nghttpx: Refactor code to build cert_tree, add SNI test
parent
fbd9bcb00e
commit
4b58b25c19
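--- /dev/null
+++ b/<path not shown>/alt-server.crt
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDhzCCAm+gAwIBAgIJANfuEldiquMNMA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNV
+BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
+aWRnaXRzIFB0eSBMdGQxEzARBgNVBAMMCmFsdC1kb21haW4wHhcNMTUwMTI1MDYy
+NTQxWhcNMjUwMTIyMDYyNTQxWjBaMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29t
+ZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRMwEQYD
+VQQDDAphbHQtZG9tYWluMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+0IwhDOGDipGrJQ9IoRSzPdkU/Ii4aJgGKHlXminym42X0VI3IW61RLvOHRlHVmVH
+JQjFuDo2x+y81t9NlDg3HGUbSpzOzpm6StiutB7c4hreT5G4r0YKya1ugiemN0+p
+qjIPJWm2jVnf448eZvUKRKEQ9W0MLZjiNjVGKrKlwo7fIlXg4N3+YixLYffAT1NV
+d1T6V5jzlbruj15gK2nGjMQ9D1h1t9vTbTxY+mtk72aX0Y64IE6pPBWLFSSH8ozU
+idDoL3AZwz2Jker+ALKK8CM4uho/RPpyW1C06HH+HLdH2MqEjDOROde/Nzxm668O
+gK/JWGIEyUqYiUXx0yhFxwIDAQABo1AwTjAdBgNVHQ4EFgQU/Y0GDN2uPjbyePcu
+95ZvYEK/gHIwHwYDVR0jBBgwFoAU/Y0GDN2uPjbyePcu95ZvYEK/gHIwDAYDVR0T
+BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAodD6LVCzL3wfsZ6TxTzf9TfgIdbj
+ilL3SEMT/xnfTXT3SLYScTRqQIAI29Y7dOLMq89p4hY2wmeUEhBUAz+y9G2JVr8o
+6EbxXrQpWgNJogELqoNnMdrDxB5RsmDDKEJ/rLjDfSkjWbK7B2PZsqVTDgjekCFw
+u6FqTIjn/O1O/L5tjwxwxjHmQod/maFCvXoDOVBuwdHnkp298tqlvsHfHO8m++Wj
++XYB8plMIjpeTh9v4w9Jc4QZ59lK/3Tt4qaENeQrMEubKSY/Zen7L2bzhk+cChWT
+GSGz9uNXieoZaH79D0wnyZaSZ5Ds4ActMevnGg3iYXuzuFqx8Pungn74Vg==
+-----END CERTIFICATE-----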
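--- /dev/null
+++ b/<path not shown>/alt-server.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQDQjCEM4YOKkasl
+D0ihFLM92RT8iLhomAYoeVeaKfKbjZfRUjchbrVEu84dGUdWZUclCMW4OjbH7LzW
+302UODccZRtKnM7OmbpK2K60HtziGt5PkbivRgrJrW6CJ6Y3T6mqMg8labaNWd/j
+jx5m9QpEoRD1bQwtmOI2NUYqsqXCjt8iVeDg3f5iLEth98BPU1V3VPpXmPOVuu6P
+XmAracaMxD0PWHW329NtPFj6a2TvZpfRjrggTqk8FYsVJIfyjNSJ0OgvcBnDPYmR
+6v4AsorwIzi6Gj9E+nJbULTocf4ct0fYyoSMM5E51783PGbrrw6Ar8lYYgTJSpiJ
+RfHTKEXHAgMBAAECggEBALTrjFSXY72YB+h7rN+JjMIwDIPUvF6I3HbKZhQpJf6K
+xNVkRM2tNHavku0tm/S4ohLf3F+pqRKiL2Udjjjy1+S7VgTRqpwTQ0lhV5aNW8SP
+2KMg4R61XfB+k+s4KHu9kYxEJ12mqydPe+r3o0FgfYryTDsOYk1AX6b1aqzqFOGF
+7GaqLALSbKU59tcJJ1SZNBbpIKFUrAT9nZt9dW02/foqP5bzUk43Yjw48xmLwegc
+bMXXcpZhNZSktltvwRw7Q4Foc9kuRlMdTAnAD9PnMCcZwicS/YeVVF6Rz4fGviKv
+7/kPHQ7g4YpFktVDzuZ5xw6GDVFeJ6uGMVUX8+EePvkCgYEA+/nrcn82nFHCxm8Q
+0iiUhi/AoXjZg+O5Ytaje9O/YNoX+c4ywe13h0+TXKH79O0KfTwXeJyDgPZbAIFV
+9oURellRYUzKDafnBHis2f+Ywn6GqHL5e2X30ZxIp1GK46pcvne1YuvJhgGmiVay
+vd7sRx09OKU124dG22rIFCis6asCgYEA0+CsA6LrEwQ/aPJYASY3VHNO/WoAOnPg
+Cwsg+02XWsPEwP//lNmpanz8TUm2URS063ZK8bx7t3ejvDgBdsRwwjiMlDp7XTUU
+3Zk+mhCV2qkMi02aKemvz29bDhmh5JoH7W3IwsXtJYO0yZDYrDR3ioiKRccioPoE
+b/Nq781sEFUCgYEA4xqx9xRpaCLY5nicNI6WrwrDF8YQZisNn+PMnYKP7v8itOgA
+H4GkRbSXINpueKZc2dsbXH3UmJtyEdaAYBw3UIrIKmZHhl9afFE3mZQhXssjGxfl
+fC6/WZD+eq+n+uJFjPXf6jSSAdHjA828dB1D4CSeVTuyexZF6uUnR+QRVNkCgYEA
+i+pb7XLSpZYygY03zFp+Q0h6KyKqz+7hTqmkuA8/GfMZpRHop1UtaWLsAeXhfZ2c
+87kEOKptUHSzLYIWhWWnyLorK1+LQ7vf8Y5XJso5C1KDNCKk4XSuYt94U9FddWa6
+QXI0F1s5BYL6Cfma++0R2+va08Vy+rbf40XtojoXWJkCgYEA0hMQSCvok7is27nQ
+G80KXfmghU2eEB7zif3T00/fwJycxEbmnNeof+SKmhdY4ZgqTscfOxlQPflV/eqB
+xs4GnFDDeM0F8KH0BimOXxr7sJPFCg22PCCQQcRtM/KoU+ip/kNmTfwrsC0xMFPU
+HD8M1JCZF2eLMekXXP3cB0U4sUs=
+-----END PRIVATE KEY-----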
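--- a/<path not shown: Go test file, package nghttp2>
+++ b/<path not shown: Go test file, package nghttp2>
@@ -1,6 +1,7 @@
 package nghttp2
 
 import (
+	"crypto/tls"
 	"fmt"
 	"github.com/bradfitz/http2"
 	"github.com/bradfitz/http2/hpack"
@@ -358,6 +359,21 @@ func TestH2H1TEGzip(t *testing.T) {
 	}
 }
 
+func TestH2H1SNI(t *testing.T) {
+	st := newServerTesterTLSConfig([]string{"--subcert=" + testDir + "/alt-server.key:" + testDir + "/alt-server.crt"}, t, noopHandler, &tls.Config{
+		ServerName: "alt-domain",
+	})
+	defer st.Close()
+
+	tlsConn := st.conn.(*tls.Conn)
+	connState := tlsConn.ConnectionState()
+	cert := connState.PeerCertificates[0]
+
+	if got, want := cert.Subject.CommonName, "alt-domain"; got != want {
+		t.Errorf("CommonName: %v; want %v", got, want)
+	}
+}
+
 // TestH2H1GracefulShutdown tests graceful shutdown.
 func TestH2H1GracefulShutdown(t *testing.T) {
 	st := newServerTester(nil, t, noopHandler)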
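Review bot: `cert := connState.PeerCertificates[0]` in TestH2H1SNI indexes the peer chain unguarded, so a handshake that yields no certificate becomes an index panic rather than a test failure; a guard `if len(connState.PeerCertificates) == 0 { t.Fatal("no peer certificate") }` before the index gives a readable failure. The new test also lacks the doc comment its neighbour TestH2H1GracefulShutdown has; `// TestH2H1SNI tests that a certificate given with --subcert is selected by TLS SNI.` keeps the file's convention. Note that the client config only sets ServerName and relies on the tester forcing InsecureSkipVerify, so the assertion on Subject.CommonName is the only thing tying the served certificate to the SNI name; also checking that a connection without ServerName still receives the default certificate would make the selection test complete.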
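--- a/<path not shown: Go test helper defining serverTester>
+++ b/<path not shown: Go test helper defining serverTester>
@@ -60,17 +60,23 @@ type serverTester struct {
 // newServerTester creates test context for plain TCP frontend
 // connection.
 func newServerTester(args []string, t *testing.T, handler http.HandlerFunc) *serverTester {
-	return newServerTesterInternal(args, t, handler, false)
+	return newServerTesterInternal(args, t, handler, false, nil)
 }
 
 // newServerTester creates test context for TLS frontend connection.
 func newServerTesterTLS(args []string, t *testing.T, handler http.HandlerFunc) *serverTester {
-	return newServerTesterInternal(args, t, handler, true)
+	return newServerTesterInternal(args, t, handler, true, nil)
+}
+
+// newServerTester creates test context for TLS frontend connection
+// with given clientConfig
+func newServerTesterTLSConfig(args []string, t *testing.T, handler http.HandlerFunc, clientConfig *tls.Config) *serverTester {
+	return newServerTesterInternal(args, t, handler, true, clientConfig)
 }
 
 // newServerTesterInternal creates test context. If frontendTLS is
 // true, set up TLS frontend connection.
-func newServerTesterInternal(args []string, t *testing.T, handler http.HandlerFunc, frontendTLS bool) *serverTester {
+func newServerTesterInternal(args []string, t *testing.T, handler http.HandlerFunc, frontendTLS bool, clientConfig *tls.Config) *serverTester {
 	ts := httptest.NewUnstartedServer(handler)
 
 	backendTLS := false
@@ -134,10 +140,14 @@ func newServerTesterInternal(args []string, t *testing.T, handler http.HandlerFu
 	var conn net.Conn
 	var err error
 	if frontendTLS {
-		tlsConfig := &tls.Config{
-			InsecureSkipVerify: true,
-			NextProtos: []string{"h2-14", "spdy/3.1"},
+		var tlsConfig *tls.Config
+		if clientConfig == nil {
+			tlsConfig = new(tls.Config)
+		} else {
+			tlsConfig = clientConfig
 		}
+		tlsConfig.InsecureSkipVerify = true
+		tlsConfig.NextProtos = []string{"h2-14", "spdy/3.1"}
 		conn, err = tls.Dial("tcp", authority, tlsConfig)
 	} else {
 		conn, err = net.Dial("tcp", authority)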
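Review bot: In the second hunk, `tlsConfig = clientConfig` aliases the caller's *tls.Config, and the two assignments that follow overwrite InsecureSkipVerify and NextProtos on the caller's object, so a caller can never pass a config that keeps certificate verification on, and a config shared between tests is silently mutated. Either copy the config before mutating it or state the contract in the new helper's comment: `// with given clientConfig; InsecureSkipVerify is forced on and NextProtos is replaced`. Separately, the added comment `// newServerTester creates test context for TLS frontend connection` on newServerTesterTLSConfig repeats the existing mismatch on newServerTesterTLS; a godoc comment should begin with the function's own name, `// newServerTesterTLSConfig creates ...`.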
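--- a/<path not shown: C++ source defining setup_server_ssl_context>
+++ b/<path not shown: C++ source defining setup_server_ssl_context>
@@ -950,8 +950,12 @@ SSL_CTX *setup_server_ssl_context() {
   auto ssl_ctx = ssl::create_ssl_context(get_config()->private_key_file.get(),
                                          get_config()->cert_file.get());
 
-  auto cert_tree =
-      get_config()->subcerts.empty() ? nullptr : cert_lookup_tree_new();
+  if (get_config()->subcerts.empty()) {
+    return ssl_ctx;
+  }
+
+  auto cert_tree = cert_lookup_tree_new();
+
   worker_config->cert_tree = cert_tree;
 
   for (auto &keycert : get_config()->subcerts) {
@@ -964,12 +968,10 @@ SSL_CTX *setup_server_ssl_context() {
     }
   }
 
-  if (cert_tree) {
-    if (ssl::cert_lookup_tree_add_cert_from_file(
-            cert_tree, ssl_ctx, get_config()->cert_file.get()) == -1) {
-      LOG(FATAL) << "Failed to add default certificate.";
-      DIE();
-    }
+  if (ssl::cert_lookup_tree_add_cert_from_file(
+          cert_tree, ssl_ctx, get_config()->cert_file.get()) == -1) {
+    LOG(FATAL) << "Failed to add default certificate.";
+    DIE();
   }
 
   return ssl_ctx;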
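Review bot: The early `return ssl_ctx;` taken when subcerts is empty no longer writes worker_config->cert_tree, whereas the replaced ternary always stored either nullptr or a fresh tree; if worker_config can carry a value from an earlier call (a configuration reload, for instance — not visible here), a stale cert_tree pointer would survive and SNI lookups would consult a tree built from old certificates. An explicit `worker_config->cert_tree = nullptr;` before the early return preserves the previous invariant at no cost. setup_server_ssl_context starts before the first hunk and the subcert loop body lies between the two hunks, so the handling of a failed subcert load is not visible in this view.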