WolfSSL
/
wolfssl-nginx
mirror of https://github.com/wolfSSL/wolfssl-nginx.git
1
0
Fork 0
Code Issues Releases Wiki Activity

Update tests

pull/1/head
Sean Parkinson 2017-01-20 11:06:40 +10:00
parent bdf56e2edd
commit e5a2e9086b
6 changed files with 498 additions and 197 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
README.md
View File

@ -16,22 +16,37 @@ They can be obtained with the following commands:
- Nginx: git clone https://github.com/nginx/nginx.git - Nginx: git clone https://github.com/nginx/nginx.git
- wolfSSL: git clone https://github.com/wolfSSL/wolfssl.git - wolfSSL: git clone https://github.com/wolfSSL/wolfssl.git
First build and install wolfSSL. The default installation directory is: /usr/local. Now build and install wolfSSL. The default installation directory is:
/usr/local.
To enable wolfSSL support in Nginx the source code must be patched: To enable wolfSSL support in Nginx the source code must be patched:
1. Change into Nginx source directory. 1. Change into Nginx source directory.
2. Apply patch: git apply <wolfssl-nginx>/nginx.diff 2. Apply patch: git apply <wolfssl-nginx>/nginx.diff
Now rebuild Nginx and install: Now rebuild Nginx:
1. Configure Nginx with one of the two commands: 1. Configure Nginx with this command (extra options may be added as required):
- ./configure --with-wolfssl=/usr/local --with-http_ssl_module
- ./auto/configure --with-wolfssl=/usr/local --with-http_ssl_module - ./auto/configure --with-wolfssl=/usr/local --with-http_ssl_module
2. Build Nginx: make 2. Build Nginx: make
3. Install Nginx: sudo make install
Note: The source package may also be used. In this case the configuration
program is: ./configure
### Testing ### Testing
There is a test script to ensure that the Nginx is working correctly with wolfSSL. OpenSSL's superapp is required for OCSP Stapling testing. To test: Nginx has a repository of tests that can be obtained with the following command:
- git clone https://github.com/nginx/nginx-tests.git
To run the tests see the README. All tests are expected to pass.
There will be skips of SSL tests for the following reasons:
- no multiple certificates (ssl_certificate.t)
- many not work, leaves coredump (ssl_engine_keys.t)
Note: the file ssl_ecc.t in wolfssl-nginx can be used with the Nginx test
system.
There are additional tests available in wolfssl-nginx. These are in addition
to the Nginx tests. The OpenSSL's superapp is required for OCSP Stapling
testing. To test:
1. Change into wolfssl-nginx directory. 1. Change into wolfssl-nginx directory.
2. Run the script: ./test.sh 2. Run the script: ./test.sh
3. When working, the number of FAIL and UNKNOWN will be 0. 3. When working, the number of FAIL and UNKNOWN will be 0.

230
conf/nginx.conf
View File

@ -1,16 +1,7 @@
#user nobody;
worker_processes 1; worker_processes 1;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
#pid logs/nginx.pid;
events { events {
worker_connections 1024;
} }
@ -18,82 +9,16 @@ http {
include mime.types; include mime.types;
default_type application/octet-stream; default_type application/octet-stream;
#log_format main '$remote_addr - $remote_user [$time_local] "$request" '
# '$status $body_bytes_sent "$http_referer" '
# '"$http_user_agent" "$http_x_forwarded_for"';
#access_log logs/access.log main;
sendfile on; sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65; keepalive_timeout 65;
#gzip on; ssl_session_tickets off;
server {
listen 80;
server_name localhost;
#charset koi8-r;
#access_log logs/host.access.log main;
location / {
root html;
index index.html index.htm;
}
#error_page 404 /404.html;
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root html;
}
# proxy the PHP scripts to Apache listening on 127.0.0.1:80
#
#location ~ \.php$ {
# proxy_pass http://127.0.0.1;
#}
# pass the PHP scripts to FastCGI server listening on 127.0.0.1:9000
#
#location ~ \.php$ {
# root html;
# fastcgi_pass 127.0.0.1:9000;
# fastcgi_index index.php;
# fastcgi_param SCRIPT_FILENAME /scripts$fastcgi_script_name;
# include fastcgi_params;
#}
# deny access to .htaccess files, if Apache's document root
# concurs with nginx's one
#
#location ~ /\.ht {
# deny all;
#}
}
# another virtual host using mix of IP-, name-, and port-based configuration
#
#server {
# listen 8000;
# listen somename:8080;
# server_name somename alias another.alias;
# location / {
# root html;
# index index.html index.htm;
# }
#}
# HTTPS server # HTTPS server
#
# Using DH parameters
server { server {
listen 11443 ssl; listen 11443 ssl;
server_name localhost; server_name localhost;
@ -110,9 +35,10 @@ http {
location / { location / {
root html; root html;
