From bd723bf3d54302064d5e8b4c971a27878efe81d7 Mon Sep 17 00:00:00 2001
From: Daniel McCarney
Date: Fri, 21 Jun 2024 16:19:56 -0400
Subject: [PATCH] tests: add nginx 1.24 specific tests

We want to test the `ssl_conf_command` directive, but this is only available in nginx 1.24+. This commit adds a 1.24 specific config file and updates the test runner so we can spin up and test a nginx 1.24 server with this config when available.

For now we test the `MinProtocol` and `MaxProtocol` OpenSSL CONF_CTX commands that the compat shim supports.
---
 rustls-libssl/tests/nginx_1_24.conf | 50 ++++++++++++++
 rustls-libssl/tests/runner.rs | 103 ++++++++++++++++++++++++++++
 2 files changed, 153 insertions(+)
 create mode 100644 rustls-libssl/tests/nginx_1_24.conf

diff --git a/rustls-libssl/tests/nginx_1_24.conf b/rustls-libssl/tests/nginx_1_24.conf
new file mode 100644
index 0000000..1bcf8b3
--- /dev/null
+++ b/rustls-libssl/tests/nginx_1_24.conf
@@ -0,0 +1,50 @@
+daemon off;
+master_process off;
+pid nginx.pid;
+
+events {
+}
+
+http {
+ # Default to both supported protocols enabled.
+ ssl_protocols TLSv1.2 TLSv1.3;
+ access_log access.log;
+
+ server {
+ # Custom configuration w/ ssl_conf_command:
+ # * TLS 1.3 or greater only
+ listen 8447 ssl;
+ ssl_certificate ../../../test-ca/rsa/server.cert;
+ ssl_certificate_key ../../../test-ca/rsa/server.key;
+ server_name localhost;
+
+ ssl_conf_command MinProtocol TLSv1.3;
+
+ location = / {
+ return 200 "hello world\n";
+ }
+
+ location /ssl-agreed {
+ return 200 "protocol:$ssl_protocol,cipher:$ssl_cipher\n";
+ }
+ }
+
+ server {
+ # Custom configuration w/ ssl_conf_command:
+ # * TLS 1.2 or less only
+ listen 8448 ssl;
+ ssl_certificate ../../../test-ca/rsa/server.cert;
+ ssl_certificate_key ../../../test-ca/rsa/server.key;
+ server_name localhost;
+
+ ssl_conf_command MaxProtocol TLSv1.2;
+
+ location = / {
+ return 200 "hello world\n";
+ }
+
+ location /ssl-agreed {
+ return 200 "protocol:$ssl_protocol,cipher:$ssl_cipher\n";
+ }
+ }
+}
diff --git a/rustls-libssl/tests/runner.rs b/rustls-libssl/tests/runner.rs
index e2047ef..65be7ee 100644
--- a/rustls-libssl/tests/runner.rs
+++ b/rustls-libssl/tests/runner.rs
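Review bot: Both new server blocks only exercise `ssl_conf_command` narrowing a global `ssl_protocols TLSv1.2 TLSv1.3;` that already permits the requested version, so the config never checks what the shim does when the two directives conflict — for example `ssl_protocols TLSv1.3;` combined with `ssl_conf_command MaxProtocol TLSv1.2;` — which is the case where a compat layer is most likely to diverge from OpenSSL (as I read it, OpenSSL ends up with no usable version there and every handshake fails; worth confirming). A third server block with that combination, expected to refuse both `--tlsv1.2` and `--tlsv1.3` clients, would pin that down. The comments above each `ssl_conf_command` would also be clearer stating the intended interaction, e.g. `# Applied on top of the global ssl_protocols: MinProtocol TLSv1.3 drops TLS 1.2 from that set`.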
@@ -561,6 +561,109 @@ fn nginx() {
 drop(nginx_server);
 }
 
+#[test]
+#[ignore]
+fn nginx_1_24() {
+ let (major, minor) = nginx_version();
+ if major != 1 || minor < 24 {
+ println!("skipping Nginx 1.24 tests, installed version is {major}.{minor}.x");
+ return;
+ }
+
+ fs::create_dir_all("target/nginx-tmp/1_24/html").unwrap();
+ fs::write(
+ "target/nginx-tmp/1_24/server.conf",
+ include_str!("nginx_1_24.conf"),
+ )
+ .unwrap();
+
+ let _nginx_server = KillOnDrop(Some(
+ Command::new("tests/maybe-valgrind.sh")
+ .args([
+ "nginx",
+ "-g",
+ &format!("error_log stderr {NGINX_LOG_LEVEL};"),
+ "-p",
+ "./target/nginx-tmp/1_24",
+ "-c",
+ "server.conf",
+ ])
+ .spawn()
+ .unwrap(),
+ ));
+ wait_for_port(8447);
+ wait_for_port(8448);
+
+ // TLS 1.2 to the TLS 1.3 only port should fail w/ exit code 35
+ assert_eq!(
+ Command::new("curl")
+ .env("LD_LIBRARY_PATH", "")
+ .args([
+ "--cacert",
+ "test-ca/rsa/ca.cert",
+ "--tls-max",
+ "1.2",
+ "https://localhost:8447/ssl-agreed"
+ ])
+ .stdout(Stdio::piped())
+ .status()
+ .unwrap()
+ .code()
+ .unwrap(),
+ 35
+ );
+ // TLS 1.3 to the TLS 1.3 only port should succeed.
+ assert_eq!(
+ Command::new("curl")
+ .env("LD_LIBRARY_PATH", "")
+ .args([
+ "--cacert",
+ "test-ca/rsa/ca.cert",
+ "--tlsv1.3",
+ "https://localhost:8447/ssl-agreed"
+ ])
+ .stdout(Stdio::piped())
+ .output()
+ .unwrap()
+ .stdout,
+ "protocol:TLSv1.3,cipher:TLS_AES_256_GCM_SHA384\n".as_bytes()
+ );
+
+ // TLS 1.3 to the TLS 1.2 only port should fail w/ exit code 35
+ assert_eq!(
+ Command::new("curl")
+ .env("LD_LIBRARY_PATH", "")
+ .args([
+ "--cacert",
+ "test-ca/rsa/ca.cert",
+ "--tlsv1.3",
+ "https://localhost:8448/ssl-agreed"
+ ])
+ .stdout(Stdio::piped())
+ .status()
+ .unwrap()
+ .code()
+ .unwrap(),
+ 35
+ );
+ // TLS 1.2 to the TLS 1.2 only port should succeed.
+ assert_eq!( + Command::new("curl") + .env("LD_LIBRARY_PATH", "") + .args([ + "--cacert", + "test-ca/rsa/ca.cert", + "--tlsv1.2", + "https://localhost:8448/ssl-agreed" + ]) + .stdout(Stdio::piped()) + .output() + .unwrap() + .stdout, + "protocol:TLSv1.2,cipher:ECDHE-RSA-AES256-GCM-SHA384\n".as_bytes() + ); +} + // Return the major and minor version components of the Nginx binary in `$PATH`. fn nginx_version() -> (u32, u32) { let nginx_version_output = Command::new("nginx").args(["-v"]).output().unwrap();
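Review bot: The version gate `if major != 1 || minor < 24` at the top of `nginx_1_24` also skips every future major release, even though any nginx 2.x would still carry `ssl_conf_command`; a tuple comparison, `if (major, minor) < (1, 24) {`, expresses "1.24 or newer" without that gap. Separately, the two negative assertions only check for curl exit code 35, which is curl's generic SSL connect error and, as far as I can tell, is also what a handshake that fails for an unrelated reason (no shared cipher, a server-side config problem) would yield, so they do not prove the server rejected the *version*; using `.output()` for those calls and asserting that stderr names the protocol version alert, and that stdout has no `protocol:` line, would pin the behaviour the commit sets out to test. Because the function returns normally when the installed nginx is too old, the test reads as a pass; that is reasonable for an `#[ignore]`d test but deserves a one-line comment such as `// Not a failure: the directive under test needs nginx >= 1.24, so older installs skip.`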