tests: remove google.com relevant ssl certificate test cases.

spacewander · agentzh · commit 5196e65519b1 · 2018-03-27T13:11:33.000-07:00
We could not control Google's certificate, and Google don't promise their root certificate won't change, see https://pki.google.com/faq.html. > Q: What roots should we trust for connecting to Google? > A: Google may decide to have its intermediate signed by another root at any point in time, ... Because in TEST 8 we already tested passing verify case with openresty.org, here I remove TEST 11 and change TEST 12 to test with openresty.org. Signed-off-by: Yichun Zhang (agentzh) <agentzh@gmail.com>
diff --git a/t/129-ssl-socket.t b/t/129-ssl-socket.t
@@ -4,7 +4,7 @@ use Test::Nginx::Socket::Lua;
 
 repeat_each(2);
 
-plan tests => repeat_each() * 218;
+plan tests => repeat_each() * 211;
 
 $ENV{TEST_NGINX_HTML_DIR} ||= html_dir();
 
@@ -867,54 +867,42 @@ SSL reused session
 
 
 
-=== TEST 11: www.google.com  (SSL verify passes)
+=== TEST 11: openresty.org: SSL verify enabled and no corresponding trusted certificates
 --- config
     server_tokens off;
     resolver $TEST_NGINX_RESOLVER ipv6=off;
     lua_ssl_trusted_certificate ../html/trusted.crt;
-    lua_ssl_verify_depth 3;
+    lua_ssl_verify_depth 2;
     location /t {
-        #set $port 5000;
         set $port $TEST_NGINX_MEMCACHED_PORT;
 
-        content_by_lua '
-            -- avoid flushing google in "check leak" testing mode:
-            local counter = package.loaded.counter
-            if not counter then
-                counter = 1
-            elseif counter >= 2 then
-                return ngx.exit(503)
-            else
-                counter = counter + 1
-            end
-            package.loaded.counter = counter
+        content_by_lua_block {
+            local sock = ngx.socket.tcp()
+            sock:settimeout(4000)
 
             do
-                local sock = ngx.socket.tcp()
-                sock:settimeout(2000)
-                local ok, err = sock:connect("www.google.com", 443)
+                local ok, err = sock:connect("openresty.org", 443)
                 if not ok then
                     ngx.say("failed to connect: ", err)
                     return
                 end
 
                 ngx.say("connected: ", ok)
 
-                local sess, err = sock:sslhandshake(nil, "www.google.com", true)
-                if not sess then
+                local session, err = sock:sslhandshake(nil, "openresty.org", true)
+                if not session then
                     ngx.say("failed to do SSL handshake: ", err)
                     return
                 end
 
-                ngx.say("ssl handshake: ", type(sess))
+                ngx.say("ssl handshake: ", type(session))
 
-                local req = "GET / HTTP/1.1\\r\\nHost: www.google.com\\r\\nConnection: close\\r\\n\\r\\n"
+                local req = "GET / HTTP/1.1\r\nHost: openresty.org\r\nConnection: close\r\n\r\n"
                 local bytes, err = sock:send(req)
                 if not bytes then
                     ngx.say("failed to send http request: ", err)
                     return
                 end
-
                 ngx.say("sent http request: ", bytes, " bytes.")
 
                 local line, err = sock:receive()
@@ -929,106 +917,13 @@ SSL reused session
                 ngx.say("close: ", ok, " ", err)
             end  -- do
             collectgarbage()
-        ';
+        }
     }
 
 --- user_files eval
 ">>> trusted.crt
 $::EquifaxRootCertificate"
 