index index.html index.htm; index index.html;
} }
} }
# Verify client
server { server {
listen 11444 ssl; listen 11444 ssl;
server_name localhost; server_name localhost;
@ -131,16 +57,17 @@ http {
location / { location / {
root html; root html;
index index.html index.htm; index index.html;
} }
} }
# P384 curve with ECDHE
server { server {
listen 11445 ssl; listen 11445 ssl;
server_name localhost; server_name localhost;
ssl_certificate cert.pem; ssl_certificate cert.pem;
ssl_certificate_key cert.key; ssl_certificate_key cert.key;
ssl_ecdh_curve SECP384R1; ssl_ecdh_curve secp384r1;
ssl_session_cache shared:SSL:1m; ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m; ssl_session_timeout 5m;
@ -150,9 +77,10 @@ http {
location / { location / {
root html; root html;
index index.html index.htm; index index.html;
} }
} }
# Default curve with ECDHE and ECDSA
server { server {
listen 11446 ssl; listen 11446 ssl;
server_name localhost; server_name localhost;
@ -168,10 +96,11 @@ http {
location / { location / {
root html; root html;
index index.html index.htm; index index.html;
} }
} }
# Session ticket
server { server {
listen 11450 ssl; listen 11450 ssl;
server_name localhost; server_name localhost;
@ -180,6 +109,7 @@ http {
ssl_certificate_key cert.key; ssl_certificate_key cert.key;
ssl_dhparam dhparams.pem; ssl_dhparam dhparams.pem;
ssl_session_ticket_key ticket_keys; ssl_session_ticket_key ticket_keys;
ssl_session_tickets on;
ssl_session_cache shared:SSL:1m; ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m; ssl_session_timeout 5m;
@ -189,10 +119,11 @@ http {
location / { location / {
root html; root html;
index index.html index.htm; index index.html;
} }
} }
# Session cache off
server { server {
listen 11455 ssl; listen 11455 ssl;
server_name localhost; server_name localhost;
@ -202,16 +133,16 @@ http {
ssl_dhparam dhparams.pem; ssl_dhparam dhparams.pem;
ssl_session_cache off; ssl_session_cache off;
ssl_session_timeout 5m;
ssl_ciphers DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA; ssl_ciphers DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA;
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
location / { location / {
root html; root html;
index index.html index.htm; index index.html;
} }
} }
# Session cache none
server { server {
listen 11456 ssl; listen 11456 ssl;
server_name localhost; server_name localhost;
@ -228,9 +159,10 @@ http {
location / { location / {
root html; root html;
index index.html index.htm; index index.html;
} }
} }
# Session cache builtin
server { server {
listen 11457 ssl; listen 11457 ssl;
server_name localhost; server_name localhost;
@ -247,32 +179,97 @@ http {
location / { location / {
root html; root html;
index index.html index.htm; index index.html;
} }
} }
# Proxy to wolfSSL server
upstream backend {
server 127.0.0.1:12443;
}
server { server {
listen 11458 ssl; listen 127.0.0.1:12443 ssl;
server_name localhost; server_name www.wolfssl.com;
ssl_certificate cert.pem; ssl_certificate cert.pem;
ssl_certificate_key cert.key; ssl_certificate_key cert.key;
ssl_dhparam dhparams.pem; ssl_dhparam dhparams.pem;
ssl_session_cache builtin:100; ssl_session_cache shared:SSL:1m;
ssl_session_timeout 0s; ssl_session_timeout 5m;
ssl_ciphers DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA; ssl_ciphers DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA;
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
location / { location / {
root html; root wolfssl;
index index.html index.htm; index index.html;
} }
} }
upstream backend_ecdhe_rsa {
upstream www.wolfssl.com { server 127.0.0.1:12444;
server localhost:11111;
} }
server {
listen 127.0.0.1:12444 ssl;
server_name www.wolfssl.com;
ssl_certificate cert.pem;
ssl_certificate_key cert.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA;
ssl_prefer_server_ciphers on;
location / {
root wolfssl;
index index.html;
}
}
upstream backend_ecdhe_ecdsa {
server 127.0.0.1:12445;
}
server {
listen 127.0.0.1:12445 ssl;
server_name www.wolfssl.com;
ssl_certificate cert-ecc.pem;
ssl_certificate_key cert-ecc.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA;
ssl_prefer_server_ciphers on;
location / {
root wolfssl;
index index.html;
}
}
upstream backend_crl_rev {
server 127.0.0.1:12446;
}
server {
listen 127.0.0.1:12446 ssl;
server_name www.wolfssl.com;
ssl_certificate cert.pem;
ssl_certificate_key cert.key;
ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA;
ssl_prefer_server_ciphers on;
location / {
root wolfssl;
index index.html;
}
}
# Proxy using DHE cipher suites and CRL
server { server {
listen 11460 ssl; listen 11460 ssl;
server_name localhost; server_name localhost;
