Tests: simplified HTTP/2 SSL tests with IO::Socket::SSL.

pluknet · pluknet · commit b9337d816b72 · 2025-05-02T20:31:01.000+04:00
Tests are converted to use Test::Nginx infrastructure, similar to dcfe53a. Further, expect ALPN to be negotiated with supporting OpenSSL versions. Previously, such tests might be silently skipped on failure.
diff --git a/h2_ssl.t b/h2_ssl.t
@@ -28,6 +28,9 @@ select STDOUT; $| = 1;
 my $t = Test::Nginx->new()->has(qw/http http_ssl http_v2 socket_ssl_alpn/)
 	->has_daemon('openssl');
 
+plan(skip_all => 'no ALPN support in OpenSSL')
+	if $t->has_module('OpenSSL') and not $t->has_feature('openssl:1.0.2');
+
 $t->write_file_expand('nginx.conf', <<'EOF');
 
 %%TEST_GLOBALS%%
@@ -41,7 +44,7 @@ http {
     %%TEST_GLOBALS_HTTP%%
 
     server {
-        listen       127.0.0.1:8080 http2 ssl;
+        listen       127.0.0.1:8443 http2 ssl;
         server_name  localhost;
 
         ssl_certificate_key localhost.key;
@@ -81,7 +84,6 @@ open OLDERR, ">&", \*STDERR; close STDERR;
 $t->run();
 open STDERR, ">&", \*OLDERR;
 
-plan(skip_all => 'no ALPN negotiation') unless defined getconn();
 $t->plan(4);
 
 ###############################################################################
@@ -110,7 +112,8 @@ is($frame->{headers}->{':status'}, 200, 'alpn to HTTP/2');
 # h2c preface on ssl-enabled socket is rejected as invalid HTTP/1.x request,
 # ensure that HTTP/2 auto-detection doesn't kick in
 
-like(http("PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"), qr/Bad Request/,
+like(http("PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n",
+	PeerAddr => '127.0.0.1:' . port(8443)), qr/Bad Request/,
 	'no h2c on ssl socket');
 
 # client cancels last stream after HEADERS has been created,
@@ -135,39 +138,13 @@ $t->stop();
 
 sub getconn {
 	my ($alpn) = @_;
-	$alpn = ['h2'] if !defined $alpn;
-
 	my $sock = get_ssl_socket($alpn);
-	my $s = Test::Nginx::HTTP2->new(undef, socket => $sock)
-		if $sock->alpn_selected();
+	Test::Nginx::HTTP2->new(undef, socket => $sock);
 }
 
 sub get_ssl_socket {
 	my ($alpn) = @_;
-	my $s;
-
-	eval {
-		local $SIG{ALRM} = sub { die "timeout\n" };
-		local $SIG{PIPE} = sub { die "sigpipe\n" };
-		alarm(8);
-		$s = IO::Socket::SSL->new(
-			Proto => 'tcp',
-			PeerAddr => '127.0.0.1',
-			PeerPort => port(8080),
-			SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(),
-			SSL_alpn_protocols => $alpn,
-			SSL_error_trap => sub { die $_[1] }
-		);
-		alarm(0);
-	};
-	alarm(0);
-
-	if ($@) {
-		log_in("died: $@");
-		return undef;
-	}
-
-	return $s;
+	return http('', start => 1, SSL => 1, SSL_alpn_protocols => $alpn);
 }
 
 ###############################################################################
diff --git a/h2_ssl_proxy_cache.t b/h2_ssl_proxy_cache.t
@@ -24,9 +24,12 @@ select STDERR; $| = 1;
 select STDOUT; $| = 1;
 
 my $t = Test::Nginx->new()
-	->has(qw/http http_ssl http_v2 proxy cache socket_ssl/)
+	->has(qw/http http_ssl http_v2 proxy cache socket_ssl_alpn/)
 	->has_daemon('openssl');
 
+plan(skip_all => 'no ALPN support in OpenSSL')
+	if $t->has_module('OpenSSL') and not $t->has_feature('openssl:1.0.2');
+
 $t->write_file_expand('nginx.conf', <<'EOF');
 
 %%TEST_GLOBALS%%
@@ -42,7 +45,7 @@ http {
     proxy_cache_path   %%TESTDIR%%/cache  keys_zone=NAME:1m;
 
     server {
-        listen       127.0.0.1:8080 http2 ssl sndbuf=32k;
+        listen       127.0.0.1:8443 http2 ssl sndbuf=32k;
         server_name  localhost;
 
         ssl_certificate_key localhost.key;
@@ -92,22 +95,21 @@ open OLDERR, ">&", \*STDERR; close STDERR;
 $t->run();
 open STDERR, ">&", \*OLDERR;
 
-plan(skip_all => 'no ALPN negotiation') unless defined getconn(port(8080));
 $t->plan(1);
 