---- request
-GET /t
---- response_body_like chop
-\Aconnected: 1
-ssl handshake: userdata
-sent http request: 59 bytes.
-received: HTTP/1.1 (?:200 OK|302 Found)
-close: 1 nil
-\z
---- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+/
---- grep_error_log_out eval
-qr/^lua ssl save session: ([0-9A-F]+)
-lua ssl free session: ([0-9A-F]+)
-$/
---- error_log
-lua ssl server name: "www.google.com"
---- no_error_log
-SSL reused session
-[error]
-[alert]
---- timeout: 5
-
-
-
-=== TEST 12: www.google.com  (SSL verify enabled and no corresponding trusted certificates)
---- config
-    server_tokens off;
-    resolver $TEST_NGINX_RESOLVER ipv6=off;
-    lua_ssl_trusted_certificate ../html/trusted.crt;
-    lua_ssl_verify_depth 3;
-    location /t {
-        #set $port 5000;
-        set $port $TEST_NGINX_MEMCACHED_PORT;
-
-        content_by_lua '
-            -- avoid flushing google in "check leak" testing mode:
-            local counter = package.loaded.counter
-            if not counter then
-                counter = 1
-            elseif counter >= 2 then
-                return ngx.exit(503)
-            else
-                counter = counter + 1
-            end
-            package.loaded.counter = counter
-
-            do
-                local sock = ngx.socket.tcp()
-                sock:settimeout(2000)
-                local ok, err = sock:connect("www.google.com", 443)
-                if not ok then
-                    ngx.say("failed to connect: ", err)
-                    return
-                end
-
-                ngx.say("connected: ", ok)
-
-                local sess, err = sock:sslhandshake(nil, "www.google.com", true)
-                if not sess then
-                    ngx.say("failed to do SSL handshake: ", err)
-                    return
-                end
-
-                ngx.say("ssl handshake: ", type(sess))
-
-                local req = "GET / HTTP/1.1\\r\\nHost: www.google.com\\r\\nConnection: close\\r\\n\\r\\n"
-                local bytes, err = sock:send(req)
-                if not bytes then
-                    ngx.say("failed to send http request: ", err)
-                    return
-                end
-
-                ngx.say("sent http request: ", bytes, " bytes.")
-
-                local line, err = sock:receive()
-                if not line then
-                    ngx.say("failed to receive response status line: ", err)
-                    return
-                end
-
-                ngx.say("received: ", line)
-
-                local ok, err = sock:close()
-                ngx.say("close: ", ok, " ", err)
-            end  -- do
-            collectgarbage()
-        ';
-    }
-
---- user_files eval
-">>> trusted.crt
-$::DSTRootCertificate"
-
 --- request
 GET /t
 --- response_body
@@ -1038,7 +933,7 @@ failed to do SSL handshake: 20: unable to get local issuer certificate
 --- grep_error_log eval: qr/lua ssl (?:set|save|free) session: [0-9A-F]+/
 --- grep_error_log_out
 --- error_log
-lua ssl server name: "www.google.com"
+lua ssl server name: "openresty.org"
 lua ssl certificate verify error: (20: unable to get local issuer certificate)
 --- no_error_log
 SSL reused session
@@ -1047,7 +942,7 @@ SSL reused session
 
 
 
-=== TEST 13: openresty.org: passing SSL verify with multiple certificates
+=== TEST 12: openresty.org: passing SSL verify with multiple certificates
 --- config
     server_tokens off;
     resolver $TEST_NGINX_RESOLVER ipv6=off;
@@ -1133,7 +1028,7 @@ SSL reused session
 
 
 
-=== TEST 14: default cipher
+=== TEST 13: default cipher
 --- config
     server_tokens off;
     resolver $TEST_NGINX_RESOLVER ipv6=off;
@@ -1212,7 +1107,7 @@ SSL reused session
 
 
 
-=== TEST 15: explicit cipher configuration
+=== TEST 14: explicit cipher configuration
 --- config
     server_tokens off;
     resolver $TEST_NGINX_RESOLVER ipv6=off;
@@ -1292,7 +1187,7 @@ SSL reused session
 
 
 
-=== TEST 16: explicit ssl protocol configuration
+=== TEST 15: explicit ssl protocol configuration
 --- config
     server_tokens off;
     resolver $TEST_NGINX_RESOLVER ipv6=off;
@@ -1372,7 +1267,7 @@ SSL reused session
 
 
 
-=== TEST 17: unsupported ssl protocol
+=== TEST 16: unsupported ssl protocol
 --- config
     server_tokens off;
     resolver $TEST_NGINX_RESOLVER ipv6=off;
@@ -1449,7 +1344,7 @@ SSL reused session
 
 
 