@ -288,7 +285,9 @@ http {
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
location / { location / {
proxy_pass https://www.wolfssl.com; proxy_pass https://backend;
proxy_ssl_name www.wolfssl.com;
proxy_ssl_server_name on;
proxy_ssl_ciphers DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA; proxy_ssl_ciphers DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA;
proxy_ssl_trusted_certificate ca-cert.pem; proxy_ssl_trusted_certificate ca-cert.pem;
proxy_ssl_certificate client-cert.pem; proxy_ssl_certificate client-cert.pem;
@ -297,6 +296,7 @@ http {
proxy_ssl_crl crl.pem; proxy_ssl_crl crl.pem;
} }
} }
# Proxy using ECDHE cipher suites and CRL
server { server {
listen 11461 ssl; listen 11461 ssl;
server_name localhost; server_name localhost;
@ -312,7 +312,9 @@ http {
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
location / { location / {
proxy_pass https://www.wolfssl.com; proxy_pass https://backend_ecdhe_rsa;
proxy_ssl_name www.wolfssl.com;
proxy_ssl_server_name on;
proxy_ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA; proxy_ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA;
proxy_ssl_trusted_certificate ca-cert.pem; proxy_ssl_trusted_certificate ca-cert.pem;
proxy_ssl_certificate client-cert.pem; proxy_ssl_certificate client-cert.pem;
@ -321,6 +323,7 @@ http {
proxy_ssl_crl crl.pem; proxy_ssl_crl crl.pem;
} }
} }
# Proxy using ECDHE and ECDSA cipher suites
server { server {
listen 11462 ssl; listen 11462 ssl;
server_name localhost; server_name localhost;
@ -336,7 +339,9 @@ http {
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
location / { location / {
proxy_pass https://www.wolfssl.com; proxy_pass https://backend_ecdhe_ecdsa;
proxy_ssl_name www.wolfssl.com;
proxy_ssl_server_name on;
proxy_ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA; proxy_ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA;
proxy_ssl_trusted_certificate ca-cert-ecc.pem; proxy_ssl_trusted_certificate ca-cert-ecc.pem;
proxy_ssl_certificate client-cert.pem; proxy_ssl_certificate client-cert.pem;
@ -345,6 +350,7 @@ http {
proxy_ssl_session_reuse on; proxy_ssl_session_reuse on;
} }
} }
# Proxy using revoked CRL
server { server {
listen 11465 ssl; listen 11465 ssl;
server_name localhost; server_name localhost;
@ -360,7 +366,9 @@ http {
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers on;
location / { location / {
proxy_pass https://www.wolfssl.com; proxy_pass https://backend_crl_rev;
proxy_ssl_name www.wolfssl.com;
proxy_ssl_server_name on;
proxy_ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA; proxy_ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA;
proxy_ssl_trusted_certificate ca-cert.pem; proxy_ssl_trusted_certificate ca-cert.pem;
proxy_ssl_certificate client-cert.pem; proxy_ssl_certificate client-cert.pem;
@ -372,6 +380,7 @@ http {
} }
# OCSP Stapling # OCSP Stapling
# Valid server certificate - using OCSP responder
server { server {
listen 11470 ssl; listen 11470 ssl;
server_name localhost; server_name localhost;
@ -382,7 +391,6 @@ http {
ssl_stapling_responder http://localhost:22221; ssl_stapling_responder http://localhost:22221;
ssl_stapling_verify on; ssl_stapling_verify on;
ssl_trusted_certificate ocsp-root-resp-cert.pem; ssl_trusted_certificate ocsp-root-resp-cert.pem;
ssl_dhparam dhparams.pem;
ssl_session_cache shared:SSL:1m; ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m; ssl_session_timeout 5m;
@ -392,9 +400,10 @@ http {
location / { location / {
root html; root html;
index index.html index.htm; index index.html;
} }
} }
# Revoked server certificate - using OCSP responder
server { server {
listen 11471 ssl; listen 11471 ssl;
server_name localhost; server_name localhost;
@ -404,7 +413,6 @@ http {
ssl_stapling on; ssl_stapling on;
ssl_stapling_responder http://localhost:22221; ssl_stapling_responder http://localhost:22221;
ssl_trusted_certificate ocsp-root-resp-cert.pem; ssl_trusted_certificate ocsp-root-resp-cert.pem;
ssl_dhparam dhparams.pem;
ssl_session_cache shared:SSL:1m; ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m; ssl_session_timeout 5m;
@ -414,9 +422,10 @@ http {
location / { location / {
root html; root html;
index index.html index.htm; index index.html;
} }
} }
# Valid server certificate in fixed OCSP response
server { server {
listen 11472 ssl; listen 11472 ssl;
server_name localhost; server_name localhost;
@ -426,7 +435,6 @@ http {
ssl_stapling on; ssl_stapling on;
ssl_stapling_file ocsp-good-status.der; ssl_stapling_file ocsp-good-status.der;
ssl_trusted_certificate ocsp-root-resp-cert.pem; ssl_trusted_certificate ocsp-root-resp-cert.pem;