 ###############################################################################
 
 # client cancels stream with a cacheable request sent to upstream causing alert
 
-my $s = getconn(port(8080));
+my $s = getconn();
 ok($s, 'ssl connection');
 
 my $sid = $s->new_stream();
 $s->h2_rst($sid, 8);
 
 # large response may stuck in SSL buffer and won't be sent producing alert
 
-my $s2 = getconn(port(8080));
+my $s2 = getconn();
 $sid = $s2->new_stream({ path => '/tbig.html' });
 $s2->h2_window(2**30, $sid);
 $s2->h2_window(2**30);
@@ -119,17 +121,8 @@ $t->stop();
 ###############################################################################
 
 sub getconn {
-	my ($port) = @_;
-	my $s;
-
-	eval {
-		my $sock = Test::Nginx::HTTP2::new_socket($port, SSL => 1,
-			alpn => 'h2');
-		$s = Test::Nginx::HTTP2->new($port, socket => $sock)
-			if $sock->alpn_selected();
-	};
-
-	return $s;
+	my $sock = http('', start => 1, SSL => 1, SSL_alpn_protocols => ['h2']);
+	Test::Nginx::HTTP2->new(undef, socket => $sock);
 }
 
 ###############################################################################
diff --git a/h2_ssl_proxy_protocol.t b/h2_ssl_proxy_protocol.t
@@ -90,7 +90,8 @@ my $sock = http($proxy, start => 1);
 http('', start => 1, socket => $sock, SSL => 1, SSL_alpn_protocols => ['h2']);
 
 SKIP: {
-skip 'no ALPN negotiation', 2 unless $sock->alpn_selected();
+skip 'no ALPN support in OpenSSL', 2
+	if $t->has_module('OpenSSL') and not $t->has_feature('openssl:1.0.2');
 
 my $s = Test::Nginx::HTTP2->new(undef, socket => $sock);
 my $sid = $s->new_stream({ path => '/pp' });
diff --git a/h2_ssl_variables.t b/h2_ssl_variables.t
@@ -23,8 +23,12 @@ use Test::Nginx::HTTP2;
 select STDERR; $| = 1;
 select STDOUT; $| = 1;
 
-my $t = Test::Nginx->new()->has(qw/http http_ssl http_v2 rewrite socket_ssl/)
-	->has_daemon('openssl')->plan(4);
+my $t = Test::Nginx->new()
+	->has(qw/http http_ssl http_v2 rewrite socket_ssl_alpn/)
+	->has_daemon('openssl');
+
+plan(skip_all => 'no ALPN support in OpenSSL')
+	if $t->has_module('OpenSSL') and not $t->has_feature('openssl:1.0.2');
 
 $t->write_file_expand('nginx.conf', <<'EOF');
 
@@ -39,7 +43,7 @@ http {
     %%TEST_GLOBALS_HTTP%%
 
     server {
-        listen       127.0.0.1:8080 http2 ssl;
+        listen       127.0.0.1:8443 http2 ssl;
         server_name  localhost;
 
         ssl_certificate_key localhost.key;
@@ -84,69 +88,27 @@ open OLDERR, ">&", \*STDERR; close STDERR;
 $t->run();
 open STDERR, ">&", \*OLDERR;
 
-###############################################################################
-
-my ($s, $sid, $frames, $frame);
-
-my $has_npn = eval { Test::Nginx::HTTP2::new_socket(port(8080), SSL => 1,
-	npn => 'h2')->next_proto_negotiated() };
-my $has_alpn = eval { Test::Nginx::HTTP2::new_socket(port(8080), SSL => 1,
-	alpn => 'h2')->alpn_selected() };
-
-# SSL/TLS connection, ALPN
-
-SKIP: {
-skip 'OpenSSL ALPN support required', 1 unless $has_alpn;
-
-$s = Test::Nginx::HTTP2->new(port(8080), SSL => 1, alpn => 'h2');
-$sid = $s->new_stream({ path => '/h2' });
-$frames = $s->read(all => [{ sid => $sid, fin => 1 }]);
-
-($frame) = grep { $_->{type} eq "DATA" } @$frames;
-is($frame->{data}, 'h2', 'http variable - alpn');
-
-}
-
-# $server_protocol - SSL/TLS connection, ALPN
-
-SKIP: {
-skip 'OpenSSL ALPN support required', 1 unless $has_alpn;
+$t->plan(4);
 