-=== TEST 18: openresty.org: passing SSL verify: keepalive (reuse the ssl session)
+=== TEST 17: openresty.org: passing SSL verify: keepalive (reuse the ssl session)
 --- config
     server_tokens off;
     resolver $TEST_NGINX_RESOLVER ipv6=off;
@@ -1526,7 +1421,7 @@ SSL reused session
 
 
 
-=== TEST 19: openresty.org: passing SSL verify: keepalive (no reusing the ssl session)
+=== TEST 18: openresty.org: passing SSL verify: keepalive (no reusing the ssl session)
 --- config
     server_tokens off;
     resolver $TEST_NGINX_RESOLVER ipv6=off;
@@ -1606,7 +1501,7 @@ SSL reused session
 
 
 
-=== TEST 20: downstream cosockets do not support ssl handshake
+=== TEST 19: downstream cosockets do not support ssl handshake
 --- config
     server_tokens off;
     resolver $TEST_NGINX_RESOLVER ipv6=off;
@@ -1647,7 +1542,7 @@ attempt to call method 'sslhandshake' (a nil value)
 
 
 
-=== TEST 21: unix domain ssl cosocket (no verify)
+=== TEST 20: unix domain ssl cosocket (no verify)
 --- http_config
     server {
         listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl;
@@ -1750,7 +1645,7 @@ SSL reused session
 
 
 
-=== TEST 22: unix domain ssl cosocket (verify)
+=== TEST 21: unix domain ssl cosocket (verify)
 --- http_config
     server {
         listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl;
@@ -1856,7 +1751,7 @@ SSL reused session
 
 
 
-=== TEST 23: unix domain ssl cosocket (no ssl on server)
+=== TEST 22: unix domain ssl cosocket (no ssl on server)
 --- http_config
     server {
         listen unix:$TEST_NGINX_HTML_DIR/nginx.sock;
@@ -1946,7 +1841,7 @@ SSL reused session
 
 
 
-=== TEST 24: lua_ssl_crl
+=== TEST 23: lua_ssl_crl
 --- http_config
     server {
         listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl;
@@ -2045,7 +1940,7 @@ SSL reused session
 
 
 
-=== TEST 25: multiple handshake calls
+=== TEST 24: multiple handshake calls
 --- config
     server_tokens off;
     resolver $TEST_NGINX_RESOLVER ipv6=off;
@@ -2129,7 +2024,7 @@ SSL reused session
 
 
 
-=== TEST 26: handshake timed out
+=== TEST 25: handshake timed out
 --- config
     server_tokens off;
     resolver $TEST_NGINX_RESOLVER ipv6=off;
@@ -2183,7 +2078,7 @@ SSL reused session
 
 
 
-=== TEST 27: unix domain ssl cosocket (no gen session)
+=== TEST 26: unix domain ssl cosocket (no gen session)
 --- http_config
     server {
         listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl;
@@ -2254,7 +2149,7 @@ SSL reused session
 
 
 
-=== TEST 28: unix domain ssl cosocket (gen session, true)
+=== TEST 27: unix domain ssl cosocket (gen session, true)
 --- http_config
     server {
         listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl;
@@ -2328,7 +2223,7 @@ SSL reused session
 
 
 
-=== TEST 29: unix domain ssl cosocket (keepalive)
+=== TEST 28: unix domain ssl cosocket (keepalive)
 --- http_config
     server {
         listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl;
@@ -2405,7 +2300,7 @@ SSL reused session
 
 
 
-=== TEST 30: unix domain ssl cosocket (verify cert but no host name check, passed)
+=== TEST 29: unix domain ssl cosocket (verify cert but no host name check, passed)
 --- http_config
     server {
         listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl;
@@ -2510,7 +2405,7 @@ SSL reused session
 
 
 
-=== TEST 31: unix domain ssl cosocket (verify cert but no host name check, NOT passed)
+=== TEST 30: unix domain ssl cosocket (verify cert but no host name check, NOT passed)
 --- http_config
     server {
         listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl;
@@ -2603,7 +2498,7 @@ SSL reused session
 
 
 
-=== TEST 32: handshake, too many arguments
+=== TEST 31: handshake, too many arguments
 --- config
     server_tokens off;
     resolver $TEST_NGINX_RESOLVER ipv6=off;