ssl_dhparam dhparams.pem;
ssl_session_cache shared:SSL:1m; ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m; ssl_session_timeout 5m;
@ -436,9 +444,10 @@ http {
location / { location / {
root html; root html;
index index.html index.htm; index index.html;
} }
} }
# Revoked server certificate in fixed OCSP response
server { server {
listen 11473 ssl; listen 11473 ssl;
server_name localhost; server_name localhost;
@ -448,7 +457,6 @@ http {
ssl_stapling on; ssl_stapling on;
ssl_stapling_file ocsp-bad-status.der; ssl_stapling_file ocsp-bad-status.der;
ssl_trusted_certificate ocsp-root-resp-cert.pem; ssl_trusted_certificate ocsp-root-resp-cert.pem;
ssl_dhparam dhparams.pem;
ssl_session_cache shared:SSL:1m; ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m; ssl_session_timeout 5m;
@ -458,9 +466,10 @@ http {
location / { location / {
root html; root html;
index index.html index.htm; index index.html;
} }
} }
# No CA to check responder certificate - using OCSP responder
server { server {
listen 11474 ssl; listen 11474 ssl;
server_name localhost; server_name localhost;
@ -470,7 +479,6 @@ http {
ssl_stapling on; ssl_stapling on;
ssl_stapling_responder http://localhost:22221; ssl_stapling_responder http://localhost:22221;
ssl_stapling_verify on; ssl_stapling_verify on;
ssl_dhparam dhparams.pem;
ssl_session_cache shared:SSL:1m; ssl_session_cache shared:SSL:1m;
ssl_session_timeout 5m; ssl_session_timeout 5m;
@ -480,7 +488,7 @@ http {
location / { location / {
root html; root html;
index index.html index.htm; index index.html;
} }
} }
} }

25
html/index.html 100644
View File

@ -0,0 +1,25 @@
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
body {
width: 35em;
margin: 0 auto;
font-family: Tahoma, Verdana, Arial, sans-serif;
}
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>
<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>
<p><em>Thank you for using nginx.</em></p>
</body>
</html>

63
nginx.diff
View File

@ -56,6 +56,21 @@ index 43724b1..b26fd9d 100644
--with-openssl=*) OPENSSL="$value" ;; --with-openssl=*) OPENSSL="$value" ;;
--with-openssl-opt=*) OPENSSL_OPT="$value" ;; --with-openssl-opt=*) OPENSSL_OPT="$value" ;;
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index c98e3c2..1b67cbc 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -330,6 +330,10 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data)
SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback);
+#ifdef WOLFSSL_NGINX
+ SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_NONE, NULL);
+#endif
+
return NGX_OK;
}
diff --git a/src/event/ngx_event_openssl_stapling.c b/src/event/ngx_event_openssl_stapling.c diff --git a/src/event/ngx_event_openssl_stapling.c b/src/event/ngx_event_openssl_stapling.c
index d332c11..bfea170 100644 index d332c11..bfea170 100644
--- a/src/event/ngx_event_openssl_stapling.c --- a/src/event/ngx_event_openssl_stapling.c
@ -71,3 +86,51 @@ index d332c11..bfea170 100644
X509_up_ref(issuer); X509_up_ref(issuer);
#else #else
CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509); CRYPTO_add(&issuer->references, 1, CRYPTO_LOCK_X509);
diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c
index 2771ac1..8197ad3 100644
--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -14,7 +14,11 @@ typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c,
ngx_pool_t *pool, ngx_str_t *s);
+#ifndef WOLFSSL_NGINX
#define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
+#else
+#define NGX_DEFAULT_CIPHERS "ALL"
+#endif
#define NGX_DEFAULT_ECDH_CURVE "auto"
#define NGX_HTTP_NPN_ADVERTISE "\x08http/1.1"
diff --git a/src/mail/ngx_mail_ssl_module.c b/src/mail/ngx_mail_ssl_module.c
index fbc9bc7..1fc3504 100644
--- a/src/mail/ngx_mail_ssl_module.c
+++ b/src/mail/ngx_mail_ssl_module.c
@@ -10,7 +10,11 @@
#include <ngx_mail.h>
+#ifndef WOLFSSL_NGINX
#define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
+#else
+#define NGX_DEFAULT_CIPHERS "ALL"
+#endif
#define NGX_DEFAULT_ECDH_CURVE "auto"
diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c
index 9191641..01c5a3a 100644
--- a/src/stream/ngx_stream_ssl_module.c
+++ b/src/stream/ngx_stream_ssl_module.c
@@ -14,7 +14,11 @@ typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c,
ngx_pool_t *pool, ngx_str_t *s);
+#ifndef WOLFSSL_NGINX
#define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
+#else
+#define NGX_DEFAULT_CIPHERS "ALL"
+#endif
#define NGX_DEFAULT_ECDH_CURVE "auto"

183
ssl_ecc.t 100644
View File

@ -0,0 +1,183 @@
#!/usr/bin/perl
# (C) Sean Parkinson
# (C) wolfSSL, Inc.
# Tests for http ssl module.
###############################################################################
