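import socket
import ssl
import time

import pytest
from unit.applications.tls import TestApplicationTLS


class TestReconfigureTLS(TestApplicationTLS):
    """Reconfiguration of a TLS listener while client connections are open.

    Every test opens a TLS connection to the listener on port 7080, removes
    the listener from the running configuration part-way through the
    exchange, and checks how the already-established (or half-established)
    connection is treated afterwards.
    """

    prerequisites = {'modules': {'openssl': 'any'}}

    @pytest.fixture(autouse=True)
    def setup_method_fixture(self):
        """Skip on an OpenSSL without TLS 1.2, then load the TLS listener config."""
        # The attribute itself is missing on old ssl module builds, hence the
        # getattr default instead of a plain attribute read.
        if not getattr(ssl, 'HAS_TLSv1_2', False):
            pytest.skip('OpenSSL too old')

        self.certificate()

        assert 'success' in self.conf(
            {
                "listeners": {
                    "*:7080": {
                        "pass": "routes",
                        "tls": {"certificate": "default"},
                    }
                },
                "routes": [{"action": {"return": 200}}],
                "applications": {},
            }
        ), 'load application configuration'

    def create_socket(self):
        """Connect to 127.0.0.1:7080 and return a TLS client socket.

        The handshake is intentionally NOT performed here
        (``do_handshake_on_connect=False``) so that a test can change the
        configuration between the TCP connect and the TLS handshake.

        Returns:
            A connected ``ssl.SSLSocket`` whose handshake has not started.

        Raises:
            OSError: if the TCP connection cannot be established; the socket
                is closed before the error propagates.
        """
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        # Verification is switched off on purpose: these tests exercise
        # listener reconfiguration, not certificate validation. This is a
        # test-harness-only setting; a real client keeps the context defaults
        # (CERT_REQUIRED with hostname checking).
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE

        raw_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        ssl_sock = ctx.wrap_socket(
            raw_sock, server_hostname='localhost', do_handshake_on_connect=False
        )
        try:
            ssl_sock.connect(('127.0.0.1', 7080))
        except OSError:
            # Do not leak the descriptor when the listener is unreachable.
            ssl_sock.close()
            raise

        return ssl_sock

    def clear_conf(self):
        """Remove every listener and application from the running configuration."""
        assert 'success' in self.conf({"listeners": {}, "applications": {}})

    @pytest.mark.skip('not yet')
    def test_reconfigure_tls_switch(self):
        """Switch the listener plain -> TLS while a keep-alive connection is open."""
        assert 'success' in self.conf_delete('listeners/*:7080/tls')

        (_, sock) = self.get(
            headers={'Host': 'localhost', 'Connection': 'keep-alive'},
            start=True,
            read_timeout=1,
        )

        assert 'success' in self.conf(
            {"pass": "routes", "tls": {"certificate": "default"}},
            'listeners/*:7080',
        )

        # The plain keep-alive connection must still be served, and new
        # connections must now speak TLS.
        assert self.get(sock=sock)['status'] == 200, 'reconfigure'
        assert self.get_ssl()['status'] == 200, 'reconfigure tls'

    def test_reconfigure_tls(self):
        """A request started before the listener is removed is still completed."""
        ssl_sock = self.create_socket()

        try:
            # Send only the request line, drop the listener, then finish the
            # request on the same connection.
            ssl_sock.sendall("""GET / HTTP/1.1\r\n""".encode())

            self.clear_conf()

            ssl_sock.sendall(
                """Host: localhost\r\nConnection: close\r\n\r\n""".encode()
            )

            assert (
                self.recvall(ssl_sock).decode().startswith('HTTP/1.1 200 OK')
            ), 'finish request'
        finally:
            ssl_sock.close()

    def test_reconfigure_tls_2(self):
        """A connection accepted but not yet handshaken is closed on removal."""
        ssl_sock = self.create_socket()

        # Waiting for connection completion.
        # Delay should be more than TCP_DEFER_ACCEPT.
        time.sleep(1.5)

        self.clear_conf()

        # Initialised up front: in the original the flag was only assigned in
        # the except branch, so a handshake that unexpectedly succeeded raised
        # NameError instead of reporting the real failure.
        closed = False
        try:
            ssl_sock.do_handshake()
        except ssl.SSLError:
            closed = True
        finally:
            ssl_sock.close()

        if not closed:
            pytest.fail('Connection is not closed.')

    def test_reconfigure_tls_3(self):
        """An idle handshaken connection gets 408 after the listener is removed."""
        ssl_sock = self.create_socket()
        ssl_sock.do_handshake()

        self.clear_conf()

        assert self.get(sock=ssl_sock)['status'] == 408, 'request timeout'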