *STDERR } "\n";
+ }
my @error = $self->has_version('1.19.5') ?
('-e', 'error.log') : ();
- exec($NGINX, '-p', "$testdir/", '-c', 'nginx.conf',
- @error, @globals)
- or die "Unable to exec(): $!\n";
+ if ($ENV{TEST_NGINX_VALGRIND}) {
+ exec('valgrind', '--leak-check=full', '--log-file=' . "$testdir/valgrind.log", $NGINX, '-p', "$testdir/", '-c', 'nginx.conf', @error, @globals),
+ or die "Unable to exec(): $!\n";
+ }
+ elsif ($ENV{TEST_NGINX_GDBSERVER}) {
+ exec('gdbserver', ':2345', $NGINX, '-p', "$testdir/", '-c', 'nginx.conf', @error, @globals),
+ or die "Unable to exec(): $!\n";
+ }
+ else {
+ exec($NGINX, '-p', "$testdir/", '-c', 'nginx.conf', @error, @globals),
+ or die "Unable to exec(): $!\n";
+ }
}
# wait for nginx to start
@@ -440,7 +470,7 @@ sub waitforfile($;$) {
# wait for file to appear
# or specified process to exit
- for (1 .. 50) {
+ for (1 .. 300) {
return 1 if -e $file;
return 0 if $exited;
$exited = waitpid($pid, WNOHANG) != 0 if $pid;
diff --git a/ssl_certificates.t b/ssl_certificates.t
index a6ec6ad..be94ea3 100644
--- a/ssl_certificates.t
+++ b/ssl_certificates.t
@@ -47,22 +47,22 @@ events {
http {
%%TEST_GLOBALS_HTTP%%
- ssl_certificate_key rsa.key;
- ssl_certificate rsa.crt;
ssl_ciphers DEFAULT:ECCdraft;
server {
listen 127.0.0.1:8080 ssl;
server_name localhost;
- ssl_certificate_key ec.key;
- ssl_certificate ec.crt;
-
ssl_certificate_key rsa.key;
ssl_certificate rsa.crt;
+ }
- ssl_certificate_key rsa.key;
- ssl_certificate rsa.crt;
+ server {
+ listen 127.0.0.1:8081 ssl;
+ server_name localhost;
+
+ ssl_certificate_key ec.key;
+ ssl_certificate ec.crt;
}
}
@@ -122,7 +122,11 @@ sub get_ssl_socket {
local $SIG{ALRM} = sub { die "timeout\n" };
local $SIG{PIPE} = sub { die "sigpipe\n" };
alarm(8);
- $s = IO::Socket::INET->new('127.0.0.1:' . port(8080));
+ if ($type eq 'RSA') {
+ $s = IO::Socket::INET->new('127.0.0.1:' . port(8080));
+ } else {
+ $s = IO::Socket::INET->new('127.0.0.1:' . port(8081));
+ }
alarm(0);
};
alarm(0);
diff --git a/ssl_ocsp.t b/ssl_ocsp.t
index 9769bf2..0dde156 100644
--- a/ssl_ocsp.t
+++ b/ssl_ocsp.t
@@ -64,20 +64,19 @@ http {
ssl_ciphers DEFAULT:ECCdraft;
- ssl_certificate_key ec.key;
- ssl_certificate ec.crt;
-
- ssl_certificate_key rsa.key;
- ssl_certificate rsa.crt;
-
ssl_session_cache shared:SSL:1m;
ssl_session_tickets off;
add_header X-Verify x${ssl_client_verify}:${ssl_session_reused}x always;
+ # RSA servers
+
server {
listen 127.0.0.1:8443 ssl;
server_name localhost;
+
+ ssl_certificate_key rsa.key;
+ ssl_certificate rsa.crt;
}
server {
@@ -85,6 +84,9 @@ http {
server_name sni;
ssl_ocsp_responder http://127.0.0.1:8082;
+
+ ssl_certificate_key rsa.key;
+ ssl_certificate rsa.crt;
}
server {
@@ -92,6 +94,9 @@ http {
server_name resolver;
ssl_ocsp on;
+
+ ssl_certificate_key rsa.key;
+ ssl_certificate rsa.crt;
}
server {
@@ -100,6 +105,9 @@ http {
ssl_ocsp_responder http://127.0.0.1:8081;
ssl_ocsp on;
+
+ ssl_certificate_key rsa.key;
+ ssl_certificate rsa.crt;
}
server {
@@ -107,6 +115,9 @@ http {
server_name localhost;
ssl_ocsp_responder http://127.0.0.1:8082;
+
+ ssl_certificate_key rsa.key;
+ ssl_certificate rsa.crt;
}
server {
@@ -114,6 +125,9 @@ http {
server_name localhost;
ssl_ocsp_cache shared:OCSP:1m;
+
+ ssl_certificate_key rsa.key;
+ ssl_certificate rsa.crt;
}
server {
@@ -122,6 +136,81 @@ http {
ssl_ocsp_responder http://127.0.0.1:8082;
ssl_client_certificate root.crt;
+
+ ssl_certificate_key rsa.key;
+ ssl_certificate rsa.crt;
+ }
+
+ # ECC servers
+
+ server {
+ listen 127.0.0.1:8543 ssl;
+ server_name localhost;
+
+ ssl_certificate_key ec.key;
+ ssl_certificate ec.crt;
+ }
+
+ server {
+ listen 127.0.0.1:8543 ssl;
+ server_name sni;
+
+ ssl_ocsp_responder http://127.0.0.1:8082;
+
+ ssl_certificate_key ec.key;
+ ssl_certificate ec.crt;
+ }
+
+ server {
+ listen 127.0.0.1:8543 ssl;
+ server_name resolver;
+
+ ssl_ocsp on;
+
+ ssl_certificate_key ec.key;
+ ssl_certificate ec.crt;
+ }
+
+ server {
+ listen 127.0.0.1:8544 ssl;
+ server_name localhost;
+
+ ssl_ocsp_responder http://127.0.0.1:8081;
+ ssl_ocsp on;
+
+ ssl_certificate_key ec.key;
+ ssl_certificate ec.crt;
+ }
+
+ server {
+ listen 127.0.0.1:8545 ssl;
+ server_name localhost;
+
+ ssl_ocsp_responder http://127.0.0.1:8082;
+
+ ssl_certificate_key ec.key;
+ ssl_certificate ec.crt;
+ }
+
+ server {
+ listen 127.0.0.1:8546 ssl;
+ server_name localhost;
+
+ ssl_ocsp_cache shared:OCSP:1m;
+
+ ssl_certificate_key ec.key;
+ ssl_certificate ec.crt;
+ }
+
+ server {
+ listen 127.0.0.1:8547 ssl;
+ server_name localhost;
+
+ ssl_ocsp_responder http://127.0.0.1:8082;
+ ssl_client_certificate root.crt;
+
+ ssl_certificate_key ec.key;
+ ssl_certificate ec.crt;
}
}
@@ -431,6 +520,11 @@ sub get_ssl_socket {
my $port = $extra{port} || 8443;
my $s;
+
+ if (defined $type && $type eq 'ECDSA') {
+ $port = $port + 100;
+ }
+
eval {
local $SIG{ALRM} = sub { die "timeout\n" };
local $SIG{PIPE} = sub { die "sigpipe\n" };
diff --git a/ssl_stapling.t b/ssl_stapling.t
index d5f2a61..b31b237 100644
--- a/ssl_stapling.t
+++ b/ssl_stapling.t
@@ -53,18 +53,21 @@ http {
ssl_stapling on;
ssl_trusted_certificate trusted.crt;
- ssl_certificate ec-end-int.crt;
- ssl_certificate_key ec-end.key;
-
- ssl_certificate end-int.crt;
- ssl_certificate_key end.key;
-
ssl_ciphers DEFAULT:ECCdraft;
server {
listen 127.0.0.1:8443 ssl;
listen 127.0.0.1:8080;
server_name localhost;
+ ssl_certificate end-int.crt;
+ ssl_certificate_key end.key;
+ }
+ server {
+ listen 127.0.0.1:8453 ssl;
+ listen 127.0.0.1:8090;
+ server_name localhost;
+ ssl_certificate ec-end-int.crt;
+ ssl_certificate_key ec-end.key;
}
server {
@@ -72,6 +75,17 @@ http {
server_name localhost;
ssl_stapling_responder http://127.0.0.1:8081/;
+ ssl_certificate end-int.crt;
+ ssl_certificate_key end.key;
+ }
+
+ server {
+ listen 127.0.0.1:8454 ssl;
+ server_name localhost;
+
+ ssl_stapling_responder http://127.0.0.1:8081/;
+ ssl_certificate ec-end-int.crt;
+ ssl_certificate_key ec-end.key;
}
server {
@@ -79,6 +93,8 @@ http {
server_name localhost;
ssl_stapling_verify on;
+ ssl_certificate ec-end-int.crt;
+ ssl_certificate_key ec-end.key;
}
server {
@@ -87,6 +103,8 @@ http {
ssl_certificate ec-end.crt;
ssl_certificate_key ec-end.key;
+ ssl_certificate ec-end-int.crt;
+ ssl_certificate_key ec-end.key;
}
server {
@@ -97,6 +115,8 @@ http {
ssl_certificate_key end.key;
ssl_stapling_file %%TESTDIR%%/resp.der;
+ ssl_certificate end-int.crt;
+ ssl_certificate_key end.key;
}
server {
@@ -114,6 +134,8 @@ http {
server_name localhost;
ssl_stapling_responder http://127.0.0.1:8080/;
+ ssl_certificate ec-end-int.crt;
+ ssl_certificate_key ec-end.key;
}
}
@@ -249,9 +271,9 @@ $t->waitforsocket("127.0.0.1:" . port(8081));
my $version = get_version();
staple(8443, 'RSA');
-staple(8443, 'ECDSA');
+staple(8453, 'ECDSA');
staple(8444, 'RSA');
-staple(8444, 'ECDSA');
+staple(8454, 'ECDSA');
staple(8445, 'ECDSA');
staple(8446, 'ECDSA');
staple(8449, 'ECDSA');
@@ -259,10 +281,10 @@ staple(8449, 'ECDSA');
sleep 1;
ok(!staple(8443, 'RSA'), 'staple revoked');
-ok(staple(8443, 'ECDSA'), 'staple success');
+ok(staple(8453, 'ECDSA'), 'staple success');
ok(!staple(8444, 'RSA'), 'responder revoked');
-ok(staple(8444, 'ECDSA'), 'responder success');
+ok(staple(8454, 'ECDSA'), 'responder success');
ok(!staple(8445, 'ECDSA'), 'verify - root not trusted');
diff --git a/ssl_verify_depth.t b/ssl_verify_depth.t
index 5ec5057..cadfed4 100644
--- a/ssl_verify_depth.t
+++ b/ssl_verify_depth.t
@@ -46,7 +46,7 @@ http {
ssl_certificate_key localhost.key;
ssl_verify_client on;
- ssl_client_certificate root-int.crt;
+ ssl_client_certificate root.crt;
add_header X-Client $ssl_client_s_dn always;
add_header X-Verify $ssl_client_verify always;
@@ -100,6 +100,7 @@ commonName = supplied
[ myca_extensions ]
basicConstraints = critical,CA:TRUE
+keyUsage = keyCertSign
EOF
foreach my $name ('root', 'localhost') {
@@ -135,6 +136,9 @@ system("openssl ca -batch -config $d/ca.conf "
$t->write_file('root-int.crt', $t->read_file('root.crt')
. $t->read_file('int.crt'));
+$t->write_file('end-int.crt', $t->read_file('end.crt')
+ . $t->read_file('int.crt'));
+$t->write_file('end-int.key', $t->read_file('end.key'));
$t->write_file('t', '');
$t->run();
@@ -150,7 +154,7 @@ $t->run();
like(get(8080, 'root'), qr/SUCCESS/, 'verify depth 0 - root');
like(get(8080, 'int'), qr/FAI|SUC/, 'verify depth 0 - no int');
-like(get(8080, 'end'), qr/FAILED/, 'verify depth 0 - no end');
+like(get(8080, 'end-int'), qr/FAILED/, 'verify depth 0 - no end');
# with verify depth 1 (the default), one signature is
# expected to be checked, so certificates directly signed
@@ -162,14 +166,14 @@ like(get(8080, 'end'), qr/FAILED/, 'verify depth 0 - no end');
like(get(8081, 'root'), qr/SUCCESS/, 'verify depth 1 - root');
like(get(8081, 'int'), qr/SUCCESS/, 'verify depth 1 - int');
-like(get(8081, 'end'), qr/FAI|SUC/, 'verify depth 1 - no end');
+like(get(8081, 'end-int'), qr/FAI|SUC/, 'verify depth 1 - no end');
# with verify depth 2 it is also possible to validate up to two signatures,
# so chains with one intermediate certificate are allowed
like(get(8082, 'root'), qr/SUCCESS/, 'verify depth 2 - root');
like(get(8082, 'int'), qr/SUCCESS/, 'verify depth 2 - int');
-like(get(8082, 'end'), qr/SUCCESS/, 'verify depth 2 - end');
+like(get(8082, 'end-int'), qr/SUCCESS/, 'verify depth 2 - end');
###############################################################################
--
2.25.1
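Review bot: The new `use Proc::Find qw(find_proc proc_exists);` in lib/Test/Nginx.pm makes a non-core CPAN module a hard dependency of the whole test library, so every test fails to compile on a machine without it even though `proc_exists` is only reached when TEST_NGINX_GDBSERVER is set and `find_proc` is never used. Load it only on that path: drop the `use` line, put `require Proc::Find;` as the first statement inside the `if ($ENV{TEST_NGINX_GDBSERVER})` block, and call `last unless Proc::Find::proc_exists(name=>'gdbserver');`. That wait loop also sits after `fork()` but before `if ($pid == 0)`, so both parent and child spin on it; moving it above the fork keeps the same serialisation with one loop. The README hunk documents TEST_NGINX_GDBSERVER and TEST_NGINX_VALGRIND but not the TEST_NGINX_CATLOG variable that the same change introduces, and the `exec(...), or die` lines carry a stray trailing comma that Perl accepts but that reads as a typo. Raising `waitforfile`'s loop from 50 to 300 iterations applies to all runs, not just the debugger ones, which makes every failing-start test take six times longer to report.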