use warnings;
use strict;
use Test::More;
BEGIN { use FindBin; chdir($FindBin::Bin); }
use lib 'lib';
use Test::Nginx;
###############################################################################
select STDERR; $| = 1;
select STDOUT; $| = 1;
eval { require IO::Socket::SSL; };
plan(skip_all => 'IO::Socket::SSL not installed') if $@;
eval { IO::Socket::SSL::SSL_VERIFY_NONE(); };
plan(skip_all => 'IO::Socket::SSL too old') if $@;
my $t = Test::Nginx->new()->has(qw/http http_ssl rewrite/)
->has_daemon('openssl');
$t->write_file_expand('nginx.conf', <<'EOF');
%%TEST_GLOBALS%%
daemon off;
events {
}
http {
%%TEST_GLOBALS_HTTP%%
ssl_certificate_key localhost.key;
ssl_certificate localhost.crt;
ssl_session_tickets off;
server {
listen 127.0.0.1:8080 ssl;
server_name localhost;
ssl_certificate_key localhost.key;
ssl_certificate localhost.crt;
ssl_session_cache shared:SSL:1m;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA;
location /cipher {
return 200 "body $ssl_cipher";
}
}
}
EOF
$t->write_file('openssl.conf', <<EOF);
[ req ]
encrypt_key = no
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
EOF
my $d = $t->testdir();
$t->write_file('ca.conf', <<EOF);
[ ca ]
default_ca = myca
[ myca ]
new_certs_dir = $d
database = $d/certindex
default_md = sha256
policy = myca_policy
serial = $d/certserial
default_days = 3
[ myca_policy ]
commonName = supplied
EOF
$t->write_file('certserial', '1000');
$t->write_file('certindex', '');
system("openssl ecparam -genkey -name prime256v1 -out '$d/issuer.key'") == 0
or die "Can't create ECC public key for issuer: $!\n";
system('openssl req -x509 -new '
. "-config '$d/openssl.conf' -subj '/CN=issuer/' "
. "-out '$d/issuer.crt' -key '$d/issuer.key' "
. ">>$d/openssl.out 2>&1") == 0
or die "Can't create certificate for issuer: $!\n";
system("openssl ecparam -genkey -name prime256v1 -out '$d/subject.key'") == 0
or die "Can't create ECC public key for subject: $!\n";
system("openssl req -new "
. "-config '$d/openssl.conf' -subj '/CN=subject/' "
. "-out '$d/subject.csr' -key '$d/subject.key' "
. ">>$d/openssl.out 2>&1") == 0
or die "Can't create certificate for subject: $!\n";
system("openssl ca -batch -config '$d/ca.conf' "
. "-keyfile '$d/issuer.key' -cert '$d/issuer.crt' "
. "-subj '/CN=subject/' -in '$d/subject.csr' -out '$d/subject.crt' "
. ">>$d/openssl.out 2>&1") == 0
or die "Can't sign certificate for subject: $!\n";
foreach my $name ('localhost') {
system("openssl ecparam -genkey -name prime256v1 "
. "-out '$d/$name.key'") == 0
or die "Can't create ECC public key for $name: $!\n";
system('openssl req -x509 -new '
. "-config '$d/openssl.conf' -subj '/CN=$name/' "
. "-out '$d/$name.crt' -key '$d/$name.key' "
. ">>$d/openssl.out 2>&1") == 0
or die "Can't create certificate for $name: $!\n";
}
my $ctx = new IO::Socket::SSL::SSL_Context(
SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(),
SSL_session_cache_size => 100);
$t->try_run('no ssl_ecc')->plan(1);
###############################################################################
like(get('/cipher', 8080), qr/^body [\w-]+$/m, 'cipher');
###############################################################################
sub get {
my ($uri, $port) = @_;
my $s = get_ssl_socket($ctx, port($port)) or return;
http_get($uri, socket => $s);
}
sub cert {
my ($uri, $port) = @_;
my $s = get_ssl_socket(undef, port($port),
SSL_cert_file => "$d/subject.crt",
SSL_key_file => "$d/subject.key") or return;
http_get($uri, socket => $s);
}
sub get_ssl_socket {
my ($ctx, $port, %extra) = @_;
my $s;
eval {
local $SIG{ALRM} = sub { die "timeout\n" };
local $SIG{PIPE} = sub { die "sigpipe\n" };
alarm(2);
$s = IO::Socket::SSL->new(
Proto => 'tcp',
PeerAddr => '127.0.0.1',
PeerPort => $port,
SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(),
SSL_reuse_ctx => $ctx,
SSL_error_trap => sub { die $_[1] },
%extra
);
alarm(0);
};
alarm(0);
if ($@) {
log_in("died: $@");
return undef;
}
return $s;
}
###############################################################################

167
test.sh
View File

@ -1,34 +1,41 @@
#!/bin/bash #!/bin/bash
INSTALL_NGINX="/usr/local/nginx" NGINX_SRC="../nginx"
INSTALL_NGINX_CONF="$INSTALL_NGINX/conf" if [ "$NGINX_BIN" = "" ]; then
INSTALL_NGINX_CONF_BACKUP="$INSTALL_NGINX/conf_backup" NGINX_BIN="${NGINX_SRC}/objs/nginx"
INSTALL_NGINX_BIN="$INSTALL_NGINX/sbin" fi
WOLFSSL_SOURCE="../wolfssl" WOLFSSL_SOURCE="../wolfssl"
WOLFSSL_CLIENT="./examples/client/client" WOLFSSL_CLIENT="./examples/client/client"
WOLFSSL_SERVER="./examples/server/server" WOLFSSL_OCSP_CERTS="${WOLFSSL_SOURCE}/certs/ocsp"
NGINX_CONF="./conf" NGINX_CONF="./conf"
