From e5a2e9086b94a669020d97ccb8b127b376c8e852 Mon Sep 17 00:00:00 2001 From: Sean Parkinson Date: Fri, 20 Jan 2017 11:06:40 +1000 Subject: [PATCH] Update tests --- README.md | 27 ++++-- conf/nginx.conf | 230 +++++++++++++++++++++++++----------------------- html/index.html | 25 ++++++ nginx.diff | 63 +++++++++++++ ssl_ecc.t | 183 ++++++++++++++++++++++++++++++++++++++ test.sh | 167 ++++++++++++++++++----------------- 6 files changed, 498 insertions(+), 197 deletions(-) create mode 100644 html/index.html create mode 100644 ssl_ecc.t diff --git a/README.md b/README.md index ae9e732..c656c4d 100644 --- a/README.md +++ b/README.md 
@@ -16,22 +16,37 @@ They can be obtained with the following commands: - Nginx: git clone https://github.com/nginx/nginx.git - wolfSSL: git clone https://github.com/wolfSSL/wolfssl.git -First build and install wolfSSL. The default installation directory is: /usr/local. +Now build and install wolfSSL. The default installation directory is: + /usr/local. To enable wolfSSL support in Nginx the source code must be patched: 1. Change into Nginx source directory. 2. Apply patch: git apply /nginx.diff -Now rebuild Nginx and install: - 1. Configure Nginx with one of the two commands: - - ./configure --with-wolfssl=/usr/local --with-http_ssl_module +Now rebuild Nginx: + 1. Configure Nginx with this command (extra options may be added as required): - ./auto/configure --with-wolfssl=/usr/local --with-http_ssl_module 2. Build Nginx: make - 3. Install Nginx: sudo make install + +Note: The source package may also be used. In this case the configuration +program is: ./configure ### Testing -There is a test script to ensure that the Nginx is working correctly with wolfSSL. OpenSSL's superapp is required for OCSP Stapling testing. To test: +Nginx has a repository of tests that can be obtained with the following command: + - git clone https://github.com/nginx/nginx-tests.git + +To run the tests see the README. All tests are expected to pass. +There will be skips of SSL tests for the following reasons: + - no multiple certificates (ssl_certificate.t) + - many not work, leaves coredump (ssl_engine_keys.t) + +Note: the file ssl_ecc.t in wolfssl-nginx can be used with the Nginx test +system. + +There are additional tests available in wolfssl-nginx. These are in addition +to the Nginx tests. The OpenSSL's superapp is required for OCSP Stapling +testing. To test: 1. Change into wolfssl-nginx directory. 2. Run the script: ./test.sh 3. When working, the number of FAIL and UNKNOWN will be 0. diff --git a/conf/nginx.conf b/conf/nginx.conf index 9c2c8c4..85b34e3 100644 --- a/conf/nginx.conf 
+++ b/conf/nginx.conf @@ -1,16 +1,7 @@ -#user nobody; worker_processes 1; -#error_log logs/error.log; -#error_log logs/error.log notice; -#error_log logs/error.log info; - -#pid logs/nginx.pid; - - events { - worker_connections 1024; } @@ -18,82 +9,16 @@ http { include mime.types; default_type application/octet-stream; - #log_format main '$remote_addr - $remote_user [$time_local] "$request" ' - # '$status $body_bytes_sent "$http_referer" ' - # '"$http_user_agent" "$http_x_forwarded_for"'; - - #access_log logs/access.log main; - sendfile on; - #tcp_nopush on; - #keepalive_timeout 0; keepalive_timeout 65; - #gzip on; + ssl_session_tickets off; - server { - listen 80; - server_name localhost; - - #charset koi8-r; - - #access_log logs/host.access.log main; - - location / { - root html; - index index.html index.htm; - } - - #error_page 404 /404.html; - - # redirect server error pages to the static page /50x.html - # - error_page 500 502 503 504 /50x.html; - location = /50x.html { - root html; - } - - # proxy the PHP scripts to Apache listening on 127.0.0.1:80 - # - #location ~ \.php$ { - # proxy_pass http://127.0.0.1; - #} - - # pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000 - # - #location ~ \.php$ { - # root html; - # fastcgi_pass 127.0.0.1:9000; - # fastcgi_index index.php; - # fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name; - # include fastcgi_params; - #} - - # deny access to .htaccess files, if Apache's document root - # concurs with nginx's one - # - #location ~ /\.ht { - # deny all; - #} - } - - - # another virtual host using mix of IP-, name-, and port-based configuration - # - #server { - # listen 8000; - # listen somename:8080; - # server_name somename alias another.alias; - - # location / { - # root html; - # index index.html index.htm; - # } - #} # HTTPS server - # + + # Using DH parameters server { listen 11443 ssl; server_name localhost; 
@@ -110,9 +35,10 @@ http { location / { root html; - index index.html index.htm; + index index.html; } } + # Verify client server { listen 11444 ssl; server_name localhost; @@ -131,16 +57,17 @@ http { location / { root html; - index index.html index.htm; + index index.html; } } + # P384 curve with ECDHE server { listen 11445 ssl; server_name localhost; ssl_certificate cert.pem; ssl_certificate_key cert.key; - ssl_ecdh_curve SECP384R1; + ssl_ecdh_curve secp384r1; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; @@ -150,9 +77,10 @@ http { location / { root html; - index index.html index.htm; + index index.html; } } + # Default curve with ECDHE and ECDSA server { listen 11446 ssl; server_name localhost; @@ -168,10 +96,11 @@ http { location / { root html; - index index.html index.htm; + index index.html; } } + # Session ticket server { listen 11450 ssl; server_name localhost; @@ -180,6 +109,7 @@ http { ssl_certificate_key cert.key; ssl_dhparam dhparams.pem; ssl_session_ticket_key ticket_keys; + ssl_session_tickets on; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; @@ -189,10 +119,11 @@ http { location / { root html; - index index.html index.htm; + index index.html; } } + # Session cache off server { listen 11455 ssl; server_name localhost; @@ -202,16 +133,16 @@ http { ssl_dhparam dhparams.pem; ssl_session_cache off; - ssl_session_timeout 5m; ssl_ciphers DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA; ssl_prefer_server_ciphers on; location / { root html; - index index.html index.htm; + index index.html; } } + # Session cache none server { listen 11456 ssl; server_name localhost; @@ -228,9 +159,10 @@ http { location / { root html; - index index.html index.htm; + index index.html; } } + # Session cache builtin server { listen 11457 ssl; server_name localhost; 
@@ -247,32 +179,97 @@ http { location / { root html; - index index.html index.htm; + index index.html; } } + + # Proxy to wolfSSL server + upstream backend { + server 127.0.0.1:12443; + } server { - listen 11458 ssl; - server_name localhost; + listen 127.0.0.1:12443 ssl; + server_name www.wolfssl.com; ssl_certificate cert.pem; ssl_certificate_key cert.key; ssl_dhparam dhparams.pem; - ssl_session_cache builtin:100; - ssl_session_timeout 0s; + ssl_session_cache shared:SSL:1m; + ssl_session_timeout 5m; ssl_ciphers DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA; ssl_prefer_server_ciphers on; location / { - root html; - index index.html index.htm; + root wolfssl; + index index.html; } } - - upstream www.wolfssl.com { - server localhost:11111; + upstream backend_ecdhe_rsa { + server 127.0.0.1:12444; } + server { + listen 127.0.0.1:12444 ssl; + server_name www.wolfssl.com; + + ssl_certificate cert.pem; + ssl_certificate_key cert.key; + + ssl_session_cache shared:SSL:1m; + ssl_session_timeout 5m; + + ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA; + ssl_prefer_server_ciphers on; + + location / { + root wolfssl; + index index.html; + } + } + upstream backend_ecdhe_ecdsa { + server 127.0.0.1:12445; + } + server { + listen 127.0.0.1:12445 ssl; + server_name www.wolfssl.com; + + ssl_certificate cert-ecc.pem; + ssl_certificate_key cert-ecc.key; + + ssl_session_cache shared:SSL:1m; + ssl_session_timeout 5m; + + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA; + ssl_prefer_server_ciphers on; + + location / { + root wolfssl; + index index.html; + } + } + upstream backend_crl_rev { + server 127.0.0.1:12446; + } + server { + listen 127.0.0.1:12446 ssl; + server_name www.wolfssl.com; + + ssl_certificate cert.pem; + ssl_certificate_key cert.key; + + ssl_session_cache shared:SSL:1m; + ssl_session_timeout 5m; + + ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA; + ssl_prefer_server_ciphers on; + + location / { + root wolfssl; + index index.html; 
+ } + } + # Proxy using DHE cipher suites and CRL server { listen 11460 ssl; server_name localhost; @@ -288,7 +285,9 @@ http { ssl_prefer_server_ciphers on; location / { - proxy_pass https://www.wolfssl.com; + proxy_pass https://backend; + proxy_ssl_name www.wolfssl.com; + proxy_ssl_server_name on; proxy_ssl_ciphers DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA; proxy_ssl_trusted_certificate ca-cert.pem; proxy_ssl_certificate client-cert.pem; @@ -297,6 +296,7 @@ http { proxy_ssl_crl crl.pem; } } + # Proxy using ECDHE cipher suites and CRL server { listen 11461 ssl; server_name localhost; @@ -312,7 +312,9 @@ http { ssl_prefer_server_ciphers on; location / { - proxy_pass https://www.wolfssl.com; + proxy_pass https://backend_ecdhe_rsa; + proxy_ssl_name www.wolfssl.com; + proxy_ssl_server_name on; proxy_ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA; proxy_ssl_trusted_certificate ca-cert.pem; proxy_ssl_certificate client-cert.pem; @@ -321,6 +323,7 @@ http { proxy_ssl_crl crl.pem; } } + # Proxy using ECDHE and ECDSA cipher suites server { listen 11462 ssl; server_name localhost; @@ -336,7 +339,9 @@ http { ssl_prefer_server_ciphers on; location / { - proxy_pass https://www.wolfssl.com; + proxy_pass https://backend_ecdhe_ecdsa; + proxy_ssl_name www.wolfssl.com; + proxy_ssl_server_name on; proxy_ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA; proxy_ssl_trusted_certificate ca-cert-ecc.pem; proxy_ssl_certificate client-cert.pem; @@ -345,6 +350,7 @@ http { proxy_ssl_session_reuse on; } } + # Proxy using revoked CRL server { listen 11465 ssl; server_name localhost; @@ -360,7 +366,9 @@ http { ssl_prefer_server_ciphers on; location / { - proxy_pass https://www.wolfssl.com; + proxy_pass https://backend_crl_rev; + proxy_ssl_name www.wolfssl.com; + proxy_ssl_server_name on; proxy_ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA; proxy_ssl_trusted_certificate ca-cert.pem; proxy_ssl_certificate client-cert.pem; 
@@ -372,6 +380,7 @@ http { } # OCSP Stapling + # Valid server certificate - using OCSP responder server { listen 11470 ssl; server_name localhost; @@ -382,7 +391,6 @@ http { ssl_stapling_responder http://localhost:22221; ssl_stapling_verify on; ssl_trusted_certificate ocsp-root-resp-cert.pem; - ssl_dhparam dhparams.pem; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; @@ -392,9 +400,10 @@ http { location / { root html; - index index.html index.htm; + index index.html; } } + # Revoked server certificate - using OCSP responder server { listen 11471 ssl; server_name localhost; @@ -404,7 +413,6 @@ http { ssl_stapling on; ssl_stapling_responder http://localhost:22221; ssl_trusted_certificate ocsp-root-resp-cert.pem; - ssl_dhparam dhparams.pem; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; @@ -414,9 +422,10 @@ http { location / { root html; - index index.html index.htm; + index index.html; } } + # Valid server certificate in fixed OCSP response server { listen 11472 ssl; server_name localhost; @@ -426,7 +435,6 @@ http { ssl_stapling on; ssl_stapling_file ocsp-good-status.der; ssl_trusted_certificate ocsp-root-resp-cert.pem; - ssl_dhparam dhparams.pem; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; @@ -436,9 +444,10 @@ http { location / { root html; - index index.html index.htm; + index index.html; } } + # Revoked server certificate in fixed OCSP response server { listen 11473 ssl; server_name localhost; @@ -448,7 +457,6 @@ http { ssl_stapling on; ssl_stapling_file ocsp-bad-status.der; ssl_trusted_certificate ocsp-root-resp-cert.pem; - ssl_dhparam dhparams.pem; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; @@ -458,9 +466,10 @@ http { location / { root html; - index index.html index.htm; + index index.html; } } + # No CA to check responder certificate - using OCSP responder server { listen 11474 ssl; server_name localhost; 
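Review bot: Server 11471 (`# Revoked server certificate - using OCSP responder`) configures `ssl_stapling_responder` but, unlike 11470, no `ssl_stapling_verify on`, and the new comment does not say whether leaving responder verification off is part of the test; test.sh expects the wolfSSL client to fail with `err = -360` on this port, so the revoked status must reach the client either way. Extend the comment to state the intent, e.g. `# Revoked server certificate - using OCSP responder (nginx does not verify the response; client must reject the revoked status)`. The `ssl_dhparam dhparams.pem;` line is also removed from every stapling server without explanation — if that is because the OCSP test certificates are only exercised with non-DHE suites, a short comment would save the next reader from re-adding it.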
@@ -470,7 +479,6 @@ http { ssl_stapling on; ssl_stapling_responder http://localhost:22221; ssl_stapling_verify on; - ssl_dhparam dhparams.pem; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; @@ -480,7 +488,7 @@ http { location / { root html; - index index.html index.htm; + index index.html; } } } diff --git a/html/index.html b/html/index.html new file mode 100644 index 0000000..2ca3b95 --- /dev/null +++ b/html/index.html @@ -0,0 +1,25 @@ + + + +Welcome to nginx! + + + +
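Review bot: Server 11474 enables `ssl_stapling_verify on` with no `ssl_trusted_certificate`, and the comment `# No CA to check responder certificate` does not say what outcome the test expects; test.sh expects `HTTP/1.1 200 OK` on this port, so the handshake is meant to succeed and, presumably, nginx skips stapling after the response fails verification rather than refusing the connection. State that in the comment, e.g. `# No CA to check responder certificate - nginx cannot verify the OCSP response, so the client should still connect (no staple expected)`, and confirm from the client's debug output that an unverified response is not being stapled instead.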

Welcome to nginx!

+

If you see this page, the nginx web server is successfully installed and +working. Further configuration is required.

+ +

For online documentation and support please refer to +nginx.org.
+Commercial support is available at +nginx.com.

+ +

Thank you for using nginx.

+ + diff --git a/nginx.diff b/nginx.diff index 6bda678..42d824d 100644 --- a/nginx.diff +++ b/nginx.diff @@ -56,6 +56,21 @@ index 43724b1..b26fd9d 100644 --with-openssl=*) OPENSSL="$value" ;; --with-openssl-opt=*) OPENSSL_OPT="$value" ;; +diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c +index c98e3c2..1b67cbc 100644 +--- a/src/event/ngx_event_openssl.c ++++ b/src/event/ngx_event_openssl.c +@@ -330,6 +330,10 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data) + + SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback); + ++#ifdef WOLFSSL_NGINX ++ SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_NONE, NULL); ++#endif ++ + return NGX_OK; + } + diff --git a/src/event/ngx_event_openssl_stapling.c b/src/event/ngx_event_openssl_stapling.c index d332c11..bfea170 100644 --- a/src/event/ngx_event_openssl_stapling.c 
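Review bot: The `SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_NONE, NULL);` added to ngx_ssl_create() under `WOLFSSL_NGINX` turns off peer verification for every context nginx creates, including the client-side contexts used for proxying, and nothing in the hunk says why. Presumably wolfSSL verifies the peer by default on client contexts where OpenSSL does not, and nginx relies on the later `ssl_verify_client` / `proxy_ssl_verify` handling to call SSL_CTX_set_verify again with SSL_VERIFY_PEER only when a verify directive is present — but that dependency is invisible here, so any code path that builds a context without going through those directives would silently verify nothing. Add a comment above the call, e.g. `/* wolfSSL defaults to verifying the peer; match OpenSSL's default of none here — the verify directives re-enable it later. TODO confirm wolfSSL default */`, and confirm the wolfSSL default this works around. The remainder of ngx_ssl_create() lies outside the hunk.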
@@ -71,3 +86,51 @@ index d332c11..bfea170 100644 X509_up_ref(issuer); #else CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509); +diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c +index 2771ac1..8197ad3 100644 +--- a/src/http/modules/ngx_http_ssl_module.c ++++ b/src/http/modules/ngx_http_ssl_module.c +@@ -14,7 +14,11 @@ typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c, + ngx_pool_t *pool, ngx_str_t *s); + + ++#ifndef WOLFSSL_NGINX + #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" ++#else ++#define NGX_DEFAULT_CIPHERS "ALL" ++#endif + #define NGX_DEFAULT_ECDH_CURVE "auto" + + #define NGX_HTTP_NPN_ADVERTISE "\x08http/1.1" +diff --git a/src/mail/ngx_mail_ssl_module.c b/src/mail/ngx_mail_ssl_module.c +index fbc9bc7..1fc3504 100644 +--- a/src/mail/ngx_mail_ssl_module.c ++++ b/src/mail/ngx_mail_ssl_module.c +@@ -10,7 +10,11 @@ + #include + + ++#ifndef WOLFSSL_NGINX + #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" ++#else ++#define NGX_DEFAULT_CIPHERS "ALL" ++#endif + #define NGX_DEFAULT_ECDH_CURVE "auto" + + +diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c +index 9191641..01c5a3a 100644 +--- a/src/stream/ngx_stream_ssl_module.c ++++ b/src/stream/ngx_stream_ssl_module.c +@@ -14,7 +14,11 @@ typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c, + ngx_pool_t *pool, ngx_str_t *s); + + ++#ifndef WOLFSSL_NGINX + #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" ++#else ++#define NGX_DEFAULT_CIPHERS "ALL" ++#endif + #define NGX_DEFAULT_ECDH_CURVE "auto" + + diff --git a/ssl_ecc.t b/ssl_ecc.t new file mode 100644 index 0000000..405d39f --- /dev/null +++ b/ssl_ecc.t 
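Review bot: Replacing the default cipher list `HIGH:!aNULL:!MD5` with `ALL` for `WOLFSSL_NGINX` in the http, mail and stream SSL modules drops the explicit exclusion of anonymous and MD5 suites, so the strength of the default now depends entirely on which suites the wolfSSL library was compiled with (for example whether anonymous or NULL-cipher suites were enabled at build time). If wolfSSL's cipher-list parser lacks `HIGH` but accepts `!` exclusions, `ALL:!aNULL:!MD5` preserves the original intent; if it accepts neither, the define should say so, e.g. `/* wolfSSL has no HIGH keyword: ALL is every suite compiled into the library, so deployments must set ssl_ciphers explicitly */`. Either way the README should tell deployers not to rely on this default.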
@@ -0,0 +1,183 @@ +#!/usr/bin/perl + +# (C) Sean Parkinson +# (C) wolfSSL, Inc. + +# Tests for http ssl module. + +############################################################################### + +use warnings; +use strict; + +use Test::More; + +BEGIN { use FindBin; chdir($FindBin::Bin); } + +use lib 'lib'; +use Test::Nginx; + +############################################################################### + +select STDERR; $| = 1; +select STDOUT; $| = 1; + +eval { require IO::Socket::SSL; }; +plan(skip_all => 'IO::Socket::SSL not installed') if $@; +eval { IO::Socket::SSL::SSL_VERIFY_NONE(); }; +plan(skip_all => 'IO::Socket::SSL too old') if $@; + +my $t = Test::Nginx->new()->has(qw/http http_ssl rewrite/) + ->has_daemon('openssl'); + +$t->write_file_expand('nginx.conf', <<'EOF'); + +%%TEST_GLOBALS%% + +daemon off; + +events { +} + +http { + %%TEST_GLOBALS_HTTP%% + + ssl_certificate_key localhost.key; + ssl_certificate localhost.crt; + ssl_session_tickets off; + + server { + listen 127.0.0.1:8080 ssl; + server_name localhost; + + ssl_certificate_key localhost.key; + ssl_certificate localhost.crt; + ssl_session_cache shared:SSL:1m; + + ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA; + + location /cipher { + return 200 "body $ssl_cipher"; + } + } +} + +EOF + +$t->write_file('openssl.conf', <testdir(); + +$t->write_file('ca.conf', <write_file('certserial', '1000'); +$t->write_file('certindex', ''); + +system("openssl ecparam -genkey -name prime256v1 -out '$d/issuer.key'") == 0 + or die "Can't create ECC public key for issuer: $!\n"; +system('openssl req -x509 -new ' + . "-config '$d/openssl.conf' -subj '/CN=issuer/' " + . "-out '$d/issuer.crt' -key '$d/issuer.key' " + . ">>$d/openssl.out 2>&1") == 0 + or die "Can't create certificate for issuer: $!\n"; + +system("openssl ecparam -genkey -name prime256v1 -out '$d/subject.key'") == 0 + or die "Can't create ECC public key for subject: $!\n"; +system("openssl req -new " + . 
"-config '$d/openssl.conf' -subj '/CN=subject/' " + . "-out '$d/subject.csr' -key '$d/subject.key' " + . ">>$d/openssl.out 2>&1") == 0 + or die "Can't create certificate for subject: $!\n"; + +system("openssl ca -batch -config '$d/ca.conf' " + . "-keyfile '$d/issuer.key' -cert '$d/issuer.crt' " + . "-subj '/CN=subject/' -in '$d/subject.csr' -out '$d/subject.crt' " + . ">>$d/openssl.out 2>&1") == 0 + or die "Can't sign certificate for subject: $!\n"; + +foreach my $name ('localhost') { + system("openssl ecparam -genkey -name prime256v1 " + . "-out '$d/$name.key'") == 0 + or die "Can't create ECC public key for $name: $!\n"; + system('openssl req -x509 -new ' + . "-config '$d/openssl.conf' -subj '/CN=$name/' " + . "-out '$d/$name.crt' -key '$d/$name.key' " + . ">>$d/openssl.out 2>&1") == 0 + or die "Can't create certificate for $name: $!\n"; +} + +my $ctx = new IO::Socket::SSL::SSL_Context( + SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(), + SSL_session_cache_size => 100); + +$t->try_run('no ssl_ecc')->plan(1); + +############################################################################### + +like(get('/cipher', 8080), qr/^body [\w-]+$/m, 'cipher'); + +############################################################################### + +sub get { + my ($uri, $port) = @_; + my $s = get_ssl_socket($ctx, port($port)) or return; + http_get($uri, socket => $s); +} + +sub cert { + my ($uri, $port) = @_; + my $s = get_ssl_socket(undef, port($port), + SSL_cert_file => "$d/subject.crt", + SSL_key_file => "$d/subject.key") or return; + http_get($uri, socket => $s); +} + +sub get_ssl_socket { + my ($ctx, $port, %extra) = @_; + my $s; + + eval { + local $SIG{ALRM} = sub { die "timeout\n" }; + local $SIG{PIPE} = sub { die "sigpipe\n" }; + alarm(2); + $s = IO::Socket::SSL->new( + Proto => 'tcp', + PeerAddr => '127.0.0.1', + PeerPort => $port, + SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(), + SSL_reuse_ctx => $ctx, + SSL_error_trap => sub { die $_[1] }, + %extra + 
); + alarm(0); + }; + alarm(0); + + if ($@) { + log_in("died: $@"); + return undef; + } + + return $s; +} + +############################################################################### diff --git a/test.sh b/test.sh index 6a47d6b..30d89d3 100755 --- a/test.sh +++ b/test.sh @@ -1,34 +1,41 @@ #!/bin/bash -INSTALL_NGINX="/usr/local/nginx" -INSTALL_NGINX_CONF="$INSTALL_NGINX/conf" -INSTALL_NGINX_CONF_BACKUP="$INSTALL_NGINX/conf_backup" -INSTALL_NGINX_BIN="$INSTALL_NGINX/sbin" +NGINX_SRC="../nginx" +if [ "$NGINX_BIN" = "" ]; then + NGINX_BIN="${NGINX_SRC}/objs/nginx" +fi WOLFSSL_SOURCE="../wolfssl" WOLFSSL_CLIENT="./examples/client/client" -WOLFSSL_SERVER="./examples/server/server" +WOLFSSL_OCSP_CERTS="${WOLFSSL_SOURCE}/certs/ocsp" NGINX_CONF="./conf" CLIENT_TMP="/tmp/nginx_client.$$" SERVER_TMP="/tmp/nginx_server.$$" +OCSP_GOOD="ocsp-good-status.der" +OCSP_BAD="ocsp-bad-status.der" WN_PATH=`pwd` +WN_OCSP_GOOD="$WN_PATH/conf/$OCSP_GOOD" +WN_OCSP_BAD="$WN_PATH/conf/$OCSP_BAD" +WN_LOGS="$WN_PATH/logs" +WN_ERROR_LOG="$WN_LOGS/error.log" -echo "Ngninx Install directory: $INSTALL_NGINX" -if [ ! -d $INSTALL_NGINX_CONF ]; then - echo "Could not find Nginx conf directory: ${INSTALL_NGINX_CONF}" - echo "Stopping - FAIL" - exit 1 -fi -if [ ! -e $INSTALL_NGINX_BIN/nginx ]; then - echo "Could not find Nginx exe: ${INSTALL_NGINX_BIN}/nginx" + +if [ ! -f $NGINX_BIN ]; then + echo "Could not find Nginx exe: ${NGINX_BIN}" echo "Stopping - FAIL" exit 1 fi +echo "Ngninx binary: $NGINX_BIN" echo "wolfSSL Source directory: $WOLFSSL_SOURCE" if [ ! -d $WOLFSSL_SOURCE ]; then echo "Could not find wolfSSL source directory: ${WOLFSSL_SOURCE}" echo "Stopping - FAIL" exit 1 fi +if [ ! -d $WOLFSSL_OCSP_CERTS ]; then + echo "Could not find OCSP certs path: ${WOLFSSL_OCSP_CERTS}" + echo "Stopping - FAIL" + exit 1 +fi echo "Changing into wolfSSL source directory" cd $WOLFSSL_SOURCE if [ ! -e $WOLFSSL_CLIENT ]; then 
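Review bot: The only planned assertion, `like(get('/cipher', 8080), qr/^body [\w-]+$/m, 'cipher')`, accepts any cipher name, so it does not check that an ECDHE-ECDSA suite was negotiated against the ECC certificate the test generates; because the server only offers `ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA`, a failed handshake is the only thing it would catch. Pinning the suite, e.g. `qr/^body (ECDHE-ECDSA-AES128-(GCM-SHA256|SHA)|TLS_ECDHE_ECDSA_WITH_AES_128_(GCM_SHA256|CBC_SHA))$/m`, would assert the intent whichever naming form `$ssl_cipher` reports under wolfSSL — confirm which form it returns. The `cert()` helper and the issuer/subject key and certificate generation are not used by the single test and should either be removed or exercised by a second test. The heredoc bodies for `openssl.conf` and `ca.conf` appear to have been lost in this rendering, so their contents could not be reviewed.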
@@ -36,11 +43,6 @@ if [ ! -e $WOLFSSL_CLIENT ]; then echo "Stopping - FAIL" exit 1 fi -if [ ! -e $WOLFSSL_SERVER ]; then - echo "Could not find wolfSSL server: ${WOLFSSL_SERVER}" - echo "Stopping - FAIL" - exit 1 -fi OPENSSL=`which openssl` if [ "$?" = "1" ]; then echo "Could not find openssl superapp" @@ -50,8 +52,13 @@ fi echo "OpenSSL superapp found: $OPENSSL" echo +if [ ! -d $WN_LOGS ]; then + echo "Making directory: ${WN_LOGS}" + mkdir ${WN_LOGS} +fi + # Number of minutes OCSP responses will be valid for -VALID_MIN=1 +VALID_MIN=60 declare -a EXPECT declare -a EXPECT_SERVER @@ -64,10 +71,18 @@ PASS=0 FAIL=0 UNKNOWN=0 +run_nginx() { + ${NGINX_BIN} -p ${WN_PATH} \ + -g "error_log ${WN_ERROR_LOG} debug;" \ + ${NGINX_OPTS} + RES=$? +} + do_cleanup() { echo "# In cleanup" - sudo ${INSTALL_NGINX_BIN}/nginx -s stop + NGINX_OPTS="-s stop" + run_nginx rm -f $CLIENT_TMP rm -f $SERVER_TMP @@ -83,12 +98,8 @@ do_cleanup() { kill -9 $OCSP_PID fi - if [ -e ${INSTALL_NGINX_CONF_BACKUP} ]; then - sudo rm -rf ${INSTALL_NGINX_CONF} - sudo mv ${INSTALL_NGINX_CONF_BACKUP} ${INSTALL_NGINX_CONF} - fi - cd $WN_PATH + rm -rf client_body_temp fastcgi_temp proxy_temp scgi_temp uwsgi_temp } do_trap() { 
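Review bot: `WOLFSSL_OCSP_CERTS` is derived from the relative `WOLFSSL_SOURCE` (`../wolfssl/certs/ocsp`) and checked with `[ ! -d $WOLFSSL_OCSP_CERTS ]` before the script does `cd $WOLFSSL_SOURCE`, but it is used after the cd (by `openssl ocsp` and `stapling_test`), so it only resolves because the directory happens to be named `wolfssl` and sit beside wolfssl-nginx; any other relative `WOLFSSL_SOURCE` passes the check and then fails later. The default `NGINX_BIN="${NGINX_SRC}/objs/nginx"` is relative in the same way and is executed by `run_nginx` after the cd. Resolving both up front, `WOLFSSL_OCSP_CERTS="$(cd "${WOLFSSL_SOURCE}" && pwd)/certs/ocsp"` and likewise for `NGINX_BIN`, removes the dependency on the directory name, and quoting them in the `[ ! -f $NGINX_BIN ]` / `[ ! -d ... ]` tests keeps paths with spaces from breaking the checks.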
@@ -137,56 +148,43 @@ client_test() { OPTS="$OPTS -r -g" client } -proxy_test() { - ${WOLFSSL_SERVER} -g -C 2 >$SERVER_TMP 2>&1 & - SERVER_PID=$! - - client_test - - kill $SERVER_PID - SERVER_PID=0 - - echo "# Server Output" - LOG=$SERVER_TMP - EXP=("${EXPECT_SERVER[@]}") - check_log -} -proxy_test_ecdsa() { - ${WOLFSSL_SERVER} -c certs/server-ecc.pem -k certs/ecc-key.pem -g -C 2 >$SERVER_TMP 2>&1 & - SERVER_PID=$! - - client_test - - kill $SERVER_PID - SERVER_PID=0 - - echo "# Server Output" - LOG=$SERVER_TMP - EXP=("${EXPECT_SERVER[@]}") - check_log -} stapling_test() { - OPTS="$OPTS -g -C -A certs/ocsp/root-ca-cert.pem -W 1" + OPTS="$OPTS -g -C -A ${WOLFSSL_OCSP_CERTS}/root-ca-cert.pem -W 1" client } -sudo mv ${INSTALL_NGINX_CONF} ${INSTALL_NGINX_CONF_BACKUP} -sudo cp -r ${WN_PATH}/${NGINX_CONF} ${INSTALL_NGINX_CONF} - # Start the OSCP responder and generate the response files -${OPENSSL} ocsp -port 22221 -nmin ${VALID_MIN} -index certs/ocsp/index1.txt -rsigner certs/ocsp/ocsp-responder-cert.pem -rkey certs/ocsp/ocsp-responder-key.pem -CA certs/ocsp/intermediate1-ca-cert.pem >/dev/null 2>&1 & +${OPENSSL} ocsp -port 22221 -nmin ${VALID_MIN} -index ${WOLFSSL_OCSP_CERTS}/index1.txt -rsigner ${WOLFSSL_OCSP_CERTS}/ocsp-responder-cert.pem -rkey ${WOLFSSL_OCSP_CERTS}/ocsp-responder-key.pem -CA ${WOLFSSL_OCSP_CERTS}/intermediate1-ca-cert.pem >/dev/null 2>&1 & OCSP_PID=$! # Generate OCSP response file that indicates certificate is good. -(${OPENSSL} ocsp -issuer certs/ocsp/intermediate1-ca-cert.pem -cert certs/ocsp/server1-cert.pem -url http://localhost:22221 -resp_text -respout ocsp-good-status.der -no_nonce; sudo mv ocsp-good-status.der ${INSTALL_NGINX_CONF}/ocsp-good-status.der) >/dev/null 2>&1 +${OPENSSL} ocsp -issuer ${WOLFSSL_OCSP_CERTS}/intermediate1-ca-cert.pem -cert ${WOLFSSL_OCSP_CERTS}/server1-cert.pem -url http://localhost:22221 -resp_text -respout ${WN_OCSP_GOOD} -no_nonce >/dev/null 2>&1 # Generate OCSP response file that indicates certificate is revoked. 
-(${OPENSSL} ocsp -issuer certs/ocsp/intermediate1-ca-cert.pem -cert certs/ocsp/server2-cert.pem -url http://localhost:22221 -resp_text -respout ocsp-bad-status.der -no_nonce; sudo mv ocsp-bad-status.der ${INSTALL_NGINX_CONF}/ocsp-bad-status.der) >/dev/null 2>&1 +${OPENSSL} ocsp -issuer ${WOLFSSL_OCSP_CERTS}/intermediate1-ca-cert.pem -cert ${WOLFSSL_OCSP_CERTS}/server2-cert.pem -url http://localhost:22221 -resp_text -respout ${WN_OCSP_BAD} -no_nonce >/dev/null 2>&1 +if [ ! -f $WN_OCSP_GOOD ]; then + echo "Could not find OCSP output file: ${WN_OCSP_GOOD}" + echo "Stopping - FAIL" + exit 1 +fi +if [ ! -f $WN_OCSP_BAD ]; then + echo "Could not find OCSP output file: ${WN_OCSP_BAD}" + echo "Stopping - FAIL" + exit 1 +fi + +echo "Stopping Nginx ..." +NGINX_OPTS="-s stop" +run_nginx echo "Starting Nginx ..." -sudo ${INSTALL_NGINX_BIN}/nginx -s stop # Start Nginx -sudo ${INSTALL_NGINX_BIN}/nginx +NGINX_OPTS= +run_nginx +if [ "$RES" != "0" ]; then + echo "Failed to start Nginx" + exit 1 +fi # Default certificate, DH KEA echo @@ -194,6 +192,7 @@ echo '#' echo '# DH Key Exchange' echo '#' PORT=11443 +echo "# Port: $PORT" OPTS= EXPECT=("SSL DH size is 2048 bits" "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" "HTTP/1.1 200 OK" "resume response") client_test @@ -203,6 +202,7 @@ echo '#' echo '# DH Key Exchange verify client' echo '#' PORT=11444 +echo "# Port: $PORT" OPTS="-x" EXPECT=("400 No required SSL certificate was sent") client_test @@ -212,6 +212,7 @@ echo '#' echo '# ECDH Key Exchange: SECP384R1' echo '#' PORT=11445 +echo "# Port: $PORT" OPTS= EXPECT=("SECP384R1" "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" "HTTP/1.1 200 OK") client_test @@ -221,6 +222,7 @@ echo '#' echo '# ECC Certificate, ECDH Key Exchange: default curve (prime256v1)' echo '#' PORT=11446 +echo "# Port: $PORT" OPTS= EXPECT=("SECP256R1" "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" "HTTP/1.1 200 OK") client_test 
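Review bot: The OCSP responder is backgrounded and the two `openssl ocsp ... -respout` queries run immediately with output sent to /dev/null, so if the responder has not yet bound port 22221 the new `[ ! -f $WN_OCSP_GOOD ]` check fails with "Could not find OCSP output file" and no indication of the cause. A short readiness wait before the queries (retry the `-url http://localhost:22221` request a few times with `sleep 0.2`) and redirecting the openssl output to a file under `$WN_LOGS` instead of /dev/null would make the setup deterministic and debuggable. These `exit 1` paths also run after `OCSP_PID` is set, so the responder keeps running unless the EXIT trap (installed outside this hunk) routes through do_cleanup — worth confirming.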
@@ -230,6 +232,7 @@ echo '#' echo '# Session ticket file' echo '#' PORT=11450 +echo "# Port: $PORT" OPTS= EXPECT=("Session Ticket CB" "HTTP/1.1 200 OK") client_test @@ -239,33 +242,28 @@ echo '#' echo '# Session cache off' echo '#' PORT=11455 +echo "# Port: $PORT" OPTS= EXPECT=("didn't reuse session id!!!" "HTTP/1.1 200 OK") client_test echo echo '#' -echo '# Session cache none - still does it' +echo '# Session cache none' echo '#' PORT=11456 +echo "# Port: $PORT" OPTS= -EXPECT=("reused session id" "HTTP/1.1 200 OK") +EXPECT=("didn't reuse session id!!!" "HTTP/1.1 200 OK") client_test echo echo '#' echo '# Session cache builtin' echo '#' PORT=11457 +echo "# Port: $PORT" OPTS= EXPECT=("reused session id" "HTTP/1.1 200 OK") client_test -echo -echo '#' -echo '# Session cache timeout 1 second' -echo '#' -PORT=11458 -OPTS= -EXPECT=("didn't reuse session id!!!" "HTTP/1.1 200 OK") -client_test # Proxy to localhost:11111 - DHE-RSA echo 
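Review bot: The expectation for port 11456 flips from `reused session id` to `didn't reuse session id!!!` (and the heading loses "still does it") without saying why; presumably this follows from `ssl_session_tickets off;` now being set at http level in conf/nginx.conf, so a `ssl_session_cache none` server that advertises reuse but stores nothing can no longer resume via tickets either. A comment on the test, `# cache none advertises reuse but stores nothing; tickets are off globally so no resumption`, would stop the next reader from treating the flip as a regression. The 11458 one-second-timeout test is removed with no replacement — if the timeout path cannot be exercised with wolfSSL, list it with the other known skips in the README.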
@@ -273,40 +271,44 @@ echo '#' echo '# Proxy - DHE-RSA' echo '#' PORT=11460 +echo "# Port: $PORT" OPTS= +SERVER_OPTS= EXPECT=("HTTP/1.1 200 OK" "Welcome to wolf") -EXPECT_SERVER=("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256") -proxy_test +client_test # Proxy to localhost:11111 - ECDHE-RSA echo echo '#' echo '# Proxy - ECDHE-RSA' echo '#' PORT=11461 +echo "# Port: $PORT" OPTS= +SERVER_OPTS= EXPECT=("HTTP/1.1 200 OK" "Welcome to wolf") -EXPECT_SERVER=("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" "SSL reused session") -proxy_test +client_test # Proxy to localhost:11111 - ECDHE-ECDSA echo echo '#' echo '# Proxy - ECDHE-ECDSA' echo '#' PORT=11462 +echo "# Port: $PORT" OPTS= +SERVER_OPTS="-c certs/server-ecc.pem -k certs/ecc-key.pem" EXPECT=("HTTP/1.1 200 OK" "Welcome to wolf") -EXPECT_SERVER=("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" "SSL reused session") -proxy_test_ecdsa +client_test # Proxy to localhost:11111 - Revoked certificate in CRL echo echo '#' echo '# Proxy - Revoked certificate in CRL' echo '#' PORT=11465 +echo "# Port: $PORT" OPTS= +SERVER_OPTS= EXPECT=("HTTP/1.1 502") -EXPECT_SERVER=("error = -308") -proxy_test +client_test # OCSP Stapling # Good certificate @@ -315,6 +317,7 @@ echo '#' echo '# OCSP Stapling - Good Certificate (Using OCSP Responder)' echo '#' PORT=11470 +echo "# Port: $PORT" OPTS= EXPECT=("HTTP/1.1 200 OK") stapling_test @@ -325,6 +328,7 @@ echo '#' echo '# OCSP Stapling - Revoked Certificate (Using OCSP Responder)' echo '#' PORT=11471 +echo "# Port: $PORT" OPTS= EXPECT=("err = -360") stapling_test @@ -335,6 +339,7 @@ echo '#' echo '# OCSP Stapling - Good Certificate (Using pre-generated file)' echo '#' PORT=11472 +echo "# Port: $PORT" OPTS= EXPECT=("HTTP/1.1 200 OK") stapling_test @@ -344,6 +349,7 @@ echo '#' echo '# OCSP Stapling - Revoked Certificate (Using pre-generated file)' echo '#' PORT=11473 +echo "# Port: $PORT" OPTS= EXPECT=("err = -360") stapling_test 
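Review bot: `SERVER_OPTS` is assigned before each proxy test (e.g. `SERVER_OPTS="-c certs/server-ecc.pem -k certs/ecc-key.pem"` for 11462) but nothing reads it now that proxy_test/proxy_test_ecdsa and the wolfSSL example server are gone, and the `# Proxy to localhost:11111` headings still name the old backend while conf/nginx.conf proxies to nginx itself on 127.0.0.1:12443-12446. Drop the four `SERVER_OPTS=` lines and update the headings, e.g. `# Proxy to 127.0.0.1:12443 (nginx backend) - DHE-RSA`. Removing the `EXPECT_SERVER` checks also removes the only evidence that the backend negotiated the intended suite, so these four tests now prove just that the proxy returned 200 or 502; if the backend's `$ssl_cipher` can be surfaced (for example via a response header) the suite assertion could be restored.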
@@ -353,6 +359,7 @@ echo '#' echo '# OCSP Stapling - Using OCSP Responder but no cert to verify' echo '#' PORT=11474 +echo "# Port: $PORT" OPTS= EXPECT=("HTTP/1.1 200 OK") stapling_test