-$s = Test::Nginx::HTTP2->new(port(8080), SSL => 1, alpn => 'h2');
-$sid = $s->new_stream({ path => '/sp' });
-$frames = $s->read(all => [{ sid => $sid, fin => 1 }]);
-
-($frame) = grep { $_->{type} eq "DATA" } @$frames;
-is($frame->{data}, 'HTTP/2.0', 'server_protocol variable - alpn');
-
-}
-
-# $scheme - SSL/TLS connection, ALPN
-
-SKIP: {
-skip 'OpenSSL ALPN support required', 1 unless $has_alpn;
-
-$s = Test::Nginx::HTTP2->new(port(8080), SSL => 1, alpn => 'h2');
-$sid = $s->new_stream({ path => '/scheme' });
-$frames = $s->read(all => [{ sid => $sid, fin => 1 }]);
-
-($frame) = grep { $_->{type} eq "DATA" } @$frames;
-is($frame->{data}, 'https', 'scheme variable - alpn');
-
-}
+###############################################################################
 
-# $https - SSL/TLS connection, ALPN
+is(get('/h2'), 'h2', 'http2 variable');
+is(get('/sp'), 'HTTP/2.0', 'server_protocol variable');
+is(get('/scheme'), 'https', 'scheme variable');
+is(get('/https'), 'on', 'https variable');
 
-SKIP: {
-skip 'OpenSSL ALPN support required', 1 unless $has_alpn;
+###############################################################################
 
-$s = Test::Nginx::HTTP2->new(port(8080), SSL => 1, alpn => 'h2');
-$sid = $s->new_stream({ path => '/https' });
-$frames = $s->read(all => [{ sid => $sid, fin => 1 }]);
+sub get {
+	my ($uri) = @_;
 
-($frame) = grep { $_->{type} eq "DATA" } @$frames;
-is($frame->{data}, 'on', 'https variable - alpn');
+	my $sock = http('', start => 1, SSL => 1, SSL_alpn_protocols => ['h2']);
+	my $s = Test::Nginx::HTTP2->new(undef, socket => $sock);
+	my $sid = $s->new_stream({ path => $uri });
+	my $frames = $s->read(all => [{ sid => $sid, fin => 1 }]);
 
+	my ($frame) = grep { $_->{type} eq "DATA" } @$frames;
+	return $frame->{data};
 }
 
 ###############################################################################
diff --git a/h2_ssl_verify_client.t b/h2_ssl_verify_client.t
@@ -26,6 +26,9 @@ select STDOUT; $| = 1;
 my $t = Test::Nginx->new()->has(qw/http http_ssl sni http_v2 socket_ssl_alpn/)
 	->has_daemon('openssl');
 
+plan(skip_all => 'no ALPN support in OpenSSL')
+	if $t->has_module('OpenSSL') and not $t->has_feature('openssl:1.0.2');
+
 $t->write_file_expand('nginx.conf', <<'EOF');
 
 %%TEST_GLOBALS%%
@@ -46,7 +49,7 @@ http {
     add_header X-Verify $ssl_client_verify;
 
     server {
-        listen       127.0.0.1:8080 ssl http2;
+        listen       127.0.0.1:8443 ssl http2;
         server_name  localhost;
 
         ssl_client_certificate client.crt;
@@ -55,7 +58,7 @@ http {
     }
 
     server {
-        listen       127.0.0.1:8080 ssl http2;
+        listen       127.0.0.1:8443 ssl http2;
         server_name  example.com;
 
         location / { }
@@ -88,8 +91,6 @@ open OLDERR, ">&", \*STDERR; close STDERR;
 $t->run();
 open STDERR, ">&", \*OLDERR;
 
-my $s = get_ssl_socket();
-plan(skip_all => 'no alpn') unless $s->alpn_selected();
 $t->plan(3);
 
 ###############################################################################
@@ -102,33 +103,12 @@ is(get('localhost', 'example.com')->{':status'}, '421', 'misdirected');
 
 sub get_ssl_socket {
 	my ($sni) = @_;
-	my $s;
-
-	eval {
-		local $SIG{ALRM} = sub { die "timeout\n" };
-		local $SIG{PIPE} = sub { die "sigpipe\n" };
-		alarm(8);
-		$s = IO::Socket::SSL->new(
-			Proto => 'tcp',
-			PeerAddr => '127.0.0.1',
-			PeerPort => port(8080),
-			SSL_verify_mode => IO::Socket::SSL::SSL_VERIFY_NONE(),
-			SSL_alpn_protocols => [ 'h2' ],
-			SSL_hostname => $sni,
-			SSL_cert_file => "$d/client.crt",
-			SSL_key_file => "$d/client.key",
-			SSL_error_trap => sub { die $_[1] }
-		);
-		alarm(0);
-	};
-	alarm(0);
-
-	if ($@) {
-		log_in("died: $@");
-		return undef;
-	}
-
-	return $s;
+	http('', start => 1,
+		SSL => 1,
+		SSL_alpn_protocols => [ 'h2' ],
+		SSL_hostname => $sni,
+		SSL_cert_file => "$d/client.crt",
+		SSL_key_file => "$d/client.key");
 }
 
 sub get {
