From 28390677c883fcd1fa447b16bc6fd9ec4c5dafaf Mon Sep 17 00:00:00 2001 From: detailyang Date: Sun, 19 Feb 2017 17:23:09 +0800 Subject: [PATCH 01/13] feature: support ssl.create_ctx and tcp:setsslctx 
Signed-off-by: detailyang --- lib/ngx/ssl.lua | 49 ++++ lib/resty/core.lua | 1 + lib/resty/core/socket/tcp.lua | 67 +++++ t/cert/ca-client-server/ca.crt | 18 ++ t/cert/ca-client-server/ca.key | 30 ++ t/cert/ca-client-server/client.cer | 18 ++ t/cert/ca-client-server/client.crt | 18 ++ t/cert/ca-client-server/client.csr | 17 ++ t/cert/ca-client-server/client.key | 30 ++ t/cert/ca-client-server/client.p12 | Bin 0 -> 2349 bytes t/cert/ca-client-server/client.pfx | Bin 0 -> 2349 bytes t/cert/ca-client-server/client.unsecure.key | 27 ++ t/cert/ca-client-server/ecc-server.crt | 14 + t/cert/ca-client-server/ecc-server.csr | 9 + t/cert/ca-client-server/ecc-server.key | 5 + t/cert/ca-client-server/generate-cert.sh | 39 +++ t/cert/ca-client-server/server.cer | 18 ++ t/cert/ca-client-server/server.crt | 18 ++ t/cert/ca-client-server/server.csr | 17 ++ t/cert/ca-client-server/server.key | 30 ++ t/cert/ca-client-server/server.unsecure.key | 27 ++ t/ssl-ctx.t | 290 ++++++++++++++++++++ 22 files changed, 742 insertions(+) create mode 100644 lib/resty/core/socket/tcp.lua create mode 100644 t/cert/ca-client-server/ca.crt create mode 100644 t/cert/ca-client-server/ca.key create mode 100644 t/cert/ca-client-server/client.cer create mode 100644 t/cert/ca-client-server/client.crt create mode 100644 t/cert/ca-client-server/client.csr create mode 100644 t/cert/ca-client-server/client.key create mode 100644 t/cert/ca-client-server/client.p12 create mode 100644 t/cert/ca-client-server/client.pfx create mode 100644 t/cert/ca-client-server/client.unsecure.key create mode 100644 t/cert/ca-client-server/ecc-server.crt create mode 100644 t/cert/ca-client-server/ecc-server.csr create mode 100644 t/cert/ca-client-server/ecc-server.key create mode 100755 t/cert/ca-client-server/generate-cert.sh create mode 100644 t/cert/ca-client-server/server.cer create mode 100644 t/cert/ca-client-server/server.crt create mode 100644 t/cert/ca-client-server/server.csr create mode 100644 
t/cert/ca-client-server/server.key create mode 100644 t/cert/ca-client-server/server.unsecure.key create mode 100644 t/ssl-ctx.t
diff --git a/lib/ngx/ssl.lua b/lib/ngx/ssl.lua
index 89d42a533..96d3ba164 100644
--- a/lib/ngx/ssl.lua
+++ b/lib/ngx/ssl.lua
@@ -58,6 +58,18 @@ int ngx_http_lua_ffi_set_priv_key(void *r, void *cdata, char **err);
 void ngx_http_lua_ffi_free_cert(void *cdata);
 void ngx_http_lua_ffi_free_priv_key(void *cdata);
+
+void *ngx_http_lua_ffi_ssl_ctx_init(const unsigned char *method,
+ size_t method_len, char **err);
+
+void ngx_http_lua_ffi_ssl_ctx_free(void *cdata);
+
+int ngx_http_lua_ffi_ssl_ctx_set_priv_key(void *cdata_ctx,
+ void *cdata_key, char **err);
+
+int ngx_http_lua_ffi_ssl_ctx_set_cert(void *cdata_ctx,
+ void *cdata_cert, char **err);
+
 ]]
@@ -261,6 +273,43 @@ function _M.set_priv_key(priv_key)
 end
+function _M.create_ctx(options)
+ if type(options) ~= 'table' then
+ return nil, "no options found"
+ end
+
+ local method = "SSLv23_method"
+ if options.method ~= nil then
+ method = options.method
+ end
+
+ local ctx = C.ngx_http_lua_ffi_ssl_ctx_init(method, #method, errmsg)
+ if ctx == nil then
+ return nil, ffi_str(errmsg[0])
+ end
+
+ ctx = ffi_gc(ctx, C.ngx_http_lua_ffi_ssl_ctx_free)
+
+ if options.cert ~= nil then
+ local rc = C.ngx_http_lua_ffi_ssl_ctx_set_cert(ctx,
+ options.cert, errmsg)
+ if rc ~= FFI_OK then
+ return nil, ffi_str(errmsg[0])
+ end
+ end
+
+ if options.priv_key ~= nil then
+ local rc = C.ngx_http_lua_ffi_ssl_ctx_set_priv_key(ctx,
+ options.priv_key, errmsg)
+ if rc ~= FFI_OK then
+ return nil, ffi_str(errmsg[0])
+ end
+ end
+
+ return ctx
+end
+
+
 do
 _M.SSL3_VERSION = 0x0300
 _M.TLS1_VERSION = 0x0301
diff --git a/lib/resty/core.lua b/lib/resty/core.lua
index 71bb94642..8ac51e5d9 100644
--- a/lib/resty/core.lua
+++ b/lib/resty/core.lua
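Review bot: `create_ctx` takes `options.method` on trust and immediately evaluates `#method`, so a non-string value (a number, a table) raises a raw Lua error from the length operator instead of following the function's own `nil, err` contract, and an arbitrary string is then handed to `ngx_http_lua_ffi_ssl_ctx_init` with nothing in this hunk saying which method names are accepted. A guard before that call, `if type(method) ~= "string" then return nil, "bad \"method\" option" end`, keeps the error path uniform. The function also has no header comment; it should state that `cert` and `priv_key` are expected to be the cdata objects produced by this module's PEM parsers rather than PEM strings (the cdef parameter names `cdata_cert`/`cdata_key` suggest this), and that the default `SSLv23_method` is version-flexible, so any minimum-protocol restriction has to come from the C side or from the caller passing a specific method — presumably the C implementation handles this, but it is not visible here. `errmsg`, `ffi_gc`, `ffi_str` and `FFI_OK` are assumed to already be locals of ssl.lua, since only the cdef context is shown in the hunk.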
@@ -14,6 +14,7 @@ require "resty.core.request"
 require "resty.core.response"
 require "resty.core.time"
 require "resty.core.worker"
+require "resty.core.socket.tcp"
 local base = require "resty.core.base"
diff --git a/lib/resty/core/socket/tcp.lua b/lib/resty/core/socket/tcp.lua
new file mode 100644
index 000000000..117e16eb3
--- /dev/null
+++ b/lib/resty/core/socket/tcp.lua
@@ -0,0 +1,67 @@
+-- Copyright (C) Yichun Zhang (agentzh)
+
+
+local ffi = require "ffi"
+local base = require "resty.core.base"
+
+
+local C = ffi.C
+local ffi_str = ffi.string
+local getfenv = getfenv
+local error = error
+local errmsg = base.get_errmsg_ptr()
+local FFI_OK = base.FFI_OK
+
+
+ffi.cdef[[
+
+ int
+ ngx_http_lua_ffi_socket_tcp_setsslctx(ngx_http_request_t *r,
+ void *u, void *cdata_ctx, char **err);
+
+]]
+
+
+local function check_tcp(tcp)
+ if not tcp or type(tcp) ~= "table" then
+ return error("bad \"tcp\" argument")
+ end
+
+ tcp = tcp[1]
+ if type(tcp) ~= "userdata" then
+ return error("bad \"tcp\" argument")
+ end
+
+ return tcp
+end
+
+
+local function setsslctx(tcp, ssl_ctx)
+ tcp = check_tcp(tcp)
+
+ local r = getfenv(0).__ngx_req
+ if not r then
+ return error("no request found")
+ end
+
+ local rc = C.ngx_http_lua_ffi_socket_tcp_setsslctx(r, tcp, ssl_ctx, errmsg)
+ if rc ~= FFI_OK then
+ return false, ffi_str(errmsg[0])
+ end
+
+ return true
+end
+
+
+local mt = getfenv(0).__ngx_socket_tcp_mt
+if mt then
+ mt = mt.__index
+ if mt then
+ mt.setsslctx = setsslctx
+ end
+end
+
+
+return {
+ version = base.version
+}
diff --git a/t/cert/ca-client-server/ca.crt b/t/cert/ca-client-server/ca.crt
new file mode 100644
index 000000000..075fb9fb4
--- /dev/null
+++ b/t/cert/ca-client-server/ca.crt
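Review bot: `setsslctx` validates the socket through `check_tcp` but forwards `ssl_ctx` to `ngx_http_lua_ffi_socket_tcp_setsslctx` unchecked, so a caller that ignores a failed `ssl.create_ctx` (which returns `nil, err`) hands a NULL `cdata_ctx` to the C side; a matching guard, `if ssl_ctx == nil then return error("bad \"ssl_ctx\" argument") end`, placed after `check_tcp` keeps argument errors on the same path as the existing checks. Lifetime is the second concern: the context from `create_ctx` is registered with `ffi_gc`, and nothing on the Lua side retains it once `setsslctx` returns, so unless the C function takes its own reference on the SSL_CTX (not visible here) a caller that drops the ctx before `sslhandshake` could have it freed underneath the socket — either document that the caller must keep `ssl_ctx` alive, or anchor it in a Lua-side table for the socket's lifetime. The cdef also relies on `ngx_http_request_t` already being declared, presumably by `resty.core.base`; a comment noting that dependency would help the next reader. Finally, when `__ngx_socket_tcp_mt` is absent the method is silently not installed and callers get an unhelpful "attempt to call method 'setsslctx'"; consider a `ngx.log(ngx.WARN, ...)` or a version check so the mismatch is diagnosable.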
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC7TCCAdWgAwIBAgIJAPQtwgjj8kufMA0GCSqGSIb3DQEBCwUAMA0xCzAJBgNV +BAMMAmNhMB4XDTE3MDIxOTE1MTYwNVoXDTE3MDMyMTE1MTYwNVowDTELMAkGA1UE +AwwCY2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDVINQ5PqDbYUz+ +g9sxuJWC87leChR0EwoT6NwVBFEQiqtFSBK17gN1kYTez2qFIeqjwoAL3K2VNTlP +g/79E501HynND8vQG7cBQGX/GRtQoU8aCp/DgmkzNeLudlu8Rgp3mhQY+DLMQkXs +mUsmcjVpx6+tPXsnxAnbQ7DdH8gD+XaECoGH39FIdGiwmZY5Y/PjPYUk36qknkfm +pUem7GSVPbG5Etxbk0Q4jAjL8JrN6wBtj4HiX9LLW+o8b/nNypf2HkDObV1DliPx +S1A9lbYcq+X/uXlq67uzMO/8Xy1optJNe4AMsUp7VWIqMCJ2e2q0c7jULJGNdmUz +EO0fAopjAgMBAAGjUDBOMB0GA1UdDgQWBBReqrUnkoVTa1qkVBdIbTR0c15/NDAf +BgNVHSMEGDAWgBReqrUnkoVTa1qkVBdIbTR0c15/NDAMBgNVHRMEBTADAQH/MA0G +CSqGSIb3DQEBCwUAA4IBAQBGEec8MWgYkj4JzKeHUF6q5Vw2fyD6lZZsv7NmSnkb +jUhe+mKxgvwn82lKiGcyQth9OQtVQ7j6Q3gHfcLSqHNhQGjZA1/tgHGjHH9yK3Lw +69dRgQZFT/1IP84qrU/TVVY2tsVlO00BTfDbPgHvQTMkoRneN36l8P8gmwAzOG4h +R/z7c3bExwy/liAPtbKCXW9tZkJ72x7jLPgLk+NBw0heH6Sank46eMvg9c8H2HXD +oF1dPlaNZXqoeIIMGAWzxLOF8gl3F2+tFM1qpjdg+kFaK+bh9W59MefDoVZ+r+f1 +GP1cO7cbo8hn2rFf/LT3JFiU+uS5nmoAKJF0w5u5O1YY +-----END CERTIFICATE----- diff --git a/t/cert/ca-client-server/ca.key b/t/cert/ca-client-server/ca.key new file mode 100644 index 000000000..4c98e236c --- /dev/null +++ b/t/cert/ca-client-server/ca.key 
@@ -0,0 +1,30 @@ +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDgQIeyaHYkkMvlQCAggA +MBQGCCqGSIb3DQMHBAiAPxNz0HpLxQSCBMh8p/EASfeEFeHqX4ZYiIwBRnGvX5PB +jTCxNQkBeDB5OP+3LS0jNIpr8ynEYCER6cCo46PUve0oWqszItfoOgZ0yAaiak4h +k/foVMX8WSDN+9yMYRfF0T1ia6yvJDxJYneVt+azF5a5Mz3PdGuz9CKdgU0+9gMY +AnW35Imx0lp7R+qa23fmDDGFbFaBvyAymCyF/nE1yq7Y4HrmxQxM9ZgB+1HO2Xff +PHlU+M+bH66P7MkoQmwMourWP0DT5OuWUppjN5DMz5FejdzdWtkJ8ZHfnm1t0J0w +/o+xjKzbCmODKLBGSrig5Wy0wBN1aseHModNBBiYX/hcuYjdl8smlewtpD5mxm6L +fgjxW7/q1aut3bTtK1wLI4UY/exj06umYzNqcS3Uv9rDEOJHen/yfXzOiWz5onBr +Cl6WPN5+SiAT1buRRY7G3HDmur2ehA9FDWz+5udMfwQFFc+qHJCDnzcymE64yOVe +YL5fJNyubysAERx2RA/HaqjP7gLyx3YjZSEmsta1esu6zYreNlrBSrulRwKa/vBN +CsKDsHl+zSSzyT8nuZVBCWKgUvzpndCyrQ7DnBiiNZHdbFeT5FMd+Px77RNSI+4P +ga5r/ksDUHY/OYQILGwrG5fpUE9Ag1VId+FhkHJXcQD58YyYvwysBpeQnnc/cQDV +yl1q6RL7J4sJbZTLATTUnsqDXg88p+4/mVEdCF2KxLl/mnc80UQ/GZ375y43y5Du +RqZBaTt6HWsp9m7Q/zi/6F4mKP3JjaGwVny8VWftB5Wcd+p2LeR0xq7uuUo70mwA +rtgZFqIuzio5xQK3u+GxOGAk8G9SMzt4BeQeAnh9Q9sL1nbNdX60SaXZRhVeXxeQ +1ISW0JOqhCgL2Zp0Gro8uDLe4S6DlOXMVlh1PBp5oAI9yJeexnCFLYN8lAuM1iq0 +KwrVEEzlhBc+VlqDeP66sKfE8nXKPH6iWSguiTn9ydXFU8Y+osr9g5s9z86L4smn +RjiXH9h1DbgMh+3wROCmLQ9Zl8Gdcf5T5JjiDwsn0BWeSOePjJ2Utg9XUOZnU6Ze +AEqI14bSNBSdjIrfhJsbxVshYkuySNKzBIX4fO483BTsQQRO+KtFMxlVHvCLAy6g +pyeHtaouThNqGysYPoqDnUqhVKiVc/bD+0DyU4sXDXkqW4ooHfH/ubicAYbj0aFl +4rpQQowNPJ7Cb2/ksHL/Wr9AZSCtyDseaM9wNW+6FEg/GaCdDr66j0SGfrN1rmmo +yeFamnsdyqXhrKGq2aStUslW6ZL+lWJJVMLqZ1Ebbc6MqTdulfv/mf9mtlEKDHJy +uKcQOo7dmoOiQpV+BEEpJlQeIMm5fGLecqxQ5+r1szFKhEKeAEDemqn/ch/MZMS2 +4kDgnM7lWZMPCaE2Rnso/BqDgkzKyZl3clYw2K16Tp69iEOGHpVtNfIXj5XFZCqy +33V0LgDYcGVJVIR3fF7zeXCkJ3cYwG0LOxzP2HzrOgZ6OShPZ8o7yfZTctJs0N86 +AvqegXEtmPoHID7lsZyITzl9b8CsqnkzpL1+9Z2HyRCTcGJUxsYJ1LrKiinXO3hN +XNuKfkx5Ku8AaoBAsnWN7o5wxv774MoWgXKYHnSChu+tPgMQZKn9mBlmx6HsjYXK +dk8= +-----END ENCRYPTED PRIVATE KEY----- 
diff --git a/t/cert/ca-client-server/client.cer b/t/cert/ca-client-server/client.cer new file mode 100644 index 000000000..5de531e80 --- /dev/null +++ b/t/cert/ca-client-server/client.cer @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC5jCCAc4CAQEwDQYJKoZIhvcNAQELBQAwDTELMAkGA1UEAwwCY2EwIBcNMTcw +MjE5MTUxNjA1WhgPMjEwMTAxMjAxNTE2MDVaMGMxCzAJBgNVBAYTAlVTMRMwEQYD +VQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3MRYwFAYDVQQK +DA1PcGVuUmVzdHkgSW5jMQ8wDQYDVQQDDAZjbGllbnQwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQDn54uRvvZ+pNcX7pLcyWgLtuvLSyOy2yx7D7eaf7zc +18fekOKSOmCMkGsbaB+Q5G1TmQa4B/79ajpu8xSxVPNyiRbKv+c8dNhfCBVglHmB +VbnULLQxpAYWUG865QCpbqap1sa5VDPWG9wISCSGLbVOpF7cU7FKFRqW1j+kwM5y +D6HQ0bZaM6eVMoNTiVzLOw8AjoEMlF9JvYjCQ++UkNl2/vvlqg92suv+YmAUVMHG +jcz3yZ86djj4LcvJkAskgwgHf8uzeyiqe8aWHOXFvIbpa3YY8XEZBusePvkNFhBy +VJDi4T2sHTNqOuzNwSG90L8bwNp9REGYP9YW6ZoBTibXAgMBAAEwDQYJKoZIhvcN +AQELBQADggEBAKaqvxiiT87tnsMkXMbUlYwPm1ku4vi38lANEakTEkxnyMoxRNla +gdy/lQ3+YSL7XdLZ6mBwfFSNDBy9PN+rzEWZyXS1kJKp3MAvbJcIjp2+Zzwnc/2d +5iZzITrUg6Lx2X99GHNamOCidnQXR4ifGauVvG14g8nVAiHbKnXNyZn3qptPSAXm +YLidPBeDVtF9vnF8VmajLBmCxklIxo30E1HhuZNZsViKeJsH85Y8GYyYJeA/WaJs +pzOSesQQCJGYtHwyTJVEnqP3EJq+wcj+JaezVP++NeyfqxjeHAJZElqf0k3QBhWt +yk6Mo8iri3milOUQOokidQhMZ49wtnelu7o= +-----END CERTIFICATE----- diff --git a/t/cert/ca-client-server/client.crt b/t/cert/ca-client-server/client.crt new file mode 100644 index 000000000..5de531e80 --- /dev/null +++ b/t/cert/ca-client-server/client.crt 
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC5jCCAc4CAQEwDQYJKoZIhvcNAQELBQAwDTELMAkGA1UEAwwCY2EwIBcNMTcw +MjE5MTUxNjA1WhgPMjEwMTAxMjAxNTE2MDVaMGMxCzAJBgNVBAYTAlVTMRMwEQYD +VQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3MRYwFAYDVQQK +DA1PcGVuUmVzdHkgSW5jMQ8wDQYDVQQDDAZjbGllbnQwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQDn54uRvvZ+pNcX7pLcyWgLtuvLSyOy2yx7D7eaf7zc +18fekOKSOmCMkGsbaB+Q5G1TmQa4B/79ajpu8xSxVPNyiRbKv+c8dNhfCBVglHmB +VbnULLQxpAYWUG865QCpbqap1sa5VDPWG9wISCSGLbVOpF7cU7FKFRqW1j+kwM5y +D6HQ0bZaM6eVMoNTiVzLOw8AjoEMlF9JvYjCQ++UkNl2/vvlqg92suv+YmAUVMHG +jcz3yZ86djj4LcvJkAskgwgHf8uzeyiqe8aWHOXFvIbpa3YY8XEZBusePvkNFhBy +VJDi4T2sHTNqOuzNwSG90L8bwNp9REGYP9YW6ZoBTibXAgMBAAEwDQYJKoZIhvcN +AQELBQADggEBAKaqvxiiT87tnsMkXMbUlYwPm1ku4vi38lANEakTEkxnyMoxRNla +gdy/lQ3+YSL7XdLZ6mBwfFSNDBy9PN+rzEWZyXS1kJKp3MAvbJcIjp2+Zzwnc/2d +5iZzITrUg6Lx2X99GHNamOCidnQXR4ifGauVvG14g8nVAiHbKnXNyZn3qptPSAXm +YLidPBeDVtF9vnF8VmajLBmCxklIxo30E1HhuZNZsViKeJsH85Y8GYyYJeA/WaJs +pzOSesQQCJGYtHwyTJVEnqP3EJq+wcj+JaezVP++NeyfqxjeHAJZElqf0k3QBhWt +yk6Mo8iri3milOUQOokidQhMZ49wtnelu7o= +-----END CERTIFICATE----- diff --git a/t/cert/ca-client-server/client.csr b/t/cert/ca-client-server/client.csr new file mode 100644 index 000000000..1cb7db1f8 --- /dev/null +++ b/t/cert/ca-client-server/client.csr 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICqDCCAZACAQAwYzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWEx +FjAUBgNVBAcMDU1vdW50YWluIFZpZXcxFjAUBgNVBAoMDU9wZW5SZXN0eSBJbmMx +DzANBgNVBAMMBmNsaWVudDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AOfni5G+9n6k1xfuktzJaAu268tLI7LbLHsPt5p/vNzXx96Q4pI6YIyQaxtoH5Dk +bVOZBrgH/v1qOm7zFLFU83KJFsq/5zx02F8IFWCUeYFVudQstDGkBhZQbzrlAKlu +pqnWxrlUM9Yb3AhIJIYttU6kXtxTsUoVGpbWP6TAznIPodDRtlozp5Uyg1OJXMs7 +DwCOgQyUX0m9iMJD75SQ2Xb+++WqD3ay6/5iYBRUwcaNzPfJnzp2OPgty8mQCySD +CAd/y7N7KKp7xpYc5cW8hulrdhjxcRkG6x4++Q0WEHJUkOLhPawdM2o67M3BIb3Q +vxvA2n1EQZg/1hbpmgFOJtcCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQB7hFKK +OJw3pyRJmS7CCpY3ZA2V9MdrONdKVaAGCCp8RiOplixHCr1tIXjaOCpv1EVA2+Ne +UvOFCsDTWUQm3OHocyIiz6jlClzcY0iGqHWjz4CBqe1ZefQ9tPpH6YfXj//G1rb0 +Nvo8mjI4IvzJUm+63VFUYPHMoVu81KCZtIlI4m8gU1ErTDTt2FSrv8ZOfbYpGQ7g +R4XnZfAgLlfnLdkg0NDnWNlcyWen8HcImW7GthvNG4fHLe19eaZnzYX67xg/jCxq +MSOuZukAi/z2wZV/w24QO9YrQBkuWaugv7DoYnokOk0zEpifii/deKSgSrFe8Xqn +YOcXEnskm0YqxoBJ +-----END CERTIFICATE REQUEST----- diff --git a/t/cert/ca-client-server/client.key b/t/cert/ca-client-server/client.key new file mode 100644 index 000000000..41bcad398 --- /dev/null +++ b/t/cert/ca-client-server/client.key 
@@ -0,0 +1,30 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: DES-EDE3-CBC,61C44F36123FA0E6 + +u9eMJqZr0XGsWx00JhOL/iZmnPZftVq0cCkrz7YWRwAEFTf7AV1HKVC6DhOFGDBL +mJLMlbXTxWo3pai012QJAkjUnXfa/DB5KnnUiRMu57mgYc27Hik9R968QbAjKT8E +4O3t6LayGkLGwoH8Hh9/V5HgDdFRnQLJsgVLkDOmv4TiybZ/1fV1ON8Mar5ThNiK +Rxr1k047nLP4STSm6RshTWe55Nbm5h4DBR5jk2REV6JneCDxx7Mdh+LyzKIiVGlO +TI5L3bGaBXVv5+/9B+dW/CFOsteG342VmtEoJYqJXe1lDkfMc3RD66pGQe450r6e +exmwZl0yCIjD1xxBFQE8qYWsQqtg65v9APN3eijaga6a8MImvpptbSdE15SitR7y +vgl5g0CdvVoAFPsBFFwlsUQZex2Q7BR1kw1nwUibYzDUjIdhTr50k7GPaHT11GXs +D2jAYyB02sfT1VXZaVYzOPTKvqv3BBaBjr8+5zoV/9VHPLVcaAq5SIeLjd1t9FWZ +NR0jmiaSTN7sSjtFK0KUmTqzoPpHk4oujPbklwFRJXc+r9eAkRmlIvM0gMv8kkF/ +gsH4OiZBvE7AivFrtizTdco4PdAhqZ0cRm1+3Tjks4zoD67OkeD6n05hPqqms8fC +mIOnyGNLywwz0G5QwpO+9xXUvu6QueqmYTgy5uDZmjO0rnyUyYfUbMix6J4qkaMs +y4Q37udBbSAdLkIFw7LF34VvBUmGpXKKrvtm+bt5wYfa/91EYe7lW/72elZQ4S5z +ty7zxaTUFlI+E4kLZeO02EKtkeNImX/X3bYmH1DkjH/SuRgpxCgbbbd24AQLLugO +VRt+E54J/JsIDLl9Mv6FwKXB/GY+3NEsOzlsdPCEJlY5UyGkoRmg9zDlpVjCYRop +OIxg0nSTaf8n9cPK3Jv9OxFkMVPrbJpHCLlN591CYFDne0uiuJ6BAmhM0f67y0On +ejxv0N4yG7BrmeVTygA0f1QuiRXwqFK4IuAH/B0psc+UlrRVOSNPSMrvcS/GGXqr +VX+9e9exV8V3vRcywd/wnN905c/XPLZ6+I0nH0DqwFDHbpW9QD7KcoUsdk2Lk/ns +87gX+LYrCq2Psolf25dVV7VUquXUrvUByfL2O31qg7IQS8aehYec7snHijYWY+RW +fiuF6rckB+4euye2SGY+7qeyFIbdJq1y32TKI30aDKLTprbx1wGk6EFtVGloeRd+ +BP80ExwLDkxo7n+VSsaAyvXAg7sIu4Gc3VBo5k0ZBT/gWgaceWsn8yXnDinTlVaE +t8dT5WaPJQCU86xUoGhddrO1DloZMyoWp42pM3sCZoWvR+MtO/xHQKVVmfg4suT/ +9nYJbJBc/YJ04Yc4GdnDmtPJH29gLbOewEgdyVmmpsEG4Aw3Dh12/ls5FAEcD7zV +ToZoYaOC+TABmemNtIxuJ/HBa7GKvopEhbZbgoNvRYv+5XNxH3JvSrj9kW0t3h9R +06cMKyNpX3wuosLMHWWoyBDkwoK+Ir78TgKF8iB11IPssIoe23oUV6/tt5NdPMh+ +s61D6fUHZtPN9ZyIgnI0ewQZdnbnG/M6hn7/kb8PEeLmIQquW2EfWr9+2LGzQN5Y +-----END RSA PRIVATE KEY----- 
diff --git a/t/cert/ca-client-server/client.p12 b/t/cert/ca-client-server/client.p12 new file mode 100644 index 0000000000000000000000000000000000000000..dfacf68ab0dc463707fb4a9dec910d20b1ee18b8 GIT binary patch literal 2349 zcmV+|3DWj3f(a=C0Ru3C2=4|7Duzgg_YDCD0ic2i-~@sQ+%SR&*f4?vj|K@UhDe6@ z4FLxRpn?N{FoFYo0s#Opf&+C12`Yw2hW8Bt2LUh~1_~;MNQUvvGf+pS)4qG2kVh}|Qs zR0ADCeR+C({&X{IaWKxykd(eVWQ48Qxgo>V{}MlY6HapTuUO;iE{Yg-af<02IcNyD z<8Guo_TgR0z|9IzRFa#@rQE88#Rv(GYN?cU>r?4|kvuh@s}zZaR6#m)tGAL*~IE|F&rCN40x=bzYF} zkhNbaGBDxx7T9JsXO=k%-xt7JVUy~aT%v;v%AiZJn=rIyM0QEn$F*(4uYp~830Jv} z?_b>WK@ruhBR~fom$iU3pAP~>9?)RImI`X7hz}Gm2B2WsN=UjMKQ2dsJgLzjCyP}3 zR}0E<0PSNWZq2?tXOX-8Kw`=qNO??!C`8?I6!I|x#1WzwvlW7Zs+^dZwgZ~R^ASNW}!UB=DDYeIh3Xyw*!Bx z{gFW~U6jZW&k0U}V{;T)E%UqC$2JhbZT#`M*l$_>%m|Cj^YEsdyPQgWw z^u~$`A5J_~;&NP9Gff0n6^fvL@2YlXM@5$h#GnV}WI@V}felQ9!#9+Y|E)S^>l7=5 zmP^7F31THx!&c$FZf_)vc9Bl@Sjxv);MX>$nSwW@yF10)AG;pJl%Zi(|BR|J9d$-b zOVBCddoHPB?I2_$s=gj}#22-EG9|`haFRx>y~THzPIIl4@}*7y9r`#VVbGP%B={2P zsP9XP;?x=D$**z$V2MDEf4}&iFoFd^1_>&LNQUTgnaN27m8=4K-y=%%Wm@CftxkB?=hIsdjssY5)EIvos(NxOsS4+C=DxqHTDw z9gS+5DK_rxW2(IC{i5Q)7DnD};ULOnj{3h6mh5g3h6eeydg89dCcTSS`!B2IX{SNDEm*lRFtO#_TmU1!OrPrW2Zvs4$xdD zaOr$~5Oq{!6kC?{I#^+OLdw?@U{Zh}`tMn9n9@ zYT934Ud~}odgIbl%|eLjns~}+m?(R7TijA|odtbI4xFfQ=}kIX6o^=h=L&soZ!F%& zD~VmMStVhS%C&m;pQ!%jxPW8LRt5Zb?D?7HR<+e$mB>F*8ji!CwzHhb{Eb+hwg(Mqofa&HStPt|ZSf&ghI>oUDI>%=O{#BW^Tr0WrtwXBPLE0?RKT@cfvb2#;!93s4Av6D6V!`%U-CFEyjpkE^RI$ch3VmCjpCBmkz#hd$ z?4Lx_IgwueEXZ9oCeHjqfCinue5X1bh0ONH`s1k-vwL>!$TO5S60TgWdVa|`vQ*9n zJ%+#!fd#msiGOF&o6$dovJv3v-pEVS&>++|M1e}1A43o}rHO?<$F4dNdy5+im{v14 zoxzB?81Qf^7EG&t!OrvxRA-`s4!Hrvg>URTAG8$1t|OaMHtr0WPlEuhv zOnrxQtX^1S8fX5^Ljqgo@8PwLgp5LpHN?w}y4@I_kmTT9ticrM_{LWkM?;_98+2h- z2Gj{tTrqwN$V26Govm70AExl zb_uQ32|}s>&cUm6p-AXNJYWKhCw23(-lTn1bsvgjJSrtTjEltDg0VV;sW&PDf*gDg z#=7g|FAALi#Ec;X;o&*AG9GU|2)y4?KW;z@0s;sCn+{#< literal 0 HcmV?d00001 
diff --git a/t/cert/ca-client-server/client.pfx b/t/cert/ca-client-server/client.pfx new file mode 100644 index 0000000000000000000000000000000000000000..2ac10de8c5fffeaa14822d728e825df6eb68fffb GIT binary patch literal 2349 zcmY+Ec{me}AICR447snOrpU1|=IEF+ll$0L62giKqa4$U+?$ORmiwrL4hf~(m1Yt# zN1G^N61g(Ig^AIxp6B=beSg0{KF{ZQUhn65|Mz;M$zli*AP7x{EkebRGzXeM5-18R zBg4kQWZ1}W`~gh{G5(35Wn@tDZxk;A1pI!ae-a>iCsh334cmZFv=kVoFcA2{IJ{h6 zL<9y%CW9QJw`xoE^UMg4J?Cs$%rV>6_|X@HBmQ&UlfjPp{H1AA+;pY9N5O+ZdZ?pS zXy8u+%QHil?$W}z(K4126*G%khs>@^7t(hVTf8hoVz22`Vy~Z zoSvq{RP9n2`Xs5{t;EhpVcmKw6&{oe0qi+#nU2c=-sKk$_|$aV&$ARfU{yi1Xu4iV){wZ_rCtDpS4}<(|(O*ym-Y*0frcpZ|vy1J_$LcT3Q7U z5j;z>=;h7Epo+&O)mJU0Z7N~~mzm{puG%}H=8Q+OUS|5nqx-_VG+W)^kaKOOq+Me0 zA*6dh;2vP`yHcKccDe0@V%HcsN)laz)6>3lJ965fF~sS5)7wbhe8MT1%WYn0+eJve zw8``0XxW5OtGpmX%-P28yjx|_-C3==+uRLMl3zwHdD(WJ@fcaORE znxb2evgQfYW}b9_U2IXvm(#ECxu}h;q~5rx@UB?!^4S6V2>GBB{d-kdW1QmassVn> z5AzIxF9ktwu@(lIq_af0%^sh?O0yQMS}O9RdX1-%bxrjBD-rRB%6B*z33ZPet@H7< zlmJ`=-(vBuEX`%(N_6(q=Bpbt=@Mk$hUovs$ls?0mH3Z_;y{ryGMJAhgXjLwPS77a zJ)Vz3%_Hkn|JVs8gF9i}z0VnUL=6rHSH0K6-W|3+B zmW0=lNYvoP!eq}~zI_N>ymZ_Wy|Af%g@gOjV;+EQXKzwZ76OQlBs0ZGIE`^1pHA%D zP^MV>vs_2!D!DVMpw`=`iy4oPSBs80)q4Ce?3ivZ@sTIX%JX)t5%%~yd!rQ!Pp5D% zyzSzwsPg>y3YYMsk0b|Cngij9GP=JZFcolkD5;ysT~wc+4FF?dSi1u zWJcnJ{lfJYvN(GwG?%?=wy<2xYSncZdVU4w9rQtg!nP-R8x3=<|DLK(i4LCCVQFv= z^o(IKPVB$Gr;md6?UfuEJ*LnRG1WN5?IxFrayTPG3FS zVZ=pbzK`NC`8PEVd(c=cC6)d%w({wFvJ5v#D3M|l5?k|xV&aGzK51t`D_|Sz%Bu%cGISST;@Yl{`yp&QmYoI$vpQ}CHr3w4dXWel zkAq@sm64DKR@J+fVM{YZ1OwL9egk5#A`f4YJBi9H`68an!D)|%Az|MR*}ncE^h5L? 
zWMIs*by631+-7pyKXp;)VWH4?NC5Vr#+?{n6|mgR@S2KI1pgHa(Jj4@sG*vpmFTTp zG=7XO09;V-v^cy#DK&>S8>CPa@*)J9rF}Lr3-cEiFHAl>Sye6?d?|6685-D#faOoS z4sWYzxj(g=iy6>)KtO;s1P$90PO@ly!)K;4k#CnEk-T8W6=}E*i*!{l0#;Y2`{_iV zxZ2RUZv7Yy{5Oq#vrK-*o%z@Bt1*IfQ7=Abf7&oF%}cB3eXY`Z4S6c_;u&AkJKpd+q@LVoue1WmG?TXuO&P*~+9SonhNW$5QSdg2 zgyB)TTL=Ke;;XC5`mS_%b{6;_a)0zPSUUc`CA-GmnJ{EEVs)~6QJACdFJF5c z$Xu{ZS@U=FqI>-K5q|83u=HqDqnF`LRDDB|p>~S1;kD{{)=U~ZF3a+R6eZYV0!8AT zbp?5+->u5(jKPd!noiFKzj{N}YVIuY1uX=-*?-+p6*e^uDiTFeMaZ()b&mQ*Rj3e_ z5(yZ>P~Wb{$bD{gx1YPETwCii*>krB)tGCcp+>_esbX7^yr8GrYSnB;+`}JpN!M)U z+!yeh868|?Cw=!a$*gnd19($5aw(8i}5MSj}C|xi2_|J52rm!JC^anfQV3;c3zyi{ULC5@J;w- z=fh&(l1iY;@I2fy$R{XNXcNU(OjNz>Suj6QN7?>s6tq91wx}Xai_y;?T!*>LwyV{6 z6`s#el7FR#u`%{YlpfoXVbsQ%#KKvMsYr%H=~NO9Wi8KlyzGPz2m%GX)KNQk+wm$S_fzywg9{|I8 P08b{{6^h3HtmMA{5Ku@9 literal 0 HcmV?d00001 diff --git a/t/cert/ca-client-server/client.unsecure.key b/t/cert/ca-client-server/client.unsecure.key new file mode 100644 index 000000000..65413413c --- /dev/null +++ b/t/cert/ca-client-server/client.unsecure.key 
@@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpAIBAAKCAQEA5+eLkb72fqTXF+6S3MloC7bry0sjstssew+3mn+83NfH3pDi +kjpgjJBrG2gfkORtU5kGuAf+/Wo6bvMUsVTzcokWyr/nPHTYXwgVYJR5gVW51Cy0 +MaQGFlBvOuUAqW6mqdbGuVQz1hvcCEgkhi21TqRe3FOxShUaltY/pMDOcg+h0NG2 +WjOnlTKDU4lcyzsPAI6BDJRfSb2IwkPvlJDZdv775aoPdrLr/mJgFFTBxo3M98mf +OnY4+C3LyZALJIMIB3/Ls3soqnvGlhzlxbyG6Wt2GPFxGQbrHj75DRYQclSQ4uE9 +rB0zajrszcEhvdC/G8DafURBmD/WFumaAU4m1wIDAQABAoIBAQDYgTqzYiZ9C+Zo +SGrCSCKkNS2kiU0V0TuQ1JakXjdzsty9tGRjAq9a7AWi+63ktu4+ivJT49syufc9 +2CFsgZQbTVODDHCU572N010p4tQhZGhuZyH/6lNoh8WgpWXdyRk+HO9A3RTcAvyE +mt3Gi2vmtNx/NH+jW1qMkg+u//Z9UsXXUYodhTr2Q5VS78Z9RETYA584B72wVRCj +QWdIqzCx/Qt6AHoc4waZq/5q7G+4+dMyBfwi/TLySADETdkuDYHx/2l14Zw7uN2f +nf1AMJn74x3Z/B58U03PWyTmygfy+KzvI/0Ghb0I9f3NMQrosxWvzExan1F1LX/x +uK4EyfQhAoGBAPVSeL2mGQ6/JDQ8RNGRxZIPFmpMX1YSBykzY9cQDekJoMxTlblJ +zWCtK6ImW+GO2x5N7t48Zg3Z5TzKQ9p45RJ0EUyF3xQFJ7ybRvgPbrrjjcHzPtIS +gBpZWfGT6VnrUNl5tEVQuGMoVEV9E0yXIxQAD9kXXBMn8eq4uTn5xwixAoGBAPH/ +kMsEkMkYzj+7uqUNY7jh61ZJayHtn2HUJWKhC2qlb14hXbHc3BcnLbZfocuJ0eLV +tweqP0oNkpc0fabXJRMBF/cEF1vF4S+UZ1/bH74a0swJo8Y3KJP2yQUsImVx7baI +cGdLYv25/9RzpDaOclQuY9Jtr7roORyYqH/wZgoHAoGAUyU0jvJwo7Lczmdu26iQ +UcSTUEu6NC3AB5LHT+i9DjKZMSdTI42D8jQ/CaH+miAU29yGDQRjgmZLb6MOBEnd +Obfk9Q6aYOquYRovn3t7iBP/w7Bxpjlm+Yc3GM2M1VEQAeVh1+xX0iOlDDgsBlVj +KjArLuTf7A4py+f3v1KMxsECgYBgDOvPaLR+3NWf/kcKk9Hs496glOtsv//uuGFO +UFVTsu4NEnk5y0uf9PDz3ek9/CnOOr020Z/lKJXyZecpfWM9s8VrSbhruJK0a9bL ++REUR1k7mufiGKqGcAFBiE7urNWJCYZzuTxFMLoV/QBEly1RtEfykY6aROnGK+FV +Rnl5qQKBgQDHVOPc7IvA7/SsscP82HJZBAczONY+zCM6TLIhmdfZIcqqmTaqgYoI +Y9lF5t2PJ+QjpKIl5QzFwpu/wJT5WOB2FkfEpO/hEu/YnEz28onYzftV2t5SecU9 +8CREZyO+1bxvQsBLOTR/QhHNnWPDPzwvgeCXUAY1U4+KVAzFJ3Yhjw== +-----END RSA PRIVATE KEY----- diff --git a/t/cert/ca-client-server/ecc-server.crt b/t/cert/ca-client-server/ecc-server.crt new file mode 100644 index 000000000..c7be93d97 --- /dev/null +++ b/t/cert/ca-client-server/ecc-server.crt 
@@ -0,0 +1,14 @@ +-----BEGIN CERTIFICATE----- +MIICHzCCAQcCAQMwDQYJKoZIhvcNAQELBQAwDTELMAkGA1UEAwwCY2EwIBcNMTcw +MjE5MTUxNjA1WhgPMjEwMTAxMjAxNTE2MDVaMGcxCzAJBgNVBAYTAlVTMRMwEQYD +VQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3MRYwFAYDVQQK +DA1PcGVuUmVzdHkgSW5jMRMwEQYDVQQDDAplY2Mtc2VydmVyMFkwEwYHKoZIzj0C +AQYIKoZIzj0DAQcDQgAEUNRTepuYaeMvMz674huSqWnV1B4jJzR2hsim9TxogBE8 +cK17NSvFYTwNRdRD14spdFTJen8eD2n40rBMdmHzWTANBgkqhkiG9w0BAQsFAAOC +AQEAg7yt0M4My7VVWdE1sZe0kzWIinCIa+s2hptNNK9iwxkWh5xvr4Et0fnB1s7X +YKEc968t3488hKxMe0jC5H9pa8p4QN5eLcdpj413Qzj12RBS/Mt1jnrYJelTLSX9 +cUU2ym9spHOekhZApSGG6OJjtM97wQLb8a0PR5yxaRD8kCVBzJnOjiTU0+LMQf9s +5JKly7ZGtNYx50WVHU+nOSX1w/Q8p6aAA84qom1+uVo2wCqWyMtLFF2W+yougRqy +gDnO+8G4OYI0FhkR/9TNyzHD6pNSFl28GFWmWA1BgPiHFvwbOuqzB0e0GSxjQGRC +4ZZ7ZDLy7Jz3pWa00yt7tCBlYg== +-----END CERTIFICATE----- diff --git a/t/cert/ca-client-server/ecc-server.csr b/t/cert/ca-client-server/ecc-server.csr new file mode 100644 index 000000000..3852c0bac --- /dev/null +++ b/t/cert/ca-client-server/ecc-server.csr @@ -0,0 +1,9 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIIBITCByQIBADBnMQswCQYDVQQGEwJVUzETMBEGA1UECAwKQ2FsaWZvcm5pYTEW +MBQGA1UEBwwNTW91bnRhaW4gVmlldzEWMBQGA1UECgwNT3BlblJlc3R5IEluYzET +MBEGA1UEAwwKZWNjLXNlcnZlcjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABFDU +U3qbmGnjLzM+u+Ibkqlp1dQeIyc0dobIpvU8aIARPHCtezUrxWE8DUXUQ9eLKXRU +yXp/Hg9p+NKwTHZh81mgADAKBggqhkjOPQQDAgNHADBEAiAStgXb9WVJD54T3Ekp +sHxLtcS41iyewWCU/xT+Yfw6UAIgAMDy6h6570z0MQ2ByniYyqqPgxz1r3bZ+l7w +MFLhJeM= +-----END CERTIFICATE REQUEST----- diff --git a/t/cert/ca-client-server/ecc-server.key b/t/cert/ca-client-server/ecc-server.key new file mode 100644 index 000000000..4f2f1f05a --- /dev/null +++ b/t/cert/ca-client-server/ecc-server.key @@ -0,0 +1,5 @@ +-----BEGIN EC PRIVATE KEY----- +MHcCAQEEIGlMlfAxa97Uxdk1/WdP9eWjNrR/tX0MCGpLY89pLfVGoAoGCCqGSM49 +AwEHoUQDQgAEUNRTepuYaeMvMz674huSqWnV1B4jJzR2hsim9TxogBE8cK17NSvF +YTwNRdRD14spdFTJen8eD2n40rBMdmHzWQ== +-----END EC PRIVATE KEY----- 
diff --git a/t/cert/ca-client-server/generate-cert.sh b/t/cert/ca-client-server/generate-cert.sh
new file mode 100755
index 000000000..95f27b838
--- /dev/null
+++ b/t/cert/ca-client-server/generate-cert.sh
@@ -0,0 +1,39 @@
+#! /bin/bash
+
+cd "$( dirname "${BASH_SOURCE[0]}" )"
+
+SUBJECT="/C=US/ST=California/L=Mountain View/O=OpenResty Inc"
+
+PASSWORD=${PASSWORD:-openresty}
+
+# Server key、no password key、csr
+openssl genrsa -des3 -passout "pass:$PASSWORD" -out server.key 2048
+openssl rsa -passin "pass:$PASSWORD" -in server.key -out server.unsecure.key
+openssl req -passin "pass:$PASSWORD" -new -subj "$SUBJECT/CN=server" -key server.key -out server.csr
+
+# Server ecc-key、csr
+openssl ecparam -genkey -name secp256r1 | openssl ec -out ecc-server.key
+openssl req -passin "pass:$PASSWORD" -new -subj "$SUBJECT/CN=ecc-server" -key ecc-server.key -out ecc-server.csr
+
+# Client key、no password key、csr
+openssl genrsa -des3 -passout "pass:$PASSWORD" -out client.key 2048
+openssl rsa -passin "pass:$PASSWORD" -in client.key -out client.unsecure.key
+openssl req -passin "pass:$PASSWORD" -new -subj "$SUBJECT/CN=client" -key client.key -out client.csr
+
+# CA key、crt
+openssl req -passin "pass:$PASSWORD" -passout "pass:$PASSWORD" -new -x509 -subj "$SUBJET/CN=ca" -keyout ca.key -out ca.crt
+
+# Client key、Server key、 ECC-Server key
+openssl x509 -req -sha256 -days 30650 -passin "pass:$PASSWORD" -in client.csr -CA ca.crt -CAkey ca.key -set_serial 1 -out client.crt
+openssl x509 -req -sha256 -days 30650 -passin "pass:$PASSWORD" -in server.csr -CA ca.crt -CAkey ca.key -set_serial 2 -out server.crt
+openssl x509 -req -sha256 -days 30650 -passin "pass:$PASSWORD" -in ecc-server.csr -CA ca.crt -CAkey ca.key -set_serial 3 -out ecc-server.crt
+
+# Client p12、pfx
+openssl pkcs12 -passin "pass:$PASSWORD" -passout "pass:$PASSWORD" -export -clcerts -in client.crt -inkey client.key -out client.p12
+openssl pkcs12 -passin "pass:$PASSWORD" -passout "pass:$PASSWORD" -export -in client.crt -inkey client.key -out client.pfx
+
+# Client cer、Server cer、ECC-server cer
+openssl x509 -in client.crt -out client.cer
+openssl x509 -in server.crt -out server.cer
+openssl x509 -in ecc-server.crt -out ecc-server.crt
+
diff --git a/t/cert/ca-client-server/server.cer b/t/cert/ca-client-server/server.cer
new file mode 100644
index 000000000..449486634
--- /dev/null
+++ b/t/cert/ca-client-server/server.cer
@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC5jCCAc4CAQIwDQYJKoZIhvcNAQELBQAwDTELMAkGA1UEAwwCY2EwIBcNMTcw
+MjE5MTUxNjA1WhgPMjEwMTAxMjAxNTE2MDVaMGMxCzAJBgNVBAYTAlVTMRMwEQYD
+VQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3MRYwFAYDVQQK
+DA1PcGVuUmVzdHkgSW5jMQ8wDQYDVQQDDAZzZXJ2ZXIwggEiMA0GCSqGSIb3DQEB
+AQUAA4IBDwAwggEKAoIBAQDoFbQMPAsAZT+1E2KVZXtrR1ry1TtjKRupxJZ/jmGo
+XDH85t5DADrc+x0qGnfzSzJD5YpAMmCzvhkum8HARaeFxGgGIJt4mm7yGtCoLZbm
+/c5ZzHJ2UtGpm3+Yh9Q7WM71ESBB1VLuAdec1WvpUZrCfXthZ+xnQlWYgd3TPpAt
+Qez57Smp2fiTzpqjcYBc8ihuAHlhsqXX0lmjM8Mul8/F5qHqUKDkiNwQFuymL0v8
+m0vtU4ZrINFedHFHmFRnAZ5FlJKBC9WZ7N4+CvgQFGye35QNBAokJO8hRQDd1AIT
+qlkUI2uNuXYGiOep9iA159D6u+g9+j71z3BoOOntxdErAgMBAAEwDQYJKoZIhvcN
+AQELBQADggEBACg7t1KNy0AbYcvBJkwHBQ9sgVCDgAaLI80sDEZmEHZXTIH8pw4S
+ZoJrgteux/ZOM5rGQj58lIRa9eam6fGb7TzY+/OqdjQIZZhnllhQxlqmf5aV8UH9
+uGPvixWGJi+1wZU+faF4akFkoaA+tnvC8IGaTZ5hWbE3ZhpCaSD3NgrVDOUMuDcH
+AbqOpg0JxWQ8AafPNT0d9vzUD8+pUc4nDYVNmPkX0iJa0ToD5RuHZiuytf33joG4
+mpszJ7MfzEYmsNfO92VJLDN40p2SOgc6GcXwFG9z6g9NRy7bmyX8ZWz8UHdgq0zZ
+WIR0t7kCVGxlFu24eA+nmiTRKBRkX8iIX10=
+-----END CERTIFICATE-----
diff --git a/t/cert/ca-client-server/server.crt b/t/cert/ca-client-server/server.crt
new file mode 100644
index 000000000..449486634
--- /dev/null
+++ b/t/cert/ca-client-server/server.crt
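Review bot: The CA is the only certificate in this script issued without `-days`, so `openssl req -x509` falls back to its 30-day default; decoding the validity field of the committed ca.crt appears to confirm a 2017-02-19 to 2017-03-21 window, while the leaf certificates it signs get `-days 30650`, so `ssl_verify_client on` in the test server (which trusts ca.crt) will start rejecting the client certificate as soon as the CA has expired, and the fixtures will need regenerating. The same command references `$SUBJET` (typo for `$SUBJECT`), which is why the committed ca.crt carries a bare `CN=ca` subject. The last command overwrites its own input, `openssl x509 -in ecc-server.crt -out ecc-server.crt`, instead of producing `ecc-server.cer` like the two lines above it, which matches the absence of ecc-server.cer in the diffstat. The two lines should read `openssl req -passin "pass:$PASSWORD" -passout "pass:$PASSWORD" -new -x509 -days 30650 -subj "$SUBJECT/CN=ca" -keyout ca.key -out ca.crt` and `openssl x509 -in ecc-server.crt -out ecc-server.cer`; a `|| exit 1` on the `cd` line would also stop a failed directory change from scattering freshly generated keys into the caller's working directory.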
@@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC5jCCAc4CAQIwDQYJKoZIhvcNAQELBQAwDTELMAkGA1UEAwwCY2EwIBcNMTcw +MjE5MTUxNjA1WhgPMjEwMTAxMjAxNTE2MDVaMGMxCzAJBgNVBAYTAlVTMRMwEQYD +VQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1Nb3VudGFpbiBWaWV3MRYwFAYDVQQK +DA1PcGVuUmVzdHkgSW5jMQ8wDQYDVQQDDAZzZXJ2ZXIwggEiMA0GCSqGSIb3DQEB +AQUAA4IBDwAwggEKAoIBAQDoFbQMPAsAZT+1E2KVZXtrR1ry1TtjKRupxJZ/jmGo +XDH85t5DADrc+x0qGnfzSzJD5YpAMmCzvhkum8HARaeFxGgGIJt4mm7yGtCoLZbm +/c5ZzHJ2UtGpm3+Yh9Q7WM71ESBB1VLuAdec1WvpUZrCfXthZ+xnQlWYgd3TPpAt +Qez57Smp2fiTzpqjcYBc8ihuAHlhsqXX0lmjM8Mul8/F5qHqUKDkiNwQFuymL0v8 +m0vtU4ZrINFedHFHmFRnAZ5FlJKBC9WZ7N4+CvgQFGye35QNBAokJO8hRQDd1AIT +qlkUI2uNuXYGiOep9iA159D6u+g9+j71z3BoOOntxdErAgMBAAEwDQYJKoZIhvcN +AQELBQADggEBACg7t1KNy0AbYcvBJkwHBQ9sgVCDgAaLI80sDEZmEHZXTIH8pw4S +ZoJrgteux/ZOM5rGQj58lIRa9eam6fGb7TzY+/OqdjQIZZhnllhQxlqmf5aV8UH9 +uGPvixWGJi+1wZU+faF4akFkoaA+tnvC8IGaTZ5hWbE3ZhpCaSD3NgrVDOUMuDcH +AbqOpg0JxWQ8AafPNT0d9vzUD8+pUc4nDYVNmPkX0iJa0ToD5RuHZiuytf33joG4 +mpszJ7MfzEYmsNfO92VJLDN40p2SOgc6GcXwFG9z6g9NRy7bmyX8ZWz8UHdgq0zZ +WIR0t7kCVGxlFu24eA+nmiTRKBRkX8iIX10= +-----END CERTIFICATE----- diff --git a/t/cert/ca-client-server/server.csr b/t/cert/ca-client-server/server.csr new file mode 100644 index 000000000..000a03b49 --- /dev/null +++ b/t/cert/ca-client-server/server.csr 
@@ -0,0 +1,17 @@ +-----BEGIN CERTIFICATE REQUEST----- +MIICqDCCAZACAQAwYzELMAkGA1UEBhMCVVMxEzARBgNVBAgMCkNhbGlmb3JuaWEx +FjAUBgNVBAcMDU1vdW50YWluIFZpZXcxFjAUBgNVBAoMDU9wZW5SZXN0eSBJbmMx +DzANBgNVBAMMBnNlcnZlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB +AOgVtAw8CwBlP7UTYpVle2tHWvLVO2MpG6nEln+OYahcMfzm3kMAOtz7HSoad/NL +MkPlikAyYLO+GS6bwcBFp4XEaAYgm3iabvIa0Kgtlub9zlnMcnZS0ambf5iH1DtY +zvURIEHVUu4B15zVa+lRmsJ9e2Fn7GdCVZiB3dM+kC1B7PntKanZ+JPOmqNxgFzy +KG4AeWGypdfSWaMzwy6Xz8XmoepQoOSI3BAW7KYvS/ybS+1Thmsg0V50cUeYVGcB +nkWUkoEL1Zns3j4K+BAUbJ7flA0ECiQk7yFFAN3UAhOqWRQja425dgaI56n2IDXn +0Pq76D36PvXPcGg46e3F0SsCAwEAAaAAMA0GCSqGSIb3DQEBCwUAA4IBAQCkb18t +CB7P63L+2+tlGvpBs1Mhxkg98yEWE2uuxEgL7q+HmkLbIFVB+M/kLhJaPqPBhAkt +l+Cc6mUMpHL3S6XjU1oYxeHDoXqUEgZSQWPTxnyAxqVrFkKzaf2Mo+kmRpuPpECi +MyIDmuVMrBpYnGXTwdncxtmM9K/Fpsd+vR82Lc9H1uiNVtunsFtRoiaYYbIvO+03 +5Ie085kNQtJW3u9JiKJ6Ui9YhWMHV8m8yl9Rt1CVpz1dVant9UkvoacYnmtNC4An +tH2F14/zX4+pCkQbxX8R/GTZMtD36Esfp4czHiEfLl8/U2tUV1HBSkX96e3GEVPv +D2vxGL1kln7yulUS +-----END CERTIFICATE REQUEST----- diff --git a/t/cert/ca-client-server/server.key b/t/cert/ca-client-server/server.key new file mode 100644 index 000000000..2c5996fea --- /dev/null +++ b/t/cert/ca-client-server/server.key 
@@ -0,0 +1,30 @@ +-----BEGIN RSA PRIVATE KEY----- +Proc-Type: 4,ENCRYPTED +DEK-Info: DES-EDE3-CBC,7803FB947423C395 + +7TL3cH0trCVNY+DG+vsbA/kB0UldQ6AdUiGozXewCBGENVLwu95ngyB9WV7IFdO2 +78zg0FSYNgOwaGJLbfgNSxvJQete/k6eOvPe0iQtjlcM65oHqmSJVR3G4XOu0wPV +XdJtQfVO9KH2sg2cV0c9XGKJ9vSplldcfaEXbQ3k5Xcb5QLrGElelQ8XdTETI1Ql +iDDIrpkjVJPEhh+LESLMvQrAqEIs12BFe2zLT+MOocvUXSt9L/ljQvkqfj/0TOOA +5MdxCmO0Un1pbY8INGYR2K+zIx4zqQ4xxe5iDGOqv5XpYwXqsNKwbJvtU9eYSjot +1V5b/1IC4d2/B9cekBkrDnNHEPvUFzDuAwD5N8r291JgL1wHshk6o5sMx72xRoXc +fJ8pV6aAftxYvr9HzFVRs60kOrs099T+YTTkLXXfhi9mtfoi6Zu0Ykwo3ClOfhi+ +HmDSJ+yYmyIoxLEjoFRNJpemSFlFae9OrppOkuNvTQGOO8nnVxDhAto+w2D3h3+y +SiVjhMvE6fR1HNY0n+wmGo0rfoOx6iBJKq7TyZ7JwWiFQG1vOzhrFFEjtCuaqfjX +6B9oZp1f1JsQT9LGTKCYFSKOgFH6Q+MwZqNSLrJXgl5Zk7NUxZxR1vx6+wJ5tbvY +xdtqqmyMJCsqsyKw49JLZHK0YSRynKDipIbvIXMyVyUuBaRy2OyKZereddR23kpD +Wd/vLj4ngyOP3h77N2Jp3Lp/nAJNYLjWoLS/R7LOz3cxJh9iTzHwbTnWEsTrsssD +gT3JXoLNyYiHc+BJP2G2aDu/EP3paerfN9izSQb2EsLiKj9FjVdCpc0H32ql9N8g +iNIr0Qnq1IQK6Zz3GYTyLkg6b/rH5SO/hr5/ylfd0kR8HY+Ssb+Chi9BF4++Grnw +PWZnSzVgf3Vy/L6w/PxYLE/BDbf3HT9dw7AVSqmS2wX8l2eJE6oOoHEGLIxXNgzJ +prlTTmQ+9+MJE9c0+gg9LASDrt4uldbl5KOpRbNeD5VEMTYXZ0burYLarCY7zoca +2tZ4YntS6qBXZlJj+1YI/6GrQbyviZfL+fyIsBFAKVSuiwTPqW5ItW8Cqfg6PBv4 +dUR8qY1lRtreN479AZeW414KWlKeB+dGn0lAkm3+iIFmOLlFK5mz7o9I1XEur00P +9ZNfgWHTLMtRl55cg3JXBOaTpmuSwAjizqCqXxEcQCqoVIAqmBYOtC9pFiGzl7Kq +XbK2dQZn+cBOmcqgwqKr41cSaKlAlMTtbrr/9YnraHk1Yd4Kmo++InWqXmmOqX2r +UX5rNHtMGXEZ6W4+GQKfPHBvG5T0Mp190tQ0qHnrqU3V13ns0Ya7s8pWkJG5Nz5Q +aNtFn/mGVKMUU1HivUwmsTORHv5DAv7YxvTeERo20hG1wzjFRQWJ7qPngUomnT0O +9JinV9uVnAtI3/VNX+gJovOEdnwvdxv2rwkiWbWz2faG4fWD6a+uflRrwJ+q7B5G +OK8Vnk7NSjFI7XHwp3RbNqSx5q0Pt63uyAsUJcEry27zk7gRv4Nxb9QT29UtRuOX +fzPsetlDSL0pVJM1Uvl979KPEPSTlzhTeckbsIUhR15Q2p4ylDy3Hubnwzetc1yE +-----END RSA PRIVATE KEY----- diff --git a/t/cert/ca-client-server/server.unsecure.key b/t/cert/ca-client-server/server.unsecure.key new file mode 100644 index 000000000..18d47ed8a --- /dev/null 
+++ b/t/cert/ca-client-server/server.unsecure.key @@ -0,0 +1,27 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIEpQIBAAKCAQEA6BW0DDwLAGU/tRNilWV7a0da8tU7YykbqcSWf45hqFwx/Obe +QwA63PsdKhp380syQ+WKQDJgs74ZLpvBwEWnhcRoBiCbeJpu8hrQqC2W5v3OWcxy +dlLRqZt/mIfUO1jO9REgQdVS7gHXnNVr6VGawn17YWfsZ0JVmIHd0z6QLUHs+e0p +qdn4k86ao3GAXPIobgB5YbKl19JZozPDLpfPxeah6lCg5IjcEBbspi9L/JtL7VOG +ayDRXnRxR5hUZwGeRZSSgQvVmezePgr4EBRsnt+UDQQKJCTvIUUA3dQCE6pZFCNr +jbl2BojnqfYgNefQ+rvoPfo+9c9waDjp7cXRKwIDAQABAoIBAQCSBzXmjNEPSqWv +NadOATCK67baHDjlx7PUOhHH6LqhyIDbdBhdaAOhj49mMolO1/2kowU+J3SZI/+M +SAy9AhbKIC6jzFiGpgUw6JZpe2X7qa7w6acLtEifw2uhebWcMeDmagQ16BfqEdas +o8zmXaZWwcWkIFOrFR3ue6grhq4JCsM4hpbfKmrCb1qq7u0QntEKibSc8jLAzCR8 +55ghCBIqQlRV0LfZB1Q0+JvIX+a/8bAI5gZCFK7o7nUX4Wl8hmZ8Eeg17OpZa/70 +knhgKCEPymUiNFrKxfU4Y7bUWdiV1OjlttdyN3art8Xhr9/6/dkG7Lhjo3p1DvfV +XBOPR8BhAoGBAPxVyieuJT0NgIa/3oUTaZNOMESfN0ojhPt2Ny/Y9+/zLZVwzmc7 +tSez3K/Iuy4NGqjKbMJ2Ewfz7goHUtjwM55IoowW8eaAHgA0d9VJOZxnfKid9NHc +87xVrkmSqLwRd2yca/OwW10bztbFCMiN2nJfs3qoxhecA7Y2/+NaJqPFAoGBAOt0 +nuB5GlxV8VIhWRJiaqYZ9ehIj5Lp34Zl7WvSYfJVdrq5fvY6Wf3wBsefuLXQKTOY +xPLXNiiW942guxTRkZzwpptDNNN47W8bONBELp21Cwf2fNM27BB2QgQ/6meb9Brd +FdM+DESm/jJoxxb5cT8WkIpJg7q6tXjBk1x6EsAvAoGALvkpcMmSVRM2Yd9F5S// +71QW2C9rc3m5P7Z5/4Y8YYa7bZ5aTg1nY8SvyGltrtzxoYpNRMYGNOzL20IRwiC0 ++zo6SCndTjN7Yj5iMGo5N0xsgFcnRAoFtYGduER89MWrnaRg1DR4TZTnpEN5pxwB +FlmKZ8MTXUHFzx3d9MzLdKECgYEArjmXLmauGNEHRkyiyjXE0K+5BG5cvssLuTlG +21fLXjPbLQQBbFV1LbAkdCY92Vr0gddzNHYG/zXmbAgZJqiD5Os1fQHX3vtGRcaQ +3Zr2G4BRb0z2xJuJRg0bgGWDH7OIhzA87Binn00qH0bkup1NLO+XeJw5OzzY90fV +sMIricUCgYEAwOAZYCmODw8pWC2sLKB9Ot70VssbzR+z/5dEooOU+Mm634lSCW+C +mSCV1/3NvNOUtAvAVB6bnKzJ+Gdw2lZW/gKXB7s7Zqt9momVvc68uTnlaOuf9kYa +Z/ifOs7TYy5uEvVffiasJZNGv559mstcDc1bqINOHka6iBr2pfwsHKw= +-----END RSA PRIVATE KEY----- diff --git a/t/ssl-ctx.t b/t/ssl-ctx.t new file mode 100644 index 000000000..47a8a9d3e --- /dev/null +++ b/t/ssl-ctx.t 
@@ -0,0 +1,290 @@ +# vim:set ft= ts=4 sw=4 et fdm=marker: + +use Test::Nginx::Socket::Lua; +use Cwd qw(cwd); +use Digest::MD5 qw(md5_hex); + +repeat_each(2); + +plan tests => repeat_each() * (blocks() + 5); + +our $CWD = cwd(); +$ENV{TEST_NGINX_LUA_PACKAGE_PATH} = "$::CWD/lib/?.lua;;"; +$ENV{TEST_NGINX_HTML_DIR} ||= html_dir(); +our $TEST_NGINX_LUA_PACKAGE_PATH = $ENV{TEST_NGINX_LUA_PACKAGE_PATH}; + +log_level 'debug'; + +no_long_string(); + +sub read_file { + my $infile = shift; + open my $in, $infile + or die "cannot open $infile for reading: $!"; + my $cert = do { local $/; <$in> }; + close $in; + $cert; +} + +our $clientKey = read_file("t/cert/ca-client-server/client.key"); +our $clientUnsecureKey = read_file("t/cert/ca-client-server/client.unsecure.key"); +our $clientCrt = read_file("t/cert/ca-client-server/client.crt"); +our $clientCrtMd5 = md5_hex($clientCrt); +our $serverKey = read_file("t/cert/ca-client-server/server.key"); +our $serverUnsecureKey = read_file("t/cert/ca-client-server/server.unsecure.key"); +our $serverCrt = read_file("t/cert/ca-client-server/server.crt"); +our $caKey = read_file("t/cert/ca-client-server/ca.key"); +our $caCrt = read_file("t/cert/ca-client-server/ca.crt"); +our $http_config = <<_EOS_; +lua_package_path "$TEST_NGINX_LUA_PACKAGE_PATH/?.lua;;"; + +init_by_lua_block { + require "resty.core.socket.tcp" + + function read_file(file) + local f = io.open(file, "rb") + local content = f:read("*all") + f:close() + return content + end + + function get_response_body(response) + for k, v in ipairs(response) do + if #v == 0 then + return table.concat(response, "\\r\\n", k + 1) + end + end + + return nil, "CRLF not found" + end + + function https_get(host, port, path, ssl_ctx) + local sock = ngx.socket.tcp() + + local ok, err = sock:connect(host, port) + if not ok then + return nil, err + end + + local ok, err = sock:setsslctx(ssl_ctx) + if not ok then + return nil, err + end + + local sess, err = sock:sslhandshake() + if not sess then + 
return nil, err + end + + local req = "GET " .. path .. " HTTP/1.0\\r\\nHost: server\\r\\nConnection: close\\r\\n\\r\\n" + local bytes, err = sock:send(req) + if not bytes then + return nil, err + end + + local response = {} + while true do + local line, err, partial = sock:receive() + if not line then + if not partial then + response[#response+1] = partial + end + break + end + + response[#response+1] = line + end + + sock:close() + + return response + end +} +server { + listen 1983 ssl; + server_name server; + ssl_certificate ../html/server.crt; + ssl_certificate_key ../html/server.unsecure.key; + + ssl on; + ssl_client_certificate ../html/ca.crt; + ssl_verify_client on; + + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + + ssl_prefer_server_ciphers on; + + server_tokens off; + more_clear_headers Date; + default_type 'text/plain'; + + location / { + content_by_lua_block { + ngx.say("foo") + } + } + + location /protocol { + content_by_lua_block {ngx.say(ngx.var.ssl_protocol)} + } + + location /cert { + content_by_lua_block { + ngx.say(ngx.md5(ngx.var.ssl_client_raw_cert)) + } + } +} +_EOS_ +our $user_files = <<_EOS_; +>>> client.key +$clientKey +>>> client.unsecure.key +$clientUnsecureKey +>>> client.crt +$clientCrt +>>> server.key +$serverKey +>>> server.unsecure.key +$serverUnsecureKey +>>> server.crt +$serverCrt +>>> ca.key +$caKey +>>> ca.crt +$caCrt +>>> wrong.crt +OpenResty +>>> wrong.key +OpenResty +_EOS_ + +add_block_preprocessor(sub { + my $block = shift; + + $block->set_value("http_config", $http_config); + $block->set_value("user_files", $user_files); +}); + +run_tests(); + +__DATA__ + +=== TEST 1: ssl ctx - create_ctx must pass options +--- config + location /t{ + content_by_lua_block { + local ssl = require "ngx.ssl" + local ssl_ctx, err = ssl.create_ctx() + if ssl_ctx == nil then + ngx.say(err) + end + } + } +--- request +GET /t +--- response_body +no options found + + + +=== TEST 2: ssl ctx - disable ssl protocols method SSLv2 SSLv3 +--- config + location 
/t{ + content_by_lua_block { + local ssl = require "ngx.ssl" + local ssl_ctx, err = ssl.create_ctx({ + method = "SSLv2_method", + }) + if ssl_ctx == nil then + ngx.say(err) + end + local ssl_ctx, err = ssl.create_ctx({ + method = "SSLv3_method", + }) + if ssl_ctx == nil then + ngx.say(err) + end + } + } +--- request +GET /t +--- response_body +SSLv2 methods disabled +SSLv3 methods disabled + + + +=== TEST 3: ssl ctx - specify ssl protocols method TLSv1、TLSv1.1、TLSv1.2 +--- config + location /t { + content_by_lua_block { + local ssl = require "ngx.ssl" + function test_ssl_method(method) + local cert = ssl.parse_pem_cert(read_file("$TEST_NGINX_HTML_DIR/client.crt")) + local priv_key = ssl.parse_pem_priv_key(read_file("$TEST_NGINX_HTML_DIR/client.unsecure.key")) + local ssl_ctx, err = ssl.create_ctx({ + method = method, + priv_key = priv_key, + cert = cert + }) + if ssl_ctx == nil then + return err + end + + local response, err = https_get('127.0.0.1', 1983, '/protocol', ssl_ctx) + + if not response then + return err + end + + local body, err = get_response_body(response) + if not body then + return err + end + return body + end + + ngx.say(test_ssl_method("TLSv1_method")) + ngx.say(test_ssl_method("TLSv1_1_method")) + ngx.say(test_ssl_method("TLSv1_2_method")) + } + } + +--- request +GET /t +--- response_body +TLSv1 +TLSv1.1 +TLSv1.2 + +--- no_error_log +[error] + + + +=== TEST 4: ssl ctx - send client certificate +--- config + location /t { + content_by_lua_block { + local ssl = require "ngx.ssl" + local cert = ssl.parse_pem_cert(read_file("$TEST_NGINX_HTML_DIR/client.crt")) + local priv_key = ssl.parse_pem_priv_key(read_file("$TEST_NGINX_HTML_DIR/client.unsecure.key")) + + local ssl_ctx, err = ssl.create_ctx({ + priv_key = priv_key, + cert = cert + }) + + if ssl_ctx == nil then + ngx.say("failed to init ssl ctx: ", err) + return + end + local response = https_get("127.0.0.1", 1983, "/cert", ssl_ctx) + ngx.say(get_response_body(response)) + } + } +--- request +GET 
/t +--- response_body eval +"$::clientCrtMd5 +" From 34a408844225dd8001d1e536ab6060dff7b7e054 Mon Sep 17 00:00:00 2001 From: detailyang Date: Tue, 21 Feb 2017 11:33:34 +0800 Subject: [PATCH 02/13] tests: test sslctx with lrucache Signed-off-by: detailyang --- t/ssl-ctx.t | 68 ++++++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 65 insertions(+), 3 deletions(-) diff --git a/t/ssl-ctx.t b/t/ssl-ctx.t index 47a8a9d3e..c8d72b187 100644 --- a/t/ssl-ctx.t +++ b/t/ssl-ctx.t @@ -6,12 +6,13 @@ use Digest::MD5 qw(md5_hex); repeat_each(2); -plan tests => repeat_each() * (blocks() + 5); +plan tests => repeat_each() * (blocks() + 7); our $CWD = cwd(); $ENV{TEST_NGINX_LUA_PACKAGE_PATH} = "$::CWD/lib/?.lua;;"; $ENV{TEST_NGINX_HTML_DIR} ||= html_dir(); our $TEST_NGINX_LUA_PACKAGE_PATH = $ENV{TEST_NGINX_LUA_PACKAGE_PATH}; +our $TEST_NGINX_HTML_DIR = $ENV{TEST_NGINX_HTML_DIR}; log_level 'debug'; @@ -36,7 +37,7 @@ our $serverCrt = read_file("t/cert/ca-client-server/server.crt"); our $caKey = read_file("t/cert/ca-client-server/ca.key"); our $caCrt = read_file("t/cert/ca-client-server/ca.crt"); our $http_config = <<_EOS_; -lua_package_path "$TEST_NGINX_LUA_PACKAGE_PATH/?.lua;;"; +lua_package_path "$TEST_NGINX_LUA_PACKAGE_PATH/?.lua;;../lua-resty-lrucache/lib/?.lua;"; init_by_lua_block { require "resty.core.socket.tcp" 
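Review bot: In `https_get`, the receive loop's guard is inverted: `if not partial then response[#response+1] = partial end` appends only when `partial` is nil, so a trailing fragment returned together with the final receive error is dropped and the body assembled by `get_response_body` can be truncated; it should read `if partial then response[#response+1] = partial end`. `sock:sslhandshake()` is also called with no verify argument, so the client in this helper never checks the server certificate against ca.crt; that is acceptable for exercising client-cert presentation, but a comment such as `-- no server-cert verification: this helper only exercises client-cert presentation` would keep it from being copied as a reference HTTPS client. `read_file` in init_by_lua_block indexes the result of `io.open` without a nil check, so a missing fixture fails with an attempt-to-index error rather than naming the path; `local f = assert(io.open(file, "rb"), file)` fixes that.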
@@ -48,6 +49,26 @@ init_by_lua_block { return content end + local lrucache = require "resty.lrucache" + local c, err = lrucache.new(1) + if not c then + return error("failed to create the cache: " .. (err or "unknown")) + end + local ssl = require "ngx.ssl" + local cert = ssl.parse_pem_cert(read_file("$TEST_NGINX_HTML_DIR/client.crt")) + local priv_key = ssl.parse_pem_priv_key(read_file("$TEST_NGINX_HTML_DIR/client.unsecure.key")) + + local ssl_ctx, err = ssl.create_ctx({ + priv_key = priv_key, + cert = cert + }) + + c:set("sslctx", ssl_ctx) + + function lrucache_getsslctx() + return c:get("sslctx") + end + function get_response_body(response) for k, v in ipairs(response) do if #v == 0 then @@ -262,7 +283,31 @@ TLSv1.2 -=== TEST 4: ssl ctx - send client certificate +=== TEST 4: ssl ctx - dismatch priv_key and cert +--- config + location /t { + content_by_lua_block { + local ssl = require "ngx.ssl" + local cert = ssl.parse_pem_cert(read_file("$TEST_NGINX_HTML_DIR/server.crt")) + local priv_key = ssl.parse_pem_priv_key(read_file("$TEST_NGINX_HTML_DIR/client.unsecure.key")) + local ssl_ctx, err = ssl.create_ctx({ + priv_key = priv_key, + cert = cert + }) + if ssl_ctx == nil then + ngx.say("create_ctx err: ", err) + end + } + } + +--- request +GET /t +--- response_body +create_ctx err: SSL_CTX_use_PrivateKey() failed + + + +=== TEST 5: ssl ctx - send client certificate --- config location /t { content_by_lua_block { @@ -288,3 +333,20 @@ GET /t --- response_body eval "$::clientCrtMd5 " + + + +=== TEST 6: ssl ctx - setsslctx with cached ssl_ctx +--- config + location /t { + content_by_lua_block { + local ssl_ctx = lrucache_getsslctx() + local response = https_get("127.0.0.1", 1983, "/cert", ssl_ctx) + ngx.say(get_response_body(response)) + } + } +--- request +GET /t +--- response_body eval +"$::clientCrtMd5 +" From 79c1efbd1cc1a34a5f311656119e7b0e1a812134 Mon Sep 17 00:00:00 2001 
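Review bot: `c:set("sslctx", ssl_ctx)` in init_by_lua_block stores the result of `ssl.create_ctx` without checking it; `err` is assigned but never read, so if context creation fails the cache silently holds nil and the later cached-ctx test hands nil to `setsslctx` and fails with an unrelated error. Guard it with `if not ssl_ctx then error("failed to create ssl ctx: " .. (err or "unknown")) end` before the `c:set`, mirroring the check already done on `lrucache.new`. The `cert` and `priv_key` results of `parse_pem_cert`/`parse_pem_priv_key` are not checked either and would benefit from the same pattern.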
From: detailyang Date: Sun, 26 Feb 2017 21:00:40 +0800 Subject: [PATCH 03/13] refactor: use protocols as arg to create_ctx Signed-off-by: detailyang --- lib/ngx/ssl.lua | 23 +++++++++++++++------ t/ssl-ctx.t | 55 +++++++++++++++---------------------------------- 2 files changed, 34 insertions(+), 44 deletions(-) diff --git a/lib/ngx/ssl.lua b/lib/ngx/ssl.lua index 96d3ba164..918c76e26 100644 --- a/lib/ngx/ssl.lua +++ b/lib/ngx/ssl.lua @@ -3,6 +3,7 @@ local ffi = require "ffi" local base = require "resty.core.base" +local bit = require "bit" local C = ffi.C @@ -16,6 +17,7 @@ local get_string_buf = base.get_string_buf local get_size_ptr = base.get_size_ptr local FFI_DECLINED = base.FFI_DECLINED local FFI_OK = base.FFI_OK +local bor = bit.bor ffi.cdef[[ @@ -59,8 +61,7 @@ void ngx_http_lua_ffi_free_cert(void *cdata); void ngx_http_lua_ffi_free_priv_key(void *cdata); -void *ngx_http_lua_ffi_ssl_ctx_init(const unsigned char *method, - size_t method_len, char **err); +void *ngx_http_lua_ffi_ssl_ctx_init(unsigned int protocols, char **err); void ngx_http_lua_ffi_ssl_ctx_free(void *cdata); @@ -273,17 +274,27 @@ function _M.set_priv_key(priv_key) end +_M.PROTOCOL_SSLv2 = 0x0002 +_M.PROTOCOL_SSLv3 = 0x0004 +_M.PROTOCOL_TLSv1 = 0x0008 +_M.PROTOCOL_TLSv1_1 = 0x0010 +_M.PROTOCOL_TLSv1_2 = 0x0020 +local default_protocols = bor(bor(bor(_M.PROTOCOL_SSLv3,_M.PROTOCOL_TLSv1), + _M.PROTOCOL_TLSv1_1), _M.PROTOCOL_TLSv1_2) + + function _M.create_ctx(options) if type(options) ~= 'table' then return nil, "no options found" end - local method = "SSLv23_method" - if options.method ~= nil then - method = options.method + local protocols = default_protocols + + if options.protocols ~= nil then + protocols = options.protocols end - local ctx = C.ngx_http_lua_ffi_ssl_ctx_init(method, #method, errmsg) + local ctx = C.ngx_http_lua_ffi_ssl_ctx_init(protocols, errmsg) if ctx == nil then return nil, ffi_str(errmsg[0]) end diff --git a/t/ssl-ctx.t b/t/ssl-ctx.t index c8d72b187..d378c2887 100644 
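Review bot: `default_protocols` includes `_M.PROTOCOL_SSLv3`, so a caller who omits `options.protocols` gets an SSLv3-capable client context; SSLv3 has been deprecated since POODLE (RFC 7568), and the test server in this series itself only offers `TLSv1 TLSv1.1 TLSv1.2`. The default should be `local default_protocols = bor(bor(_M.PROTOCOL_TLSv1, _M.PROTOCOL_TLSv1_1), _M.PROTOCOL_TLSv1_2)` with a comment `-- SSLv3 is deliberately excluded from the default; callers must opt in via options.protocols`. Whether `ngx_http_lua_ffi_ssl_ctx_init` on the C side masks the SSLv3 bit out anyway is not visible here, and the Lua default should not depend on it.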
--- a/t/ssl-ctx.t +++ b/t/ssl-ctx.t @@ -6,7 +6,7 @@ use Digest::MD5 qw(md5_hex); repeat_each(2); -plan tests => repeat_each() * (blocks() + 7); +plan tests => repeat_each() * (blocks() + 6); our $CWD = cwd(); $ENV{TEST_NGINX_LUA_PACKAGE_PATH} = "$::CWD/lib/?.lua;;"; @@ -127,7 +127,7 @@ server { ssl_certificate ../html/server.crt; ssl_certificate_key ../html/server.unsecure.key; - ssl on; + ssl on; ssl_client_certificate ../html/ca.crt; ssl_verify_client on; @@ -208,43 +208,17 @@ no options found -=== TEST 2: ssl ctx - disable ssl protocols method SSLv2 SSLv3 ---- config - location /t{ - content_by_lua_block { - local ssl = require "ngx.ssl" - local ssl_ctx, err = ssl.create_ctx({ - method = "SSLv2_method", - }) - if ssl_ctx == nil then - ngx.say(err) - end - local ssl_ctx, err = ssl.create_ctx({ - method = "SSLv3_method", - }) - if ssl_ctx == nil then - ngx.say(err) - end - } - } ---- request -GET /t ---- response_body -SSLv2 methods disabled -SSLv3 methods disabled - - - -=== TEST 3: ssl ctx - specify ssl protocols method TLSv1、TLSv1.1、TLSv1.2 +=== TEST 2: ssl ctx - specify ssl protocols TLSv1、TLSv1.1、TLSv1.2 --- config location /t { content_by_lua_block { local ssl = require "ngx.ssl" - function test_ssl_method(method) + function test_ssl_protocol(protocols) + local ssl = require "ngx.ssl" local cert = ssl.parse_pem_cert(read_file("$TEST_NGINX_HTML_DIR/client.crt")) local priv_key = ssl.parse_pem_priv_key(read_file("$TEST_NGINX_HTML_DIR/client.unsecure.key")) local ssl_ctx, err = ssl.create_ctx({ - method = method, + protocols = protocols, priv_key = priv_key, cert = cert }) 
@@ -265,9 +239,13 @@ SSLv3 methods disabled return body end - ngx.say(test_ssl_method("TLSv1_method")) - ngx.say(test_ssl_method("TLSv1_1_method")) - ngx.say(test_ssl_method("TLSv1_2_method")) + local bit = require "bit" + local bor = bit.bor + + ngx.say(test_ssl_protocol(ssl.PROTOCOL_TLSv1)) + ngx.say(test_ssl_protocol(ssl.PROTOCOL_TLSv1_1)) + ngx.say(test_ssl_protocol(ssl.PROTOCOL_TLSv1_2)) + ngx.say(test_ssl_protocol(bor(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_TLSv1_2))) } } @@ -277,13 +255,14 @@ GET /t TLSv1 TLSv1.1 TLSv1.2 +TLSv1.2 --- no_error_log [error] -=== TEST 4: ssl ctx - dismatch priv_key and cert +=== TEST 3: ssl ctx - dismatch priv_key and cert --- config location /t { content_by_lua_block { @@ -307,7 +286,7 @@ create_ctx err: SSL_CTX_use_PrivateKey() failed -=== TEST 5: ssl ctx - send client certificate +=== TEST 4: ssl ctx - send client certificate --- config location /t { content_by_lua_block { @@ -336,7 +315,7 @@ GET /t -=== TEST 6: ssl ctx - setsslctx with cached ssl_ctx +=== TEST 5: ssl ctx - setsslctx with cached ssl_ctx --- config location /t { content_by_lua_block { From 55a099b5db6067dba072206a1f9143fc5a13c910 Mon Sep 17 00:00:00 2001 From: detailyang Date: Tue, 28 Feb 2017 16:39:29 +0800 Subject: [PATCH 04/13] refactor: get tcp metatable from REGISTRY --- lib/ngx/ssl.lua | 10 +++------- lib/resty/core/socket/tcp.lua | 5 +++-- 2 files changed, 6 insertions(+), 9 deletions(-) diff --git a/lib/ngx/ssl.lua b/lib/ngx/ssl.lua index 918c76e26..a4b0dee05 100644 --- a/lib/ngx/ssl.lua +++ b/lib/ngx/ssl.lua @@ -279,8 +279,8 @@ _M.PROTOCOL_SSLv3 = 0x0004 _M.PROTOCOL_TLSv1 = 0x0008 _M.PROTOCOL_TLSv1_1 = 0x0010 _M.PROTOCOL_TLSv1_2 = 0x0020 -local default_protocols = bor(bor(bor(_M.PROTOCOL_SSLv3,_M.PROTOCOL_TLSv1), - _M.PROTOCOL_TLSv1_1), _M.PROTOCOL_TLSv1_2) +local default_protocols = bor(_M.PROTOCOL_SSLv3, _M.PROTOCOL_TLSv1, + _M.PROTOCOL_TLSv1_1, _M.PROTOCOL_TLSv1_2) function _M.create_ctx(options) 
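Review bot: The new fourth case `test_ssl_protocol(bor(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_TLSv1_2))` expecting `TLSv1.2` only shows that an SSLv2 bit combined with TLSv1.2 still negotiates TLSv1.2; the removed TEST 2 was the only coverage that an SSLv2- or SSLv3-only mask is refused, and nothing in this commit replaces it. A case such as `ngx.say(test_ssl_protocol(ssl.PROTOCOL_SSLv3))` with the expected error (or, if the C side drops the bit, the negotiated protocol) would pin that behaviour whichever way it resolves. `test_ssl_protocol` is also declared without `local` inside content_by_lua_block, so it becomes a global shared across requests; `local function test_ssl_protocol(protocols)` avoids that, and the inner `local ssl = require "ngx.ssl"` merely shadows the outer one and can be dropped.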
@@ -288,11 +288,7 @@ function _M.create_ctx(options) return nil, "no options found" end - local protocols = default_protocols - - if options.protocols ~= nil then - protocols = options.protocols - end + local protocols = options.protocols or default_protocols local ctx = C.ngx_http_lua_ffi_ssl_ctx_init(protocols, errmsg) if ctx == nil then diff --git a/lib/resty/core/socket/tcp.lua b/lib/resty/core/socket/tcp.lua index 117e16eb3..285932e11 100644 --- a/lib/resty/core/socket/tcp.lua +++ b/lib/resty/core/socket/tcp.lua @@ -2,12 +2,13 @@ local ffi = require "ffi" +local debug = require 'debug' local base = require "resty.core.base" local C = ffi.C local ffi_str = ffi.string -local getfenv = getfenv +local registry = debug.getregistry() local error = error local errmsg = base.get_errmsg_ptr() local FFI_OK = base.FFI_OK @@ -53,7 +54,7 @@ local function setsslctx(tcp, ssl_ctx) end -local mt = getfenv(0).__ngx_socket_tcp_mt +local mt = registry.__ngx_socket_tcp_mt if mt then mt = mt.__index if mt then From 2f3790662e136d9b9eefdc8163253473509077a6 Mon Sep 17 00:00:00 2001 From: detailyang Date: Tue, 28 Feb 2017 17:14:36 +0800 Subject: [PATCH 05/13] refactor: use nil to replace false as return value --- lib/resty/core/socket/tcp.lua | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/resty/core/socket/tcp.lua b/lib/resty/core/socket/tcp.lua index 285932e11..ff7029a4b 100644 --- a/lib/resty/core/socket/tcp.lua +++ b/lib/resty/core/socket/tcp.lua @@ -47,7 +47,7 @@ local function setsslctx(tcp, ssl_ctx) local rc = C.ngx_http_lua_ffi_socket_tcp_setsslctx(r, tcp, ssl_ctx, errmsg) if rc ~= FFI_OK then - return false, ffi_str(errmsg[0]) + return nil, ffi_str(errmsg[0]) end return true From ba7e50b1f4ef49d7b02a97635f03e3d563200594 Mon Sep 17 00:00:00 2001 
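Review bot: `local protocols = options.protocols or default_protocols` passes whatever the caller supplied straight to `ngx_http_lua_ffi_ssl_ctx_init` as an `unsigned int`, so a string or table value raises a LuaJIT conversion error instead of the `nil, err` contract the rest of create_ctx follows. Add `if type(protocols) ~= "number" then return nil, "protocols must be a number" end` after the assignment. A caller passing `false` also silently gets the default; if that is intended, a one-line comment saying so would help.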
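Review bot: `setsslctx` only returns `nil, err` when the FFI call itself reports failure; nothing in the visible part of the function rejects a nil `ssl_ctx`, so a caller that ignored a failed `create_ctx` hands NULL to `ngx_http_lua_ffi_socket_tcp_setsslctx`, and whether the C side checks for that is not visible here. A Lua-side guard `if ssl_ctx == nil then return nil, "no ssl ctx" end` before the FFI call gives a clear error independent of the C implementation. The body of setsslctx starts outside the hunk.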
From: detailyang Date: Wed, 8 Mar 2017 15:18:42 +0800 Subject: [PATCH 06/13] refactor: caller allocate error message buffer --- lib/ngx/ssl.lua | 21 ++++++++++++++------- t/ssl-ctx.t | 4 ++-- 2 files changed, 16 insertions(+), 9 deletions(-) diff --git a/lib/ngx/ssl.lua b/lib/ngx/ssl.lua index a4b0dee05..5333d94fc 100644 --- a/lib/ngx/ssl.lua +++ b/lib/ngx/ssl.lua @@ -14,6 +14,7 @@ local error = error local tonumber = tonumber local errmsg = base.get_errmsg_ptr() local get_string_buf = base.get_string_buf +local get_string_buf_size = base.get_string_buf_size local get_size_ptr = base.get_size_ptr local FFI_DECLINED = base.FFI_DECLINED local FFI_OK = base.FFI_OK @@ -66,10 +67,10 @@ void *ngx_http_lua_ffi_ssl_ctx_init(unsigned int protocols, char **err); void ngx_http_lua_ffi_ssl_ctx_free(void *cdata); int ngx_http_lua_ffi_ssl_ctx_set_priv_key(void *cdata_ctx, - void *cdata_key, char **err); + void *cdata_key, unsigned char **err_buf, size_t err_buf_len); int ngx_http_lua_ffi_ssl_ctx_set_cert(void *cdata_ctx, - void *cdata_cert, char **err); + void *cdata_cert, unsigned char **err_buf, size_t err_buf_len); ]] @@ -79,6 +80,7 @@ local _M = { version = base.version } local charpp = ffi.new("char*[1]") local intp = ffi.new("int[1]") +local err_buf = ffi.new("unsigned char *[1]") function _M.clear_certs() 
@@ -297,19 +299,24 @@ function _M.create_ctx(options) ctx = ffi_gc(ctx, C.ngx_http_lua_ffi_ssl_ctx_free) + local size = get_string_buf_size() + local buf = get_string_buf(size) + err_buf[0] = buf + if options.cert ~= nil then - local rc = C.ngx_http_lua_ffi_ssl_ctx_set_cert(ctx, - options.cert, errmsg) + local rc = C.ngx_http_lua_ffi_ssl_ctx_set_cert(ctx, options.cert, + err_buf, size) if rc ~= FFI_OK then - return nil, ffi_str(errmsg[0]) + return nil, ffi_str(err_buf[0]) end end if options.priv_key ~= nil then local rc = C.ngx_http_lua_ffi_ssl_ctx_set_priv_key(ctx, - options.priv_key, errmsg) + options.priv_key, + err_buf, size) if rc ~= FFI_OK then - return nil, ffi_str(errmsg[0]) + return nil, ffi_str(err_buf[0]) end end diff --git a/t/ssl-ctx.t b/t/ssl-ctx.t index d378c2887..acfc580cf 100644 --- a/t/ssl-ctx.t +++ b/t/ssl-ctx.t @@ -274,7 +274,7 @@ TLSv1.2 cert = cert }) if ssl_ctx == nil then - ngx.say("create_ctx err: ", err) + ngx.say(err) end } } @@ -282,7 +282,7 @@ TLSv1.2 --- request GET /t --- response_body -create_ctx err: SSL_CTX_use_PrivateKey() failed +error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch From 93d3d5f75886b7854c61f0754f9381a0376827ef Mon Sep 17 00:00:00 2001 From: detailyang Date: Sat, 11 Mar 2017 16:36:16 +0800 Subject: [PATCH 07/13] refactor: copy literal to caller error buffer --- lib/ngx/ssl.lua | 25 ++++++++++++++----------- 1 file changed, 14 insertions(+), 11 deletions(-) diff --git a/lib/ngx/ssl.lua b/lib/ngx/ssl.lua index 5333d94fc..252cf91ae 100644 --- a/lib/ngx/ssl.lua +++ b/lib/ngx/ssl.lua @@ -19,6 +19,7 @@ local get_size_ptr = base.get_size_ptr local FFI_DECLINED = base.FFI_DECLINED local FFI_OK = base.FFI_OK local bor = bit.bor +local ERR_BUF_SIZE = 256 ffi.cdef[[ 
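Review bot: The expected body `error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch` pins the exact OpenSSL error-string format, whose library/reason codes and function-name field differ between OpenSSL releases, so this test will break on another OpenSSL build even though the behaviour under test is unchanged. Use a pattern instead: replace `--- response_body` with `--- response_body_like` and the expectation with `key values mismatch`. The reason text is the stable part of the message and is what the test actually cares about.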
@@ -66,11 +67,11 @@ void *ngx_http_lua_ffi_ssl_ctx_init(unsigned int protocols, char **err); void ngx_http_lua_ffi_ssl_ctx_free(void *cdata); -int ngx_http_lua_ffi_ssl_ctx_set_priv_key(void *cdata_ctx, - void *cdata_key, unsigned char **err_buf, size_t err_buf_len); +int ngx_http_lua_ffi_ssl_ctx_set_priv_key(void *cdata_ctx, void *cdata_key, + unsigned char *ssl_err_buf, size_t *ssl_err_buf_len); -int ngx_http_lua_ffi_ssl_ctx_set_cert(void *cdata_ctx, - void *cdata_cert, unsigned char **err_buf, size_t err_buf_len); +int ngx_http_lua_ffi_ssl_ctx_set_cert(void *cdata_ctx, void *cdata_cert, + unsigned char *ssl_err_buf, size_t *ssl_err_buf_len); ]] @@ -299,24 +300,26 @@ function _M.create_ctx(options) ctx = ffi_gc(ctx, C.ngx_http_lua_ffi_ssl_ctx_free) - local size = get_string_buf_size() - local buf = get_string_buf(size) - err_buf[0] = buf + local err_buf = get_string_buf(ERR_BUF_SIZE) + local err_buf_len = get_size_ptr() + err_buf_len[0] = ERR_BUF_SIZE if options.cert ~= nil then local rc = C.ngx_http_lua_ffi_ssl_ctx_set_cert(ctx, options.cert, - err_buf, size) + err_buf, + err_buf_len) if rc ~= FFI_OK then - return nil, ffi_str(err_buf[0]) + return nil, ffi_str(err_buf, err_buf_len[0]) end end if options.priv_key ~= nil then local rc = C.ngx_http_lua_ffi_ssl_ctx_set_priv_key(ctx, options.priv_key, - err_buf, size) + err_buf, + err_buf_len) if rc ~= FFI_OK then - return nil, ffi_str(err_buf[0]) + return nil, ffi_str(err_buf, err_buf_len[0]) end end From da0e95308f2437ffc7ba6e7d3791fe7dd986518a Mon Sep 17 00:00:00 2001 From: detailyang Date: Sat, 11 Mar 2017 16:38:40 +0800 Subject: [PATCH 08/13] travis: use personal lua-nginx-module to pass test --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 76ab84d00..a3225c7c3 100644 --- a/.travis.yml +++ b/.travis.yml 
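Review bot: `err_buf_len[0] = ERR_BUF_SIZE` is set once and then shared by the `set_cert` and `set_priv_key` calls; if the C side also writes `*ssl_err_buf_len` on success (not visible here), the second call would see a reduced capacity, so resetting `err_buf_len[0] = ERR_BUF_SIZE` immediately before each call is cheap insurance. create_ctx still has no header comment; it should state that `options.protocols` is a bitmask of the `_M.PROTOCOL_*` constants, that `options.cert` and `options.priv_key` are the cdata from `parse_pem_cert`/`parse_pem_priv_key`, that the result is `ctx` or `nil, err`, and that the context carries no peer-verification settings of its own (to be confirmed against the C side). The body of create_ctx starts outside the hunk.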
@@ -53,7 +53,7 @@ install: - git clone https://github.com/openresty/openresty.git ../openresty - git clone https://github.com/openresty/nginx-devel-utils.git - git clone https://github.com/simpl/ngx_devel_kit.git ../ndk-nginx-module - - git clone https://github.com/openresty/lua-nginx-module.git ../lua-nginx-module + - git clone -b lua-ffi-api-sslctx https://github.com/detailyang/lua-nginx-module.git ../lua-nginx-module - git clone https://github.com/openresty/no-pool-nginx.git ../no-pool-nginx - git clone https://github.com/openresty/echo-nginx-module.git ../echo-nginx-module - git clone https://github.com/openresty/lua-resty-lrucache.git From eae3453e6818427d58646a442754ba8c72f77936 Mon Sep 17 00:00:00 2001 From: detailyang Date: Sat, 11 Mar 2017 16:46:44 +0800 Subject: [PATCH 09/13] style: remove unused variable --- lib/ngx/ssl.lua | 2 -- 1 file changed, 2 deletions(-) diff --git a/lib/ngx/ssl.lua b/lib/ngx/ssl.lua index 252cf91ae..03699c5be 100644 --- a/lib/ngx/ssl.lua +++ b/lib/ngx/ssl.lua @@ -14,7 +14,6 @@ local error = error local tonumber = tonumber local errmsg = base.get_errmsg_ptr() local get_string_buf = base.get_string_buf -local get_string_buf_size = base.get_string_buf_size local get_size_ptr = base.get_size_ptr local FFI_DECLINED = base.FFI_DECLINED local FFI_OK = base.FFI_OK @@ -81,7 +80,6 @@ local _M = { version = base.version } local charpp = ffi.new("char*[1]") local intp = ffi.new("int[1]") -local err_buf = ffi.new("unsigned char *[1]") function _M.clear_certs() From ff9c8f1b9f5c91170844ce82170bab5d5fff8b8c Mon Sep 17 00:00:00 2001 From: detailyang Date: Sun, 7 May 2017 22:27:04 +0800 Subject: [PATCH 10/13] refactor: omit PROTOCOL prefix in ngx.ssl --- lib/ngx/ssl.lua | 13 ++++++------- t/ssl-ctx.t | 8 ++++---- 2 files changed, 10 insertions(+), 11 deletions(-) diff --git a/lib/ngx/ssl.lua b/lib/ngx/ssl.lua index 03699c5be..19efe8d7b 100644 --- a/lib/ngx/ssl.lua +++ b/lib/ngx/ssl.lua 
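Review bot: CI now clones `-b lua-ffi-api-sslctx https://github.com/detailyang/lua-nginx-module.git`, an unpinned branch on a personal fork, so every run builds whatever that branch currently holds, the build is not reproducible, and a force-push or deletion of the fork changes or breaks CI silently. Pin it to a commit, e.g. `- git clone https://github.com/detailyang/lua-nginx-module.git ../lua-nginx-module` followed by `- git -C ../lua-nginx-module checkout <sha>`, or revert to the openresty repository once the C-side change lands there. The commit message presents this as a stop-gap, so it should at least carry a `# TODO: revert to openresty/lua-nginx-module once the sslctx FFI lands` comment.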
@@ -275,13 +275,12 @@ function _M.set_priv_key(priv_key) end -_M.PROTOCOL_SSLv2 = 0x0002 -_M.PROTOCOL_SSLv3 = 0x0004 -_M.PROTOCOL_TLSv1 = 0x0008 -_M.PROTOCOL_TLSv1_1 = 0x0010 -_M.PROTOCOL_TLSv1_2 = 0x0020 -local default_protocols = bor(_M.PROTOCOL_SSLv3, _M.PROTOCOL_TLSv1, - _M.PROTOCOL_TLSv1_1, _M.PROTOCOL_TLSv1_2) +_M.SSLv2 = 0x0002 +_M.SSLv3 = 0x0004 +_M.TLSv1 = 0x0008 +_M.TLSv1_1 = 0x0010 +_M.TLSv1_2 = 0x0020 +local default_protocols = bor(_M.SSLv3, _M.TLSv1, _M.TLSv1_1, _M.TLSv1_2) function _M.create_ctx(options) diff --git a/t/ssl-ctx.t b/t/ssl-ctx.t index acfc580cf..0abac449e 100644 --- a/t/ssl-ctx.t +++ b/t/ssl-ctx.t @@ -242,10 +242,10 @@ no options found local bit = require "bit" local bor = bit.bor - ngx.say(test_ssl_protocol(ssl.PROTOCOL_TLSv1)) - ngx.say(test_ssl_protocol(ssl.PROTOCOL_TLSv1_1)) - ngx.say(test_ssl_protocol(ssl.PROTOCOL_TLSv1_2)) - ngx.say(test_ssl_protocol(bor(ssl.PROTOCOL_SSLv2, ssl.PROTOCOL_TLSv1_2))) + ngx.say(test_ssl_protocol(ssl.TLSv1)) + ngx.say(test_ssl_protocol(ssl.TLSv1_1)) + ngx.say(test_ssl_protocol(ssl.TLSv1_2)) + ngx.say(test_ssl_protocol(bor(ssl.SSLv2, ssl.TLSv1_2))) } } From e8ce4939dfe483eda7f32ba767a8eae469091579 Mon Sep 17 00:00:00 2001 From: detailyang Date: Sun, 7 May 2017 22:27:56 +0800 Subject: [PATCH 11/13] style: ffi.cdef should not be indented --- lib/resty/core/socket/tcp.lua | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/lib/resty/core/socket/tcp.lua b/lib/resty/core/socket/tcp.lua index ff7029a4b..1720a908d 100644 --- a/lib/resty/core/socket/tcp.lua +++ b/lib/resty/core/socket/tcp.lua @@ -16,9 +16,8 @@ local FFI_OK = base.FFI_OK ffi.cdef[[ - int - ngx_http_lua_ffi_socket_tcp_setsslctx(ngx_http_request_t *r, - void *u, void *cdata_ctx, char **err); +int ngx_http_lua_ffi_socket_tcp_setsslctx(ngx_http_request_t *r, void *u, + void *cdata_ctx, char **err); ]] From b19447d089b1965c8ae2f6c9748a4277a9b23904 Mon Sep 17 00:00:00 2001 
From: detailyang Date: Sun, 7 May 2017 22:30:16 +0800 Subject: [PATCH 12/13] refactor: no need to assign ctx again after ffi_gc --- lib/ngx/ssl.lua | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/ngx/ssl.lua b/lib/ngx/ssl.lua index 19efe8d7b..28db5c0fe 100644 --- a/lib/ngx/ssl.lua +++ b/lib/ngx/ssl.lua @@ -295,7 +295,7 @@ function _M.create_ctx(options) return nil, ffi_str(errmsg[0]) end - ctx = ffi_gc(ctx, C.ngx_http_lua_ffi_ssl_ctx_free) + ffi_gc(ctx, C.ngx_http_lua_ffi_ssl_ctx_free) local err_buf = get_string_buf(ERR_BUF_SIZE) local err_buf_len = get_size_ptr() From 5c04464f573791c0a629f23dd16760d44c647c3b Mon Sep 17 00:00:00 2001 From: detailyang Date: Sun, 7 May 2017 22:31:39 +0800 Subject: [PATCH 13/13] style: omit parentheses only one argument --- t/ssl-ctx.t | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/t/ssl-ctx.t b/t/ssl-ctx.t index 0abac449e..e281fbf8f 100644 --- a/t/ssl-ctx.t +++ b/t/ssl-ctx.t @@ -58,10 +58,10 @@ init_by_lua_block { local cert = ssl.parse_pem_cert(read_file("$TEST_NGINX_HTML_DIR/client.crt")) local priv_key = ssl.parse_pem_priv_key(read_file("$TEST_NGINX_HTML_DIR/client.unsecure.key")) - local ssl_ctx, err = ssl.create_ctx({ + local ssl_ctx, err = ssl.create_ctx{ priv_key = priv_key, cert = cert - }) + } c:set("sslctx", ssl_ctx) @@ -195,7 +195,7 @@ __DATA__ location /t{ content_by_lua_block { local ssl = require "ngx.ssl" - local ssl_ctx, err = ssl.create_ctx() + local ssl_ctx, err = ssl.create_ctx{} if ssl_ctx == nil then ngx.say(err) end @@ -217,11 +217,11 @@ no options found local ssl = require "ngx.ssl" local cert = ssl.parse_pem_cert(read_file("$TEST_NGINX_HTML_DIR/client.crt")) local priv_key = ssl.parse_pem_priv_key(read_file("$TEST_NGINX_HTML_DIR/client.unsecure.key")) - local ssl_ctx, err = ssl.create_ctx({ + local ssl_ctx, err = ssl.create_ctx{ protocols = protocols, priv_key = priv_key, cert = cert - }) + } if ssl_ctx == nil then return err end 
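Review bot: Changing TEST 1 from `ssl.create_ctx()` to `ssl.create_ctx{}` changes what the test exercises: `{}` is a table, so the `type(options) ~= 'table'` check in create_ctx no longer fires, a context is created, and `ngx.say(err)` never runs, yet the hunk leaves the expectation at `no options found` (still visible as context in the following hunk header), so the test should now fail with an empty body. Either keep `local ssl_ctx, err = ssl.create_ctx()` here, since the point of the test is the missing-options path, or, if an empty table is the intended input, change the expected body and the test title to match. The parenthesis-omission change is safe at the other call sites in this commit because they pass real fields.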
@@ -269,10 +269,10 @@ TLSv1.2 local ssl = require "ngx.ssl" local cert = ssl.parse_pem_cert(read_file("$TEST_NGINX_HTML_DIR/server.crt")) local priv_key = ssl.parse_pem_priv_key(read_file("$TEST_NGINX_HTML_DIR/client.unsecure.key")) - local ssl_ctx, err = ssl.create_ctx({ + local ssl_ctx, err = ssl.create_ctx{ priv_key = priv_key, cert = cert - }) + } if ssl_ctx == nil then ngx.say(err) end @@ -294,10 +294,10 @@ error:0B080074:x509 certificate routines:X509_check_private_key:key values misma local cert = ssl.parse_pem_cert(read_file("$TEST_NGINX_HTML_DIR/client.crt")) local priv_key = ssl.parse_pem_priv_key(read_file("$TEST_NGINX_HTML_DIR/client.unsecure.key")) - local ssl_ctx, err = ssl.create_ctx({ + local ssl_ctx, err = ssl.create_ctx{ priv_key = priv_key, cert = cert - }) + } if ssl_ctx == nil then ngx.say("failed to init ssl ctx: ", err)