CLIENT_TMP="/tmp/nginx_client.$$" CLIENT_TMP="/tmp/nginx_client.$$"
SERVER_TMP="/tmp/nginx_server.$$" SERVER_TMP="/tmp/nginx_server.$$"
OCSP_GOOD="ocsp-good-status.der"
OCSP_BAD="ocsp-bad-status.der"
WN_PATH=`pwd` WN_PATH=`pwd`
WN_OCSP_GOOD="$WN_PATH/conf/$OCSP_GOOD"
WN_OCSP_BAD="$WN_PATH/conf/$OCSP_BAD"
WN_LOGS="$WN_PATH/logs"
WN_ERROR_LOG="$WN_LOGS/error.log"
echo "Ngninx Install directory: $INSTALL_NGINX"
if [ ! -d $INSTALL_NGINX_CONF ]; then if [ ! -f $NGINX_BIN ]; then
echo "Could not find Nginx conf directory: ${INSTALL_NGINX_CONF}" echo "Could not find Nginx exe: ${NGINX_BIN}"
echo "Stopping - FAIL"
exit 1
fi
if [ ! -e $INSTALL_NGINX_BIN/nginx ]; then
echo "Could not find Nginx exe: ${INSTALL_NGINX_BIN}/nginx"
echo "Stopping - FAIL" echo "Stopping - FAIL"
exit 1 exit 1
fi fi
echo "Ngninx binary: $NGINX_BIN"
echo "wolfSSL Source directory: $WOLFSSL_SOURCE" echo "wolfSSL Source directory: $WOLFSSL_SOURCE"
if [ ! -d $WOLFSSL_SOURCE ]; then if [ ! -d $WOLFSSL_SOURCE ]; then
echo "Could not find wolfSSL source directory: ${WOLFSSL_SOURCE}" echo "Could not find wolfSSL source directory: ${WOLFSSL_SOURCE}"
echo "Stopping - FAIL" echo "Stopping - FAIL"
exit 1 exit 1
fi fi
if [ ! -d $WOLFSSL_OCSP_CERTS ]; then
echo "Could not find OCSP certs path: ${WOLFSSL_OCSP_CERTS}"
echo "Stopping - FAIL"
exit 1
fi
echo "Changing into wolfSSL source directory" echo "Changing into wolfSSL source directory"
cd $WOLFSSL_SOURCE cd $WOLFSSL_SOURCE
if [ ! -e $WOLFSSL_CLIENT ]; then if [ ! -e $WOLFSSL_CLIENT ]; then
@ -36,11 +43,6 @@ if [ ! -e $WOLFSSL_CLIENT ]; then
echo "Stopping - FAIL" echo "Stopping - FAIL"
exit 1 exit 1
fi fi
if [ ! -e $WOLFSSL_SERVER ]; then
echo "Could not find wolfSSL server: ${WOLFSSL_SERVER}"
echo "Stopping - FAIL"
exit 1
fi
OPENSSL=`which openssl` OPENSSL=`which openssl`
if [ "$?" = "1" ]; then if [ "$?" = "1" ]; then
echo "Could not find openssl superapp" echo "Could not find openssl superapp"
@ -50,8 +52,13 @@ fi
echo "OpenSSL superapp found: $OPENSSL" echo "OpenSSL superapp found: $OPENSSL"
echo echo
if [ ! -d $WN_LOGS ]; then
echo "Making directory: ${WN_LOGS}"
mkdir ${WN_LOGS}
fi
# Number of minutes OCSP responses will be valid for # Number of minutes OCSP responses will be valid for
VALID_MIN=1 VALID_MIN=60
declare -a EXPECT declare -a EXPECT
declare -a EXPECT_SERVER declare -a EXPECT_SERVER
@ -64,10 +71,18 @@ PASS=0
FAIL=0 FAIL=0
UNKNOWN=0 UNKNOWN=0
run_nginx() {
${NGINX_BIN} -p ${WN_PATH} \
-g "error_log ${WN_ERROR_LOG} debug;" \
${NGINX_OPTS}
RES=$?
}
do_cleanup() { do_cleanup() {
echo "# In cleanup" echo "# In cleanup"
sudo ${INSTALL_NGINX_BIN}/nginx -s stop NGINX_OPTS="-s stop"
run_nginx
rm -f $CLIENT_TMP rm -f $CLIENT_TMP
rm -f $SERVER_TMP rm -f $SERVER_TMP
@ -83,12 +98,8 @@ do_cleanup() {
kill -9 $OCSP_PID kill -9 $OCSP_PID
fi fi
if [ -e ${INSTALL_NGINX_CONF_BACKUP} ]; then
sudo rm -rf ${INSTALL_NGINX_CONF}
sudo mv ${INSTALL_NGINX_CONF_BACKUP} ${INSTALL_NGINX_CONF}
fi
cd $WN_PATH cd $WN_PATH
rm -rf client_body_temp fastcgi_temp proxy_temp scgi_temp uwsgi_temp
} }
do_trap() { do_trap() {
@ -137,56 +148,43 @@ client_test() {
OPTS="$OPTS -r -g" OPTS="$OPTS -r -g"
client client
} }
proxy_test() {
${WOLFSSL_SERVER} -g -C 2 >$SERVER_TMP 2>&1 &
SERVER_PID=$!
client_test
kill $SERVER_PID
SERVER_PID=0
echo "# Server Output"
LOG=$SERVER_TMP
EXP=("${EXPECT_SERVER[@]}")
check_log
}
proxy_test_ecdsa() {
${WOLFSSL_SERVER} -c certs/server-ecc.pem -k certs/ecc-key.pem -g -C 2 >$SERVER_TMP 2>&1 &
SERVER_PID=$!
client_test
kill $SERVER_PID
SERVER_PID=0
echo "# Server Output"
LOG=$SERVER_TMP
EXP=("${EXPECT_SERVER[@]}")
check_log
}
stapling_test() { stapling_test() {
OPTS="$OPTS -g -C -A certs/ocsp/root-ca-cert.pem -W 1" OPTS="$OPTS -g -C -A ${WOLFSSL_OCSP_CERTS}/root-ca-cert.pem -W 1"
client client
} }
sudo mv ${INSTALL_NGINX_CONF} ${INSTALL_NGINX_CONF_BACKUP}
sudo cp -r ${WN_PATH}/${NGINX_CONF} ${INSTALL_NGINX_CONF}
# Start the OSCP responder and generate the response files # Start the OSCP responder and generate the response files
${OPENSSL} ocsp -port 22221 -nmin ${VALID_MIN} -index certs/ocsp/index1.txt -rsigner certs/ocsp/ocsp-responder-cert.pem -rkey certs/ocsp/ocsp-responder-key.pem -CA certs/ocsp/intermediate1-ca-cert.pem >/dev/null 2>&1 & ${OPENSSL} ocsp -port 22221 -nmin ${VALID_MIN} -index ${WOLFSSL_OCSP_CERTS}/index1.txt -rsigner ${WOLFSSL_OCSP_CERTS}/ocsp-responder-cert.pem -rkey ${WOLFSSL_OCSP_CERTS}/ocsp-responder-key.pem -CA ${WOLFSSL_OCSP_CERTS}/intermediate1-ca-cert.pem >/dev/null 2>&1 &
OCSP_PID=$! OCSP_PID=$!
# Generate OCSP response file that indicates certificate is good. # Generate OCSP response file that indicates certificate is good.
