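"""TLS listener reconfiguration tests.

Each test opens a TLS connection to the ``*:8080`` listener, removes the
listener configuration while the connection is in a given state, and then
checks how the existing connection is handled.
"""

import socket
import ssl
import time

import pytest

from unit.applications.tls import ApplicationTLS
from unit.option import option

prerequisites = {'modules': {'openssl': 'any'}}

client = ApplicationTLS()


@pytest.fixture(autouse=True)
def setup_method_fixture():
    """Install the test certificate and a TLS listener before every test.

    Skips the test when the local ``ssl`` module does not report TLSv1.2
    support.
    """
    # getattr() covers both "attribute missing" and "attribute is False".
    if not getattr(ssl, 'HAS_TLSv1_2', False):
        pytest.skip('OpenSSL too old')

    client.certificate()

    assert 'success' in client.conf(
        {
            "listeners": {
                "*:8080": {
                    "pass": "routes",
                    "tls": {"certificate": "default"},
                }
            },
            "routes": [{"action": {"return": 200}}],
            "applications": {},
        }
    ), 'load application configuration'


def create_socket():
    """Return a TLS socket connected to 127.0.0.1:8080, handshake deferred.

    The handshake is not performed on connect
    (``do_handshake_on_connect=False``), so callers decide when, or whether,
    it happens.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Test-only client: hostname checking and certificate verification are
    # switched off, so the peer is NOT authenticated.  Acceptable only
    # because the target is the local listener configured by the fixture;
    # do not copy this context into code that talks to real services.
    # NOTE(review): presumably client.certificate() creates a self-signed
    # certificate, which is why verification cannot succeed - confirm.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    ssl_sock = ctx.wrap_socket(
        s, server_hostname='localhost', do_handshake_on_connect=False
    )

    try:
        ssl_sock.connect(('127.0.0.1', 8080))
    except OSError:
        # Do not leak the descriptor when the listener is unreachable.
        ssl_sock.close()
        raise

    return ssl_sock


def clear_conf():
    """Replace the configuration with empty listeners and applications."""
    assert 'success' in client.conf({"listeners": {}, "applications": {}})


@pytest.mark.skip('not yet')
def test_reconfigure_tls_switch():
    """Switch a listener from plain to TLS while a keep-alive socket is open.

    The already open plain connection and a new TLS connection are both
    expected to get a 200 response.
    """
    assert 'success' in client.conf_delete('listeners/*:8080/tls')

    (_, sock) = client.get(
        headers={'Host': 'localhost', 'Connection': 'keep-alive'},
        start=True,
        read_timeout=1,
    )

    assert 'success' in client.conf(
        {"pass": "routes", "tls": {"certificate": "default"}},
        'listeners/*:8080',
    )

    assert client.get(sock=sock)['status'] == 200, 'reconfigure'
    assert client.get_ssl()['status'] == 200, 'reconfigure tls'


def test_reconfigure_tls():
    """Remove the listener between the request line and the headers.

    The partially sent request is expected to complete with ``200 OK``.
    """
    if option.configure_flag['asan']:
        pytest.skip('not yet, router crash')

    ssl_sock = create_socket()

    # Only the request line is sent before the configuration is cleared.
    ssl_sock.sendall("""GET / HTTP/1.1\r\n""".encode())

    clear_conf()

    ssl_sock.sendall(
        """Host: localhost\r\nConnection: close\r\n\r\n""".encode()
    )

    assert (
        client.recvall(ssl_sock).decode().startswith('HTTP/1.1 200 OK')
    ), 'finish request'


def test_reconfigure_tls_2():
    """Remove the listener before the TLS handshake has started.

    The handshake attempted afterwards is expected to fail with
    ``ssl.SSLError``; a handshake that succeeds fails the test.
    """
    ssl_sock = create_socket()

    # Waiting for connection completion.
    # Delay should be more than TCP_DEFER_ACCEPT.
    time.sleep(1.5)

    clear_conf()

    try:
        ssl_sock.do_handshake()
    except ssl.SSLError:
        # Expected outcome: the handshake fails after reconfiguration.
        pass
    else:
        pytest.fail('Connection is not closed.')
    finally:
        # Close on every path, including the failing one and unexpected
        # exceptions, so the descriptor is never left open.
        ssl_sock.close()


def test_reconfigure_tls_3():
    """Remove the listener after the handshake, before any request is sent.

    The request issued afterwards on the same socket is expected to be
    answered with status 408.
    """
    if option.configure_flag['asan']:
        pytest.skip('not yet, router crash')

    ssl_sock = create_socket()
    ssl_sock.do_handshake()

    clear_conf()

    assert client.get(sock=ssl_sock)['status'] == 408, 'request timeout'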