forked from nginx/nginx-tests
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathh2_ssl.t
More file actions
148 lines (102 loc) · 3.45 KB
/
Copy pathh2_ssl.t
File metadata and controls
148 lines (102 loc) · 3.45 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
#!/usr/bin/perl
# (C) Sergey Kandaurov
# (C) Nginx, Inc.
# Tests for HTTP/2 protocol with ssl.
###############################################################################
use warnings;
use strict;
use Test::More;
use Socket qw/ SOL_SOCKET SO_RCVBUF /;
BEGIN { use FindBin; chdir($FindBin::Bin); }
use lib 'lib';
use Test::Nginx;
use Test::Nginx::HTTP2;
###############################################################################
select STDERR; $| = 1;
select STDOUT; $| = 1;
my $t = Test::Nginx->new()->has(qw/http http_ssl http_v2 socket_ssl_alpn/)
->has_daemon('openssl');
plan(skip_all => 'no ALPN support in OpenSSL')
if $t->has_module('OpenSSL') and not $t->has_feature('openssl:1.0.2');
$t->write_file_expand('nginx.conf', <<'EOF');
%%TEST_GLOBALS%%
daemon off;
events {
}
http {
%%TEST_GLOBALS_HTTP%%
server {
listen 127.0.0.1:8443 ssl;
server_name localhost;
http2 on;
ssl_certificate_key localhost.key;
ssl_certificate localhost.crt;
lingering_close off;
location / { }
}
}
EOF
$t->write_file('openssl.conf', <<EOF);
[ req ]
default_bits = 2048
encrypt_key = no
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
EOF
my $d = $t->testdir();
foreach my $name ('localhost') {
system('openssl req -x509 -new '
. "-config $d/openssl.conf -subj /CN=$name/ "
. "-out $d/$name.crt -keyout $d/$name.key "
. ">>$d/openssl.out 2>&1") == 0
or die "Can't create certificate for $name: $!\n";
}
$t->write_file('index.html', '');
$t->write_file('tbig.html',
join('', map { sprintf "XX%06dXX", $_ } (1 .. 500000)));
$t->run()->plan(4);
###############################################################################
SKIP: {
skip 'LibreSSL too old', 1
if $t->has_module('LibreSSL')
and not $t->has_feature('libressl:3.4.0');
skip 'OpenSSL too old', 1
if $t->has_module('OpenSSL')
and not $t->has_feature('openssl:1.1.0');
ok(!get_ssl_socket(['unknown']), 'alpn rejected');
}
like(http_get('/', socket => get_ssl_socket(['http/1.1'])),
qr/200 OK/, 'alpn to HTTP/1.1 fallback');
my $s = getconn(['http/1.1', 'h2']);
my $sid = $s->new_stream();
my $frames = $s->read(all => [{ sid => $sid, fin => 1 }]);
my ($frame) = grep { $_->{type} eq "HEADERS" } @$frames;
is($frame->{headers}->{':status'}, 200, 'alpn to HTTP/2');
# h2c preface on ssl-enabled socket is rejected as invalid HTTP/1.x request,
# ensure that HTTP/2 auto-detection doesn't kick in
like(http("PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n",
PeerAddr => '127.0.0.1:' . port(8443)), qr/Bad Request/,
'no h2c on ssl socket');
# client cancels last stream after HEADERS has been created,
# while some unsent data was left in the SSL buffer
# HEADERS frame may stuck in SSL buffer and won't be sent producing alert
$s = getconn(['http/1.1', 'h2']);
$s->{socket}->setsockopt(SOL_SOCKET, SO_RCVBUF, 1024*1024) or die $!;
$sid = $s->new_stream({ path => '/tbig.html' });
select undef, undef, undef, 0.2;
$s->h2_rst($sid, 8);
$sid = $s->new_stream({ path => '/tbig.html' });
select undef, undef, undef, 0.2;
$s->h2_rst($sid, 8);
$t->stop();
###############################################################################
sub getconn {
my ($alpn) = @_;
my $sock = get_ssl_socket($alpn);
Test::Nginx::HTTP2->new(undef, socket => $sock);
}
sub get_ssl_socket {
my ($alpn) = @_;
return http('', start => 1, SSL => 1, SSL_alpn_protocols => $alpn);
}
###############################################################################