(${OPENSSL} ocsp -issuer certs/ocsp/intermediate1-ca-cert.pem -cert certs/ocsp/server1-cert.pem -url http://localhost:22221 -resp_text -respout ocsp-good-status.der -no_nonce; sudo mv ocsp-good-status.der ${INSTALL_NGINX_CONF}/ocsp-good-status.der) >/dev/null 2>&1 ${OPENSSL} ocsp -issuer ${WOLFSSL_OCSP_CERTS}/intermediate1-ca-cert.pem -cert ${WOLFSSL_OCSP_CERTS}/server1-cert.pem -url http://localhost:22221 -resp_text -respout ${WN_OCSP_GOOD} -no_nonce >/dev/null 2>&1
# Generate OCSP response file that indicates certificate is revoked. # Generate OCSP response file that indicates certificate is revoked.
(${OPENSSL} ocsp -issuer certs/ocsp/intermediate1-ca-cert.pem -cert certs/ocsp/server2-cert.pem -url http://localhost:22221 -resp_text -respout ocsp-bad-status.der -no_nonce; sudo mv ocsp-bad-status.der ${INSTALL_NGINX_CONF}/ocsp-bad-status.der) >/dev/null 2>&1 ${OPENSSL} ocsp -issuer ${WOLFSSL_OCSP_CERTS}/intermediate1-ca-cert.pem -cert ${WOLFSSL_OCSP_CERTS}/server2-cert.pem -url http://localhost:22221 -resp_text -respout ${WN_OCSP_BAD} -no_nonce >/dev/null 2>&1
if [ ! -f $WN_OCSP_GOOD ]; then
echo "Could not find OCSP output file: ${WN_OCSP_GOOD}"
echo "Stopping - FAIL"
exit 1
fi
if [ ! -f $WN_OCSP_BAD ]; then
echo "Could not find OCSP output file: ${WN_OCSP_BAD}"
echo "Stopping - FAIL"
exit 1
fi
echo "Stopping Nginx ..."
NGINX_OPTS="-s stop"
run_nginx
echo "Starting Nginx ..." echo "Starting Nginx ..."
sudo ${INSTALL_NGINX_BIN}/nginx -s stop
# Start Nginx # Start Nginx
sudo ${INSTALL_NGINX_BIN}/nginx NGINX_OPTS=
run_nginx
if [ "$RES" != "0" ]; then
echo "Failed to start Nginx"
exit 1
fi
# Default certificate, DH KEA # Default certificate, DH KEA
echo echo
@ -194,6 +192,7 @@ echo '#'
echo '# DH Key Exchange' echo '# DH Key Exchange'
echo '#' echo '#'
PORT=11443 PORT=11443
echo "# Port: $PORT"
OPTS= OPTS=
EXPECT=("SSL DH size is 2048 bits" "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" "HTTP/1.1 200 OK" "resume response") EXPECT=("SSL DH size is 2048 bits" "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256" "HTTP/1.1 200 OK" "resume response")
client_test client_test
@ -203,6 +202,7 @@ echo '#'
echo '# DH Key Exchange verify client' echo '# DH Key Exchange verify client'
echo '#' echo '#'
PORT=11444 PORT=11444
echo "# Port: $PORT"
OPTS="-x" OPTS="-x"
EXPECT=("400 No required SSL certificate was sent") EXPECT=("400 No required SSL certificate was sent")
client_test client_test
@ -212,6 +212,7 @@ echo '#'
echo '# ECDH Key Exchange: SECP384R1' echo '# ECDH Key Exchange: SECP384R1'
echo '#' echo '#'
PORT=11445 PORT=11445
echo "# Port: $PORT"
OPTS= OPTS=
EXPECT=("SECP384R1" "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" "HTTP/1.1 200 OK") EXPECT=("SECP384R1" "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" "HTTP/1.1 200 OK")
client_test client_test
@ -221,6 +222,7 @@ echo '#'
echo '# ECC Certificate, ECDH Key Exchange: default curve (prime256v1)' echo '# ECC Certificate, ECDH Key Exchange: default curve (prime256v1)'
echo '#' echo '#'
PORT=11446 PORT=11446
echo "# Port: $PORT"
OPTS= OPTS=
EXPECT=("SECP256R1" "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" "HTTP/1.1 200 OK") EXPECT=("SECP256R1" "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" "HTTP/1.1 200 OK")
client_test client_test
@ -230,6 +232,7 @@ echo '#'
echo '# Session ticket file' echo '# Session ticket file'
echo '#' echo '#'
PORT=11450 PORT=11450
echo "# Port: $PORT"
OPTS= OPTS=
EXPECT=("Session Ticket CB" "HTTP/1.1 200 OK") EXPECT=("Session Ticket CB" "HTTP/1.1 200 OK")
client_test client_test
@ -239,33 +242,28 @@ echo '#'
echo '# Session cache off' echo '# Session cache off'
echo '#' echo '#'
PORT=11455 PORT=11455
echo "# Port: $PORT"
OPTS= OPTS=
EXPECT=("didn't reuse session id!!!" "HTTP/1.1 200 OK") EXPECT=("didn't reuse session id!!!" "HTTP/1.1 200 OK")
client_test client_test
echo echo
echo '#' echo '#'
echo '# Session cache none - still does it' echo '# Session cache none'
echo '#' echo '#'
PORT=11456 PORT=11456
echo "# Port: $PORT"
