From 4b58b25c19b3503589235dbf57e8cc6c87152be7 Mon Sep 17 00:00:00 2001 From: Tatsuhiro Tsujikawa Date: Sun, 25 Jan 2015 15:36:14 +0900 Subject: [PATCH] nghttpx: Refactor code to build cert_tree, add SNI test
---
 integration-tests/alt-server.crt | 21 +++++++++++++++++++ integration-tests/alt-server.key | 28 +++++++++++++++++++++++++ integration-tests/nghttpx_http2_test.go | 16 ++++++++++++++ integration-tests/server_tester.go | 22 +++++++++++++------ src/shrpx_ssl.cc | 18 +++++++++------- 5 files changed, 91 insertions(+), 14 deletions(-) create mode 100644 integration-tests/alt-server.crt create mode 100644 integration-tests/alt-server.key
diff --git a/integration-tests/alt-server.crt b/integration-tests/alt-server.crt new file mode 100644
index 00000000..f003eb14
--- /dev/null
+++ b/integration-tests/alt-server.crt
@@ -0,0 +1,21 @@ +-----BEGIN CERTIFICATE----- +MIIDhzCCAm+gAwIBAgIJANfuEldiquMNMA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNV +BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX +aWRnaXRzIFB0eSBMdGQxEzARBgNVBAMMCmFsdC1kb21haW4wHhcNMTUwMTI1MDYy +NTQxWhcNMjUwMTIyMDYyNTQxWjBaMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29t +ZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRMwEQYD +VQQDDAphbHQtZG9tYWluMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA +0IwhDOGDipGrJQ9IoRSzPdkU/Ii4aJgGKHlXminym42X0VI3IW61RLvOHRlHVmVH +JQjFuDo2x+y81t9NlDg3HGUbSpzOzpm6StiutB7c4hreT5G4r0YKya1ugiemN0+p +qjIPJWm2jVnf448eZvUKRKEQ9W0MLZjiNjVGKrKlwo7fIlXg4N3+YixLYffAT1NV +d1T6V5jzlbruj15gK2nGjMQ9D1h1t9vTbTxY+mtk72aX0Y64IE6pPBWLFSSH8ozU +idDoL3AZwz2Jker+ALKK8CM4uho/RPpyW1C06HH+HLdH2MqEjDOROde/Nzxm668O +gK/JWGIEyUqYiUXx0yhFxwIDAQABo1AwTjAdBgNVHQ4EFgQU/Y0GDN2uPjbyePcu +95ZvYEK/gHIwHwYDVR0jBBgwFoAU/Y0GDN2uPjbyePcu95ZvYEK/gHIwDAYDVR0T +BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAodD6LVCzL3wfsZ6TxTzf9TfgIdbj +ilL3SEMT/xnfTXT3SLYScTRqQIAI29Y7dOLMq89p4hY2wmeUEhBUAz+y9G2JVr8o +6EbxXrQpWgNJogELqoNnMdrDxB5RsmDDKEJ/rLjDfSkjWbK7B2PZsqVTDgjekCFw +u6FqTIjn/O1O/L5tjwxwxjHmQod/maFCvXoDOVBuwdHnkp298tqlvsHfHO8m++Wj ++XYB8plMIjpeTh9v4w9Jc4QZ59lK/3Tt4qaENeQrMEubKSY/Zen7L2bzhk+cChWT +GSGz9uNXieoZaH79D0wnyZaSZ5Ds4ActMevnGg3iYXuzuFqx8Pungn74Vg== +-----END CERTIFICATE----- diff --git a/integration-tests/alt-server.key b/integration-tests/alt-server.key new file mode 100644 index 00000000..a977663c --- /dev/null +++ b/integration-tests/alt-server.key 
@@ -0,0 +1,28 @@ +-----BEGIN PRIVATE KEY----- +MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQDQjCEM4YOKkasl +D0ihFLM92RT8iLhomAYoeVeaKfKbjZfRUjchbrVEu84dGUdWZUclCMW4OjbH7LzW +302UODccZRtKnM7OmbpK2K60HtziGt5PkbivRgrJrW6CJ6Y3T6mqMg8labaNWd/j +jx5m9QpEoRD1bQwtmOI2NUYqsqXCjt8iVeDg3f5iLEth98BPU1V3VPpXmPOVuu6P +XmAracaMxD0PWHW329NtPFj6a2TvZpfRjrggTqk8FYsVJIfyjNSJ0OgvcBnDPYmR +6v4AsorwIzi6Gj9E+nJbULTocf4ct0fYyoSMM5E51783PGbrrw6Ar8lYYgTJSpiJ +RfHTKEXHAgMBAAECggEBALTrjFSXY72YB+h7rN+JjMIwDIPUvF6I3HbKZhQpJf6K +xNVkRM2tNHavku0tm/S4ohLf3F+pqRKiL2Udjjjy1+S7VgTRqpwTQ0lhV5aNW8SP +2KMg4R61XfB+k+s4KHu9kYxEJ12mqydPe+r3o0FgfYryTDsOYk1AX6b1aqzqFOGF +7GaqLALSbKU59tcJJ1SZNBbpIKFUrAT9nZt9dW02/foqP5bzUk43Yjw48xmLwegc +bMXXcpZhNZSktltvwRw7Q4Foc9kuRlMdTAnAD9PnMCcZwicS/YeVVF6Rz4fGviKv +7/kPHQ7g4YpFktVDzuZ5xw6GDVFeJ6uGMVUX8+EePvkCgYEA+/nrcn82nFHCxm8Q +0iiUhi/AoXjZg+O5Ytaje9O/YNoX+c4ywe13h0+TXKH79O0KfTwXeJyDgPZbAIFV +9oURellRYUzKDafnBHis2f+Ywn6GqHL5e2X30ZxIp1GK46pcvne1YuvJhgGmiVay +vd7sRx09OKU124dG22rIFCis6asCgYEA0+CsA6LrEwQ/aPJYASY3VHNO/WoAOnPg +Cwsg+02XWsPEwP//lNmpanz8TUm2URS063ZK8bx7t3ejvDgBdsRwwjiMlDp7XTUU +3Zk+mhCV2qkMi02aKemvz29bDhmh5JoH7W3IwsXtJYO0yZDYrDR3ioiKRccioPoE +b/Nq781sEFUCgYEA4xqx9xRpaCLY5nicNI6WrwrDF8YQZisNn+PMnYKP7v8itOgA +H4GkRbSXINpueKZc2dsbXH3UmJtyEdaAYBw3UIrIKmZHhl9afFE3mZQhXssjGxfl +fC6/WZD+eq+n+uJFjPXf6jSSAdHjA828dB1D4CSeVTuyexZF6uUnR+QRVNkCgYEA +i+pb7XLSpZYygY03zFp+Q0h6KyKqz+7hTqmkuA8/GfMZpRHop1UtaWLsAeXhfZ2c +87kEOKptUHSzLYIWhWWnyLorK1+LQ7vf8Y5XJso5C1KDNCKk4XSuYt94U9FddWa6 +QXI0F1s5BYL6Cfma++0R2+va08Vy+rbf40XtojoXWJkCgYEA0hMQSCvok7is27nQ +G80KXfmghU2eEB7zif3T00/fwJycxEbmnNeof+SKmhdY4ZgqTscfOxlQPflV/eqB +xs4GnFDDeM0F8KH0BimOXxr7sJPFCg22PCCQQcRtM/KoU+ip/kNmTfwrsC0xMFPU +HD8M1JCZF2eLMekXXP3cB0U4sUs= +-----END PRIVATE KEY----- diff --git a/integration-tests/nghttpx_http2_test.go b/integration-tests/nghttpx_http2_test.go index 878d8df6..bc6f30a4 100644 --- a/integration-tests/nghttpx_http2_test.go +++ b/integration-tests/nghttpx_http2_test.go 
@@ -1,6 +1,7 @@
 package nghttp2
 import (
+ "crypto/tls"
 "fmt"
 "github.com/bradfitz/http2"
 "github.com/bradfitz/http2/hpack"
@@ -358,6 +359,21 @@ func TestH2H1TEGzip(t *testing.T) {
 }
 }
+func TestH2H1SNI(t *testing.T) {
+ st := newServerTesterTLSConfig([]string{"--subcert=" + testDir + "/alt-server.key:" + testDir + "/alt-server.crt"}, t, noopHandler, &tls.Config{
+ ServerName: "alt-domain",
+ })
+ defer st.Close()
+
+ tlsConn := st.conn.(*tls.Conn)
+ connState := tlsConn.ConnectionState()
+ cert := connState.PeerCertificates[0]
+
+ if got, want := cert.Subject.CommonName, "alt-domain"; got != want {
+ t.Errorf("CommonName: %v; want %v", got, want)
+ }
+}
+
 // TestH2H1GracefulShutdown tests graceful shutdown.
 func TestH2H1GracefulShutdown(t *testing.T) {
 st := newServerTester(nil, t, noopHandler)
diff --git a/integration-tests/server_tester.go b/integration-tests/server_tester.go
index dc2376b0..d323925a
--- a/integration-tests/server_tester.go
+++ b/integration-tests/server_tester.go
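Review bot: `cert := connState.PeerCertificates[0]` in TestH2H1SNI indexes the slice without checking it is non-empty, so a handshake that yields no peer certificate turns into a panic instead of a test failure; guard it with `if len(connState.PeerCertificates) == 0 { t.Fatal("no peer certificate") }`. The test also only shows that the alternate certificate is chosen for ServerName "alt-domain"; it does not show that the default certificate is still served when the SNI name is not in the tree, which is the fallback the cert_tree code relies on, so a second case of the same shape with a ServerName outside the tree asserting the default CN would close that gap. Since the helper forces InsecureSkipVerify on the client, the CommonName comparison is the only assertion tying the served chain to the requested name, which is worth a one-line comment above the check.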
@@ -60,17 +60,23 @@ type serverTester struct {
 // newServerTester creates test context for plain TCP frontend
 // connection.
 func newServerTester(args []string, t *testing.T, handler http.HandlerFunc) *serverTester {
- return newServerTesterInternal(args, t, handler, false)
+ return newServerTesterInternal(args, t, handler, false, nil)
 }
 // newServerTester creates test context for TLS frontend connection.
 func newServerTesterTLS(args []string, t *testing.T, handler http.HandlerFunc) *serverTester {
- return newServerTesterInternal(args, t, handler, true)
+ return newServerTesterInternal(args, t, handler, true, nil)
+}
+
+// newServerTester creates test context for TLS frontend connection
+// with given clientConfig
+func newServerTesterTLSConfig(args []string, t *testing.T, handler http.HandlerFunc, clientConfig *tls.Config) *serverTester {
+ return newServerTesterInternal(args, t, handler, true, clientConfig)
 }
 // newServerTesterInternal creates test context. If frontendTLS is
 // true, set up TLS frontend connection.
-func newServerTesterInternal(args []string, t *testing.T, handler http.HandlerFunc, frontendTLS bool) *serverTester {
+func newServerTesterInternal(args []string, t *testing.T, handler http.HandlerFunc, frontendTLS bool, clientConfig *tls.Config) *serverTester {
 ts := httptest.NewUnstartedServer(handler)
 backendTLS := false
@@ -134,10 +140,14 @@ func newServerTesterInternal(args []string, t *testing.T, handler http.HandlerFu
 var conn net.Conn
 var err error
 if frontendTLS {
- tlsConfig := &tls.Config{
- InsecureSkipVerify: true,
- NextProtos: []string{"h2-14", "spdy/3.1"},
+ var tlsConfig *tls.Config
+ if clientConfig == nil {
+ tlsConfig = new(tls.Config)
+ } else {
+ tlsConfig = clientConfig
 }
+ tlsConfig.InsecureSkipVerify = true
+ tlsConfig.NextProtos = []string{"h2-14", "spdy/3.1"}
 conn, err = tls.Dial("tcp", authority, tlsConfig)
 } else {
 conn, err = net.Dial("tcp", authority)
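Review bot: The doc comment added for newServerTesterTLSConfig opens with `// newServerTester creates ...`, copied from the function above, so it names the wrong function and says nothing about the fact that the helper overwrites fields of the config it is handed. Suggested wording: `// newServerTesterTLSConfig creates test context for TLS frontend` / `// connection using clientConfig; InsecureSkipVerify and NextProtos` / `// on clientConfig are overwritten by the helper.` — the overwrite is visible in the second hunk of this file.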
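Review bot: The new branch mutates the caller-supplied clientConfig in place, forcing `InsecureSkipVerify = true` and unconditionally replacing `NextProtos`, so a test that passes its own ALPN list to exercise protocol negotiation would have it silently discarded, and the caller's config object changes behind its back. Forcing InsecureSkipVerify is reasonable for self-signed fixtures, but NextProtos should only be defaulted when the caller left it empty: `if len(tlsConfig.NextProtos) == 0 {` / `tlsConfig.NextProtos = []string{"h2-14", "spdy/3.1"}` / `}`. If the caller's config must stay untouched, the helper would have to copy it into a fresh tls.Config before setting fields, which has copy-lock implications in later Go releases and may be more than this test helper needs. newServerTesterInternal continues past the end of this hunk.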
diff --git a/src/shrpx_ssl.cc b/src/shrpx_ssl.cc
index 4afb9703..b05deffe
--- a/src/shrpx_ssl.cc
+++ b/src/shrpx_ssl.cc
@@ -950,8 +950,12 @@ SSL_CTX *setup_server_ssl_context() {
 auto ssl_ctx = ssl::create_ssl_context(get_config()->private_key_file.get(),
 get_config()->cert_file.get());
- auto cert_tree =
- get_config()->subcerts.empty() ? nullptr : cert_lookup_tree_new();
+ if (get_config()->subcerts.empty()) {
+ return ssl_ctx;
+ }
+
+ auto cert_tree = cert_lookup_tree_new();
+
 worker_config->cert_tree = cert_tree;
 for (auto &keycert : get_config()->subcerts) {
@@ -964,12 +968,10 @@ SSL_CTX *setup_server_ssl_context() {
 }
 }
- if (cert_tree) {
- if (ssl::cert_lookup_tree_add_cert_from_file(
- cert_tree, ssl_ctx, get_config()->cert_file.get()) == -1) {
- LOG(FATAL) << "Failed to add default certificate.";
- DIE();
- }
+ if (ssl::cert_lookup_tree_add_cert_from_file(
+ cert_tree, ssl_ctx, get_config()->cert_file.get()) == -1) {
+ LOG(FATAL) << "Failed to add default certificate.";
+ DIE();
 }
 return ssl_ctx;
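Review bot: The early `return ssl_ctx;` when subcerts is empty skips the `worker_config->cert_tree = cert_tree;` assignment that previously stored nullptr in that case, so worker_config->cert_tree now keeps whatever value it already held. If worker_config is zero-initialised and this function runs exactly once that is harmless, but if it can be re-entered (for example a reload after subcerts were removed) a stale tree pointer would still be consulted for SNI lookups; neither condition is visible in this hunk. Resetting it explicitly preserves the old invariant at no cost: `if (get_config()->subcerts.empty()) {` / `worker_config->cert_tree = nullptr;` / `return ssl_ctx;`. setup_server_ssl_context continues past this hunk.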
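Review bot: `LOG(FATAL) << "Failed to add default certificate.";` does not say which file could not be loaded, which is the first thing an operator needs when nghttpx refuses to start; the path is already in the call above it, so `LOG(FATAL) << "Failed to add default certificate " << get_config()->cert_file.get() << ".";` is a free improvement, assuming cert_file.get() yields a C string as its use as a file-path argument suggests. Dropping the `if (cert_tree)` guard is sound only because of the early return added in the first hunk of this file; a one-line comment such as `// cert_tree is non-null here: the no-subcerts case returned above.` makes that dependency explicit for the next reader. setup_server_ssl_context continues past the end of this hunk.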