OPTS= OPTS=
EXPECT=("reused session id" "HTTP/1.1 200 OK") EXPECT=("didn't reuse session id!!!" "HTTP/1.1 200 OK")
client_test client_test
echo echo
echo '#' echo '#'
echo '# Session cache builtin' echo '# Session cache builtin'
echo '#' echo '#'
PORT=11457 PORT=11457
echo "# Port: $PORT"
OPTS= OPTS=
EXPECT=("reused session id" "HTTP/1.1 200 OK") EXPECT=("reused session id" "HTTP/1.1 200 OK")
client_test client_test
echo
echo '#'
echo '# Session cache timeout 1 second'
echo '#'
PORT=11458
OPTS=
EXPECT=("didn't reuse session id!!!" "HTTP/1.1 200 OK")
client_test
# Proxy to localhost:11111 - DHE-RSA # Proxy to localhost:11111 - DHE-RSA
echo echo
@ -273,40 +271,44 @@ echo '#'
echo '# Proxy - DHE-RSA' echo '# Proxy - DHE-RSA'
echo '#' echo '#'
PORT=11460 PORT=11460
echo "# Port: $PORT"
OPTS= OPTS=
SERVER_OPTS=
EXPECT=("HTTP/1.1 200 OK" "Welcome to wolf") EXPECT=("HTTP/1.1 200 OK" "Welcome to wolf")
EXPECT_SERVER=("TLS_DHE_RSA_WITH_AES_128_GCM_SHA256") client_test
proxy_test
# Proxy to localhost:11111 - ECDHE-RSA # Proxy to localhost:11111 - ECDHE-RSA
echo echo
echo '#' echo '#'
echo '# Proxy - ECDHE-RSA' echo '# Proxy - ECDHE-RSA'
echo '#' echo '#'
PORT=11461 PORT=11461
echo "# Port: $PORT"
OPTS= OPTS=
SERVER_OPTS=
EXPECT=("HTTP/1.1 200 OK" "Welcome to wolf") EXPECT=("HTTP/1.1 200 OK" "Welcome to wolf")
EXPECT_SERVER=("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" "SSL reused session") client_test
proxy_test
# Proxy to localhost:11111 - ECDHE-ECDSA # Proxy to localhost:11111 - ECDHE-ECDSA
echo echo
echo '#' echo '#'
echo '# Proxy - ECDHE-ECDSA' echo '# Proxy - ECDHE-ECDSA'
echo '#' echo '#'
PORT=11462 PORT=11462
echo "# Port: $PORT"
OPTS= OPTS=
SERVER_OPTS="-c certs/server-ecc.pem -k certs/ecc-key.pem"
EXPECT=("HTTP/1.1 200 OK" "Welcome to wolf") EXPECT=("HTTP/1.1 200 OK" "Welcome to wolf")
EXPECT_SERVER=("TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256" "SSL reused session") client_test
proxy_test_ecdsa
# Proxy to localhost:11111 - Revoked certificate in CRL # Proxy to localhost:11111 - Revoked certificate in CRL
echo echo
echo '#' echo '#'
echo '# Proxy - Revoked certificate in CRL' echo '# Proxy - Revoked certificate in CRL'
echo '#' echo '#'
PORT=11465 PORT=11465
echo "# Port: $PORT"
OPTS= OPTS=
SERVER_OPTS=
EXPECT=("HTTP/1.1 502") EXPECT=("HTTP/1.1 502")
EXPECT_SERVER=("error = -308") client_test
proxy_test
# OCSP Stapling # OCSP Stapling
# Good certificate # Good certificate
@ -315,6 +317,7 @@ echo '#'
echo '# OCSP Stapling - Good Certificate (Using OCSP Responder)' echo '# OCSP Stapling - Good Certificate (Using OCSP Responder)'
echo '#' echo '#'
PORT=11470 PORT=11470
echo "# Port: $PORT"
OPTS= OPTS=
EXPECT=("HTTP/1.1 200 OK") EXPECT=("HTTP/1.1 200 OK")
stapling_test stapling_test
@ -325,6 +328,7 @@ echo '#'
echo '# OCSP Stapling - Revoked Certificate (Using OCSP Responder)' echo '# OCSP Stapling - Revoked Certificate (Using OCSP Responder)'
echo '#' echo '#'
PORT=11471 PORT=11471
echo "# Port: $PORT"
OPTS= OPTS=
EXPECT=("err = -360") EXPECT=("err = -360")
stapling_test stapling_test
@ -335,6 +339,7 @@ echo '#'
echo '# OCSP Stapling - Good Certificate (Using pre-generated file)' echo '# OCSP Stapling - Good Certificate (Using pre-generated file)'
echo '#' echo '#'
PORT=11472 PORT=11472
echo "# Port: $PORT"
OPTS= OPTS=
EXPECT=("HTTP/1.1 200 OK") EXPECT=("HTTP/1.1 200 OK")
stapling_test stapling_test
@ -344,6 +349,7 @@ echo '#'
echo '# OCSP Stapling - Revoked Certificate (Using pre-generated file)' echo '# OCSP Stapling - Revoked Certificate (Using pre-generated file)'
echo '#' echo '#'
PORT=11473 PORT=11473
echo "# Port: $PORT"
OPTS= OPTS=
EXPECT=("err = -360") EXPECT=("err = -360")
stapling_test stapling_test
@ -353,6 +359,7 @@ echo '#'
echo '# OCSP Stapling - Using OCSP Responder but no cert to verify' echo '# OCSP Stapling - Using OCSP Responder but no cert to verify'
echo '#' echo '#'
PORT=11474 PORT=11474
echo "# Port: $PORT"
OPTS= OPTS=
EXPECT=("HTTP/1.1 200 OK") EXPECT=("HTTP/1.1 200 OK")
stapling_test stapling_test