Hi Tim,
  Another revision of the patch is attached.

 What I changed from last patch:
       - Skip if the name cannot be resolved
       - Skip if not using openssl, as a temp workaround till I figure out
         gnutls-openssl cert issues.

Best,
Vijo.

On Thu, May 4, 2017 at 8:01 AM, Tim Rühsen <[email protected]> wrote:

> Hi Vijo,
>
> I fixed what I could fix (as totally Perl ignorant).
>
> There is still one issue left that I can't figure out.
>
> Test-https-badcerts.px fails here with this in the log:
>
>
> Connecting to wgettestingserver (wgettestingserver)|127.0.0.1|:60443...
> connected.
> Created socket 3.
> Releasing 0x00005571c84304e0 (new refcount 1).
> GnuTLS: ASN1 parser: Error in DER parsing.
> Closed fd 3
> Unable to establish SSL connection.
> Test failed: wrong code returned (was: 4, expected: 5)
>
> $ openssl version
> OpenSSL 1.1.0e  16 Feb 2017
>
>
>
> With Best Regards, Tim
>
>
>
> On 05/02/2017 05:07 PM, Vijo Cherian wrote:
> > Attached now.
> >
> > On Tue, May 2, 2017 at 8:06 AM, Vijo Cherian <[email protected]> wrote:
> >
> >> Sorry about that Tim.
> >> I reworked the patches again.
> >> This time, I ran 'make check -j4' in a loop overnight.
> >>
> >> Best,
> >> Vijo.
> >>
> >> On Sun, Apr 30, 2017 at 5:49 AM, Tim Rühsen <[email protected]> wrote:
> >>
> >>> Hi Vijo,
> >>>
> >>> maybe I miss something ?
> >>>
> >>> $ cat tests/Test-https-pfs.log
> >>> Running test Test-https-pfs
> >>> IO::Socket::IP configuration failed at SSLServer.pm line 71.
> >>> Failed to get ssl sock at SSLServer.pm line 168.
> >>> Can't call method "accept" on an undefined value at SSLServer.pm line 86.
> >>>
> >>> Regards, Tim
> >>>
> >>> On Samstag, 29. April 2017 13:21:04 CEST Vijo Cherian wrote:
> >>>> Thank you for your review and comments, Tim.
> >>>>
> >>>> Attached is the revised set of patches for the same tests.
> >>>>
> >>>>
> >>>> Best,
> >>>> Vijo.
> >>>>
> >>>> On Fri, Apr 28, 2017 at 3:42 AM, Tim Rühsen <[email protected]> wrote:
> >>>>> Hi Vijo,
> >>>>>
> >>>>> great work !
> >>>>>
> >>>>> There is just a bit of polishing to be done... :-)
> >>>>>
> >>>>>
> >>>>> - some whitespace warnings (maybe you set your editor to remove trailing
> >>>>> whitespace when saving !?):
> >>>>>
> >>>>> .git/rebase-apply/patch:516: trailing whitespace.
> >>>>> my $revokecmd = "openssl ca -config $caconf -revoke $servercrt &&
> >>>>> .git/rebase-apply/patch:795: trailing whitespace.
> >>>>> issuerAltName=issuer:copy
> >>>>> .git/rebase-apply/patch:802: trailing whitespace.
> >>>>>
> >>>>>  certificate = $dir/interca.crt
> >>>>>
> >>>>> .git/rebase-apply/patch:865: trailing whitespace.
> >>>>> issuerAltName=issuer:copy
> >>>>> .git/rebase-apply/patch:872: trailing whitespace.
> >>>>>
> >>>>>  certificate = $dir/test-ca-cert.pem
> >>>>>
> >>>>> warning: 5 lines add whitespace errors.
> >>>>>
> >>>>>
> >>>>> - you use the 'openssl' tool from the tests.
> >>>>> Is it possible to create the required files apart from the tests and
> >>>>> store them in tests/certs ? You can provide a script and/or a README how
> >>>>> to create these files (see testenv/certs/README).
> >>>>> If that is not possible, the tests should see if the 'openssl' command
> >>>>> is available. If unavailable the test(s) should SKIP.
> >>>>>
> >>>>>
> >>>>> - some tests fail here with 'make check -j4' but succeed with -j1
> >>>>> (failures are a bit random):
> >>>>> FAIL: Test-https-tlsv1.px
> >>>>> FAIL: Test-https-tlsv1x.px
> >>>>> FAIL: Test-https-clientcert.px
> >>>>>
> >>>>>
> >>>>> - this test always fails (wget is built with GnuTLS):
> >>>>> FAIL: Test-https-badcerts.px
> >>>>>
> >>>>> Releasing 0x0000559c258a74d0 (new refcount 1).
> >>>>> GnuTLS: ASN1 parser: Error in DER parsing.
> >>>>> Closed fd 3
> >>>>> Unable to establish SSL connection.
> >>>>> Can't use an undefined value as a symbol reference at SSLServer.pm line 131.
> >>>>> Test failed: wrong code returned (was: 4, expected: 5)
> >>>>> FAIL Test-https-badcerts.px (exit status: 255)
> >>>>>
> >>>>>
> >>>>>
> >>>>> With Best Regards, Tim
> >>>>>
> >>>>> On 04/27/2017 06:19 AM, Vijo Cherian wrote:
> >>>>>> Thank you Tim.
> >>>>>>
> >>>>>> Attached is the last set of patches from me for SSL testing.
> >>>>>> I will apply these to wget2 and start working on wget2 from now.
> >>>>>>
> >>>>>> Best,
> >>>>>> Vijo.
> >>>>>>
> >>>>>> On Wed, Apr 19, 2017 at 4:12 AM, Tim Rühsen <[email protected]> wrote:
> >>>>>>> Hi Vijo,
> >>>>>>>
> >>>>>>> On 04/18/2017 06:56 PM, Vijo Cherian wrote:
> >>>>>>>> Added a framework for perl based SSL tests, and some tests to start
> >>>>>>>> with.
> >>>>>>>> In case this is of interest, I will add more tests for SSL: client
> >>>>>>>> certificates, CRLs, negative tests etc.
> >>>>>>>> Also not included : making these tests a part of "make check".
> >>>>>>>>
> >>>>>>>> TESTING :  only on ubuntu 16
> >>>>>>>
> >>>>>>> thank you for this contribution !
> >>>>>>>
> >>>>>>> Your commit has been slightly amended (trailing white space removed,
> >>>>>>> commit message changed to GNU style) and pushed to master.
> >>>>>>>
> >>>>>>> Maybe you are interested to inspect Wget2 testing to see if your tests
> >>>>>>> are already covered there. If not we would be pleased if you could add
> >>>>>>> them there as well.
> >>>>>>>
> >>>>>>> Just 'git clone https://github.com/rockdaboot/wget2' and jump in !
> >>>>>>>
> >>>>>>> Regards, Tim
> >>>
> >>>
> >>
> >
>
>
From 5ba186f127258f0266c1fec02f2e71714a57bd2e Mon Sep 17 00:00:00 2001
From: Vijo Cherian <[email protected]>
Date: Fri, 21 Apr 2017 12:34:16 -0700
Subject: [PATCH] Added 8 SSL tests to make check

* tests/Test-https-badcerts.px : New file
* tests/Test-https-clientcert.px : New file
* tests/Test-https-crl.px : New file
* tests/Test-https-weboftrust.px : New file
* tests/certs/interca.conf : New file
* tests/certs/rootca.conf : New file
* tests/certs/test-ca-key.pem : New file
* tests/wgethosts : New file

Added all new SSL / HTTPS tests to make check
Added Test for SSL Web of Trust, accept only if CA chain of trust is intact.
Added a test script for client certificate
Added Test for crlfile option of wget
Added test to make sure that wget doesn't accept expired or invalid certs
Added wgethosts file to the repo rather than create it for every SSL Test.
Since most of the testing of this change was done with openssl,
if wget is not built with openssl, skip the SSL tests.

Some clean up : 1, Removed cause of warnings from perl & other cosmetic changes
                2, Fixes to test such that  make -j 4 check passes
---
 tests/Makefile.am              |  10 ++-
 tests/SSLServer.pm             |  20 ++---
 tests/SSLTest.pm               |   1 +
 tests/Test-https-badcerts.px   | 164 +++++++++++++++++++++++++++++++++++++++
 tests/Test-https-clientcert.px | 159 ++++++++++++++++++++++++++++++++++++++
 tests/Test-https-crl.px        | 161 ++++++++++++++++++++++++++++++++++++++
 tests/Test-https-pfs.px        |  32 ++++++--
 tests/Test-https-selfsigned.px |  55 +++++++++----
 tests/Test-https-tlsv1.px      |  32 ++++++--
 tests/Test-https-tlsv1x.px     |  32 ++++++--
 tests/Test-https-weboftrust.px | 171 +++++++++++++++++++++++++++++++++++++++++
 tests/WgetFeature.cfg          |   1 +
 tests/certs/interca.conf       |  64 +++++++++++++++
 tests/certs/rootca.conf        |  64 +++++++++++++++
 tests/certs/test-ca-key.pem    |  58 ++++++++++++++
 tests/wgethosts                |   1 +
 16 files changed, 980 insertions(+), 45 deletions(-)
 create mode 100755 tests/Test-https-badcerts.px
 create mode 100755 tests/Test-https-clientcert.px
 create mode 100755 tests/Test-https-crl.px
 create mode 100755 tests/Test-https-weboftrust.px
 create mode 100644 tests/certs/interca.conf
 create mode 100644 tests/certs/rootca.conf
 create mode 100644 tests/certs/test-ca-key.pem
 create mode 100644 tests/wgethosts

diff --git a/tests/Makefile.am b/tests/Makefile.am
index c27c4ce..367a8c0 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -128,7 +128,15 @@ PX_TESTS = \
              Test--start-pos--continue.px \
              Test--httpsonly-r.px \
              Test-204.px \
-             Test-ftp-pasv-not-supported.px
+             Test-ftp-pasv-not-supported.px \
+             Test-https-pfs.px \
+             Test-https-tlsv1.px \
+             Test-https-tlsv1x.px \
+             Test-https-selfsigned.px \
+             Test-https-weboftrust.px \
+             Test-https-clientcert.px \
+             Test-https-crl.px \
+             Test-https-badcerts.px
 
 EXTRA_DIST = FTPServer.pm FTPTest.pm HTTPServer.pm HTTPTest.pm \
              WgetTests.pm WgetFeature.pm WgetFeature.cfg $(PX_TESTS) \
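Review bot: The EXTRA_DIST lines shown as context are unchanged, and the diffstat accounts for all 10 changed lines of this file in the PX_TESTS list, so the support files this patch creates (tests/certs/rootca.conf, tests/certs/interca.conf, tests/certs/test-ca-key.pem, tests/wgethosts) are not added to the distribution here. Unless an EXTRA_DIST entry outside this hunk already covers them, the eight newly listed tests will not find their inputs when run from a release tarball; please add them explicitly or confirm that make distcheck passes.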
diff --git a/tests/SSLServer.pm b/tests/SSLServer.pm
index ed121b1..a123a28 100644
--- a/tests/SSLServer.pm
+++ b/tests/SSLServer.pm
@@ -30,12 +30,12 @@ my $sslsock;
 my $plaincon;
 my %args;
 
-$HTTP::Daemon::DEBUG=5;
+#$HTTP::Daemon::DEBUG=5;
 #*DEBUG = \$HTTP::Daemon::DEBUG;
 
 $args{SSL_error_trap} ||= \&ssl_error;
 
-my $class = shift;
+my $class = 'SSLServer';
 my $self  = {};
 $self = bless $self, $class;
 
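Review bot: Replacing "my $class = shift;" with the string literal 'SSLServer' fixes the file-scope shift (which takes from @ARGV, not from a caller), but the literal has to be kept in sync with the package name by hand; __PACKAGE__ says the same thing without that risk. The debug setting is also better deleted than commented out, since the next line is already a commented-out DEBUG alias and the two dead lines now only document each other.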
@@ -46,6 +46,7 @@ sub init
 
     %ssl_params = %sargs;
     unless (exists($ssl_params{'lhostname'}) &&
+            exists($ssl_params{'sslport'})   &&
             exists($ssl_params{'ciphers'})   &&
             exists($ssl_params{'cafile'})    &&
             exists($ssl_params{'certfile'})  &&
@@ -57,7 +58,7 @@ sub init
 sub ssl_setup_conn
 {
     $sslsock = IO::Socket::SSL->new(LocalAddr       => $ssl_params{'lhostname'},
-                                    LocalPort       => 55443,
+                                    LocalPort       => $ssl_params{'sslport'},
                                     Listen          => 10,
                                     Timeout         => 30,
                                     ReuseAddr       => 1,
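Review bot: With LocalPort => $ssl_params{'sslport'} the port is still a constant chosen by hand in each .px file of this patch (60443, 50443, 51443, 52443, 62443, 53443, 54443, 56443, 57443), so parallel safety depends on nobody reusing a number, and most of these values sit inside the default Linux ephemeral range where an unrelated outgoing connection can already hold them. Together with ReuseAddr => 1 a clash may not show up as a clean bind error. Consider binding port 0 and passing the kernel-assigned port back to the test before the wget command line is built.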
@@ -67,7 +68,7 @@ sub ssl_setup_conn
                                     SSL_cert_file   => $ssl_params{'certfile'},
                                     SSL_key_file    => $ssl_params{'keyfile'});
 
-    $sslsock || warn $IO::Socket::SSL::ERROR;
+    $sslsock || die $IO::Socket::SSL::ERROR;
     return $sslsock;
 }
 
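Review bot: Once this line is "$sslsock || die $IO::Socket::SSL::ERROR;", the caller's "$sslsock || warn "Failed to get ssl sock";" that a later hunk keeps in run() can never fire, because ssl_setup_conn no longer returns on failure. Pick one place to handle the error: either drop the check in run(), or keep warn here and have run() return a failure the test can turn into exit 77 or a FAIL. Including the host and port in the die message would make failures under make check -j much easier to attribute.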
@@ -86,7 +87,7 @@ sub accept
     if ($sock) {
         ${*$sock}{'httpd_daemon'} = $self;
         ${*$self}{'httpd_daemon'} = $sock;
-        my $fileno = ${*$self}{'_SSL_fileno'} = fileno($self);
+        my $fileno = ${*$self}{'_SSL_fileno'} = &fileno($self);
         my $f = $sock->fileno;
         return wantarray ? ($sock, $peer) : $sock;
     }
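Review bot: "&fileno($self)" is not a cosmetic change: the & form calls a user-defined sub named fileno in this package instead of the builtin that "fileno($self)" resolved to, so the value stored in _SSL_fileno can differ from before. If calling the package's own method is the intent, write $self->fileno as the next line does for $sock, or CORE::fileno($self) if the builtin is wanted, and say which in a comment. In the visible lines $f is assigned and never used.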
@@ -157,19 +158,21 @@ sub run
 {
     my ($self, $urls, $synch_callback) = @_;
     my $initialized = 0;
+    my $sslsock;
 
     while (1)
     {
         if (!$initialized)
         {
+            $sslsock = $self->ssl_setup_conn();
+            $sslsock || warn "Failed to get ssl sock";
+
             $initialized = 1;
             open (LOGFILE, '>', "/tmp/wgetserver.log");
             LOGFILE->autoflush(1);
             print LOGFILE "Starting logging";
+            $synch_callback->() if $synch_callback;
         }
-        my $sslsock = $self->ssl_setup_conn();
-        $sslsock || warn "Failed to get ssl sock";
-        $synch_callback->() if $synch_callback;
 
         my $con = $self->accept();
         ${*$self}{'sslcon'} = $con;
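Review bot: The initialization block this hunk extends opens the fixed path /tmp/wgetserver.log with '>' and does not check the result of open. Now that these tests run under make check -j, every server process truncates and writes the same file, so the log of a failing test is overwritten by its neighbours, and a predictable name in a world-writable directory can be pre-created or symlinked by another local user. A per-test log under the test directory (or File::Temp) with "or die" on open avoids both problems.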
@@ -216,7 +219,6 @@ sub run
         print LOGFILE "Closing connection\n" if $log;
         close(LOGFILE);
         $con->close();
-        last;
     }
 }
 
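Review bot: With "last;" removed the while (1) loop goes round again after close(LOGFILE), but LOGFILE is opened only inside the "if (!$initialized)" block of the previous hunk, so from the second connection on every "print LOGFILE" writes to a closed handle. Move the close out of the loop or reopen in append mode per connection. The loop also has no visible exit any more; please add a comment stating how the server process is expected to terminate (killed by the parent, presumably).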
diff --git a/tests/SSLTest.pm b/tests/SSLTest.pm
index a38acfb..ec37c76 100644
--- a/tests/SSLTest.pm
+++ b/tests/SSLTest.pm
@@ -16,6 +16,7 @@ my %ssl_defaults = (
     _cafile    => "certs/test-ca-cert.pem",
     _ciphers   => 'ALL',
     _lhostname => 'wgettestingserver',
+    _sslport   => 55443,
 );
 
 {
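Review bot: Defaulting _sslport to 55443 means a test that forgets to pass sslport silently falls back to the shared port that the per-test port numbers in this patch are meant to avoid, and if these defaults are what reaches SSLServer::init, the new exists($ssl_params{'sslport'}) check there can never catch the omission. Either leave the default out so a missing port fails loudly, or document next to this line that tests run in parallel must override it.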
diff --git a/tests/Test-https-badcerts.px b/tests/Test-https-badcerts.px
new file mode 100755
index 0000000..9def1d7
--- /dev/null
+++ b/tests/Test-https-badcerts.px
@@ -0,0 +1,164 @@
+#!/usr/bin/env perl
+
+use strict;
+use warnings;
+use POSIX;
+use Socket;
+use WgetFeature qw(https ssl/openssl);
+use SSLTest;
+
+###############################################################################
+
+# code, msg, headers, content
+my %urls = (
+    '/somefile.txt' => {
+        code => "200",
+        msg => "Dontcare",
+        headers => {
+            "Content-type" => "text/plain",
+        },
+        content => "blabla",
+    },
+);
+
+# Skip the test if openssl is not available
+my $ossl = `openssl version`;
+unless ($ossl =~ m/OpenSSL 1/)
+{
+  exit 77;
+}
+
+my $cdir = $ENV{'PWD'};
+
+# HOSTALIASES env variable allows us to create hosts file alias.
+my $testhostname = "WgetTestingServer";
+my $testhostfile = "$cdir/wgethosts";
+$ENV{'HOSTALIASES'} = "$cdir/wgethosts";
+
+my $addr = gethostbyname($testhostname) or
+    exit 77;
+unless (inet_ntoa($addr) =~ "127.0.0.1")
+{
+    warn "Failed to resolve $testhostname";
+    exit 77;
+}
+
+# Create certindex
+open  CERTID, ">", "$cdir/certs/certindex" or
+      warn "Cannot overwrite file $cdir/certs/certindex";
+close CERTID;
+
+# Create certserial
+open  CERTSN, ">", "$cdir/certs/certserial" or
+      warn "Cannot overwrite file $cdir/certs/certserial";
+print CERTSN "1122";
+close CERTSN;
+
+# Create crlnumber
+open  CRLN, ">", "$cdir/certs/crlnumber" or
+      warn "Cannot overwrite file $cdir/certs/crlnumber";
+print CRLN "1122";
+close CRLN;
+
+my $caconf     = "$cdir/certs/rootca.conf";
+my $cacrt      = "$cdir/certs/test-ca-cert.pem";
+my $cakey      = "$cdir/certs/test-ca-key.pem";
+
+# Prepare expired server certificate
+my $servercrt  = "certs/tmpserver3.crt";
+my $serverkey  = "certs/tmpserver3.key";
+my $servercsr  = "$cdir/certs/tmpserver3.csr";
+my $enddate    = strftime "%y%m%d%H%M%S%z", localtime(time-86400);
+my $startdate  = strftime "%y%m%d%H%M%S%z", localtime(time+86400);
+my $serversubj = "/C=US/ST=CA/L=Server Mystery Spot/O=Serv/CN=".
+                 "$testhostname/emailAddress=servertester";
+my $servercmd  = "openssl genrsa -out $serverkey 4096 && openssl req -new".
+                 " -sha256 -key $serverkey -out $servercsr -days 365 ".
+                 " -subj \"$serversubj\" &&".
+                 "openssl ca -batch -config $caconf -notext ".
+                 "-enddate $enddate -in $servercsr".
+                 " -out $servercrt";
+system($servercmd);
+
+my $servercheck =`(openssl x509 -noout -modulus -in $servercrt | openssl md5 ;
+                   openssl rsa  -noout -modulus -in $serverkey | openssl md5) |
+                   uniq | wc -l`;
+# Check if certificate and key are made correctly.
+unless(-e $servercrt && -e $serverkey && $servercheck == 1)
+{
+    exit 77; # skip
+}
+
+# Try Wget using SSL with expired cert. Expect Failure.
+my $port    = 60443;
+my $cmdline = $WgetTest::WGETPATH . " --ca-certificate=$cacrt".
+                                    " https://$testhostname:$port/somefile.txt";;
+my $expected_error_code = 5;
+my %existing_files = (
+);
+
+my %expected_downloaded_files = (
+  'somefile.txt' => {
+    content => "blabla",
+  },
+);
+
+my $sslsock = SSLTest->new(cmdline   => $cmdline,
+                           input     => \%urls,
+                           errcode   => $expected_error_code,
+                           existing  => \%existing_files,
+                           output    => \%expected_downloaded_files,
+                           certfile  => $servercrt,
+                           keyfile   => $serverkey,
+                           lhostname => $testhostname,
+                           sslport   => $port);
+if ($sslsock->run() == 0)
+{
+  exit -1;
+}
+print "Test successful.\n";
+
+system("/bin/rm $servercrt $serverkey $servercsr");
+$servercmd  = "openssl genrsa -out $serverkey 4096 && openssl req -new".
+              " -sha256 -key $serverkey -out $servercsr -days 365 ".
+              " -subj \"$serversubj\" &&".
+              "openssl ca -batch -config $caconf -notext ".
+              " -startdate $startdate -in $servercsr".
+              " -out $servercrt";
+system($servercmd);
+
+$servercheck =`(openssl x509 -noout -modulus -in $servercrt | openssl md5 ;
+                openssl rsa  -noout -modulus -in $serverkey | openssl md5) |
+                uniq | wc -l`;
+# Check if certificate and key are made correctly.
+unless(-e $servercrt && -e $serverkey && $servercheck == 1)
+{
+    exit 77; # skip
+}
+
+
+# Retry the test with --no-check-certificate. expect success
+$port    = 50443;
+$cmdline = $WgetTest::WGETPATH . " --ca-certificate=$cacrt".
+                                 " https://$testhostname:$port/somefile.txt";;
+
+$expected_error_code = 5;
+
+my $retryssl = SSLTest->new(cmdline  => $cmdline,
+                           input     => \%urls,
+                           errcode   => $expected_error_code,
+                           existing  => \%existing_files,
+                           output    => \%expected_downloaded_files,
+                           certfile  => $servercrt,
+                           keyfile   => $serverkey,
+                           lhostname => $testhostname,
+                           sslport   => $port);
+if ($retryssl->run() == 0)
+{
+  exit 0;
+}
+else
+{
+  exit -1;
+}
+# vim: et ts=4 sw=4
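Review bot: $enddate and $startdate are built with strftime "%y%m%d%H%M%S%z" on localtime, which yields a numeric offset such as -0700 at the end, whereas openssl ca documents -startdate/-enddate as YYMMDDHHMMSSZ in UTC with a literal Z. Please use gmtime and a literal "Z"; a validity time encoded with an offset is a plausible source of the "GnuTLS: ASN1 parser: Error in DER parsing" failure reported for this test, and fixing it may remove the need for the ssl/openssl restriction on the use WgetFeature line. Two further points in the same file: the first block treats run() == 0 as failure (exit -1) while the last block treats run() == 0 as success (exit 0), so one of them is inverted; and the comment "Retry the test with --no-check-certificate. expect success" does not match the code under it, which passes no such option, expects code 5 and actually exercises the not-yet-valid certificate. Smaller items: the result of system($servercmd) is ignored, "/bin/rm" can be unlink, the tmpserver3 files are left behind at the end, and "unless ($ossl =~ m/OpenSSL 1/)" skips on any openssl tool whose version string does not start with 1.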
diff --git a/tests/Test-https-clientcert.px b/tests/Test-https-clientcert.px
new file mode 100755
index 0000000..a1c7c9b
--- /dev/null
+++ b/tests/Test-https-clientcert.px
@@ -0,0 +1,159 @@
+#!/usr/bin/env perl
+
+use strict;
+use warnings;
+use Socket;
+use WgetFeature qw(https);
+use SSLTest;
+
+###############################################################################
+
+# code, msg, headers, content
+my %urls = (
+    '/somefile.txt' => {
+        code => "200",
+        msg => "Dontcare",
+        headers => {
+            "Content-type" => "text/plain",
+        },
+        content => "blabla",
+    },
+);
+
+# Skip the test if openssl is not available
+my $ossl = `openssl version`;
+unless ($ossl =~ m/OpenSSL 1/)
+{
+  exit 77;
+}
+
+my $cdir = $ENV{'PWD'};
+
+# HOSTALIASES env variable allows us to create hosts file alias.
+my $testhostname = "WgetTestingServer";
+my $testhostfile = "$cdir/wgethosts";
+$ENV{'HOSTALIASES'} = "$cdir/wgethosts";
+
+my $addr = gethostbyname($testhostname) or
+    exit 77;
+unless (inet_ntoa($addr) =~ "127.0.0.1")
+{
+    warn "Failed to resolve $testhostname";
+    exit 77;
+}
+
+# Create certindex
+open  CERTID, ">", "$cdir/certs/certindex" or
+      warn "Cannot overwrite file $cdir/certs/certindex";
+close CERTID;
+
+# Create certserial
+open  CERTSN, ">", "$cdir/certs/certserial" or
+      warn "Cannot overwrite file $cdir/certs/certserial";
+print CERTSN "1122";
+close CERTSN;
+
+# Create crlnumber
+open  CRLN, ">", "$cdir/certs/crlnumber" or
+      warn "Cannot overwrite file $cdir/certs/crlnumber";
+close CRLN;
+
+my $caconf     = "$cdir/certs/rootca.conf";
+my $cacrt      = "$cdir/certs/test-ca-cert.pem";
+my $cakey      = "$cdir/certs/test-ca-key.pem";
+
+# Prepare server certificate
+my $servercrt  = "certs/tmpserver1.crt";
+my $serverkey  = "certs/tmpserver1.key";
+my $servercsr  = "$cdir/certs/tmpserver.csr";
+my $serversubj = "/C=US/ST=CA/L=Server Mystery Spot/O=Serv/CN=".
+                 "$testhostname/emailAddress=servertester";
+my $servercmd  = "openssl genrsa -out $serverkey 4096 && openssl req -new".
+                 " -sha256 -key $serverkey -out $servercsr -days 365 ".
+                 " -subj \"$serversubj\" &&".
+                 "openssl ca -batch -config $caconf -notext -in $servercsr".
+                 " -out $servercrt";
+
+system($servercmd);
+my $servercheck =`(openssl x509 -noout -modulus -in $servercrt | openssl md5 ;
+                   openssl rsa  -noout -modulus -in $serverkey | openssl md5) |
+                   uniq | wc -l`;
+# Check if certificate and key are made correctly.
+unless(-e $servercrt && -e $serverkey && $servercheck == 1)
+{
+    exit 77; # skip
+}
+
+# Prepare client certifcate
+my $clientcert     = "$cdir/certs/client.crt";
+my $clientkey      = "$cdir/certs/client.key";
+my $clientcsr      = "$cdir/certs/client.csr";
+my $clientsubj     = "/C=US/ST=CA/L=Client Mystery Spot/O=Client/CN=".
+                     "Client Tester/emailAddress=clienttester";
+my $clientcertcmd  = "openssl genrsa  -out $clientkey 4096 &&".
+                     " openssl req -new -key $clientkey -out $clientcsr".
+                     "  -subj \"$clientsubj\" &&".
+                     " openssl ca -config $caconf -in $clientcsr ".
+                     "  -out $clientcert -batch";
+
+system($clientcertcmd);
+my $clientcheck=`(openssl x509 -noout -modulus -in $clientcert | openssl md5 ;
+                  openssl rsa -noout -modulus -in $clientkey | openssl md5) |
+                  uniq | wc -l`;
+
+# Check if  signed certificate and key are made correctly.
+unless(-e $clientcert && -e $clientkey && $clientcheck == 1)
+{
+    exit 77; # skip
+}
+
+# Try Wget using SSL with mismatched client cert & key . Expect error
+my $port = 51443;
+my $cmdline = $WgetTest::WGETPATH . " --certificate=$clientcert ".
+                                    " --private-key=$serverkey ".
+                                    " --ca-certificate=$cacrt".
+                                    " https://$testhostname:$port/somefile.txt";;
+my $expected_error_code = 5;
+my %existing_files = (
+);
+
+my %expected_downloaded_files = (
+  'somefile.txt' => {
+    content => "blabla",
+  },
+);
+
+my $sslsock = SSLTest->new(cmdline   => $cmdline,
+                           input     => \%urls,
+                           errcode   => $expected_error_code,
+                           existing  => \%existing_files,
+                           output    => \%expected_downloaded_files,
+                           certfile  => $servercrt,
+                           keyfile   => $serverkey,
+                           lhostname => $testhostname,
+                           sslport   => $port);
+if ($sslsock->run() == 0)
+{
+  exit 0;
+}
+
+# Retry wget using SSL with client certificate. Expect success
+$port    = 52443;
+$cmdline = $WgetTest::WGETPATH . " --certificate=$clientcert".
+                                 " --private-key=$clientkey ".
+                                 " --ca-certificate=$cacrt".
+                                 " https://$testhostname:$port/somefile.txt";;
+
+$expected_error_code = 0;
+
+my $retryssl = SSLTest->new(cmdline  => $cmdline,
+                           input     => \%urls,
+                           errcode   => $expected_error_code,
+                           existing  => \%existing_files,
+                           output    => \%expected_downloaded_files,
+                           certfile  => $servercrt,
+                           keyfile   => $serverkey,
+                           lhostname => $testhostname,
+                           sslport   => $port);
+exit $retryssl->run();
+# vim: et ts=4 sw=4
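Review bot: In the mismatched cert/key case, "if ($sslsock->run() == 0) { exit 0; }" ends the script as soon as that case passes (the file's last line, "exit $retryssl->run();", shows that 0 is the passing value), so the "Retry wget using SSL with client certificate. Expect success" block never runs on a good build. Exit only on a non-zero result and fall through on 0. Also, none of the arguments passed to SSLTest->new asks the server to request or verify a client certificate; unless the server does that by default, the success case would pass even if wget never sent the certificate, so please make the requirement explicit. Finally, this file declares only "use WgetFeature qw(https);" while the commit message says the SSL tests are skipped when wget is not built with openssl, and $servercsr points at certs/tmpserver.csr, the same path Test-https-crl.px uses, which is a race under make check -j.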
diff --git a/tests/Test-https-crl.px b/tests/Test-https-crl.px
new file mode 100755
index 0000000..62456f9
--- /dev/null
+++ b/tests/Test-https-crl.px
@@ -0,0 +1,161 @@
+#!/usr/bin/env perl
+
+use strict;
+use warnings;
+use Socket;
+use WgetFeature qw(https);
+use SSLTest;
+
+###############################################################################
+
+# code, msg, headers, content
+my %urls = (
+    '/somefile.txt' => {
+        code => "200",
+        msg => "Dontcare",
+        headers => {
+            "Content-type" => "text/plain",
+        },
+        content => "blabla",
+    },
+);
+
+# Skip the test if openssl is not available
+my $ossl = `openssl version`;
+unless ($ossl =~ m/OpenSSL 1/)
+{
+  exit 77;
+}
+
+my $cdir = $ENV{'PWD'};
+
+# HOSTALIASES env variable allows us to create hosts file alias.
+my $testhostname = "WgetTestingServer";
+my $testhostfile = "$cdir/wgethosts";
+$ENV{'HOSTALIASES'} = "$cdir/wgethosts";
+
+my $addr = gethostbyname($testhostname) or
+    exit 77;
+unless (inet_ntoa($addr) =~ "127.0.0.1")
+{
+    warn "Failed to resolve $testhostname";
+    exit 77;
+}
+
+# Create certindex
+open  CERTID, ">", "$cdir/certs/certindex" or
+      warn "Cannot overwrite file $cdir/certs/certindex";
+close CERTID;
+
+# Create certserial
+open  CERTSN, ">", "$cdir/certs/certserial" or
+      warn "Cannot overwrite file $cdir/certs/certserial";
+print CERTSN "1122";
+close CERTSN;
+
+# Create crlnumber
+open  CRLN, ">", "$cdir/certs/crlnumber" or
+      warn "Cannot overwrite file $cdir/certs/crlnumber";
+print CRLN "1122";
+close CRLN;
+
+my $caconf     = "$cdir/certs/rootca.conf";
+my $cacrt      = "$cdir/certs/test-ca-cert.pem";
+my $cakey      = "$cdir/certs/test-ca-key.pem";
+
+# Prepare server certificate
+my $servercrt  = "certs/tmpserver2.crt";
+my $serverkey  = "certs/tmpserver2.key";
+my $servercsr  = "$cdir/certs/tmpserver.csr";
+my $serversubj = "/C=US/ST=CA/L=Server Mystery Spot/O=Serv/CN=".
+                 "$testhostname/emailAddress=servertester";
+my $servercmd  = "openssl genrsa -out $serverkey 4096 && openssl req -new".
+                 " -sha256 -key $serverkey -out $servercsr -days 365 ".
+                 " -subj \"$serversubj\" &&".
+                 "openssl ca -batch -config $caconf -notext -in $servercsr".
+                 " -out $servercrt";
+
+system($servercmd);
+
+my $servercheck =`(openssl x509 -noout -modulus -in $servercrt | openssl md5 ;
+                   openssl rsa  -noout -modulus -in $serverkey | openssl md5) |
+                   uniq | wc -l`;
+# Check if certificate and key are made correctly.
+unless(-e $servercrt && -e $serverkey && $servercheck == 1)
+{
+    exit 77; # skip
+}
+
+# Try Wget using SSL first without --no-check-certificate. Expect Success.
+my $port    = 62443;
+my $cmdline = $WgetTest::WGETPATH . " --ca-certificate=$cacrt".
+                                    " https://$testhostname:$port/somefile.txt";;
+my $expected_error_code = 0;
+my %existing_files = (
+);
+
+my %expected_downloaded_files = (
+  'somefile.txt' => {
+    content => "blabla",
+  },
+);
+
+my $sslsock = SSLTest->new(cmdline   => $cmdline,
+                           input     => \%urls,
+                           errcode   => $expected_error_code,
+                           existing  => \%existing_files,
+                           output    => \%expected_downloaded_files,
+                           certfile  => $servercrt,
+                           keyfile   => $serverkey,
+                           lhostname => $testhostname,
+                           sslport   => $port);
+if ($sslsock->run() != 0)
+{
+  exit -1;
+}
+
+# Revoke the certificate
+my $crlfile   = "$cdir/certs/servercrl.pem";
+my $revokecmd = "openssl ca -config $caconf -revoke $servercrt &&
+                 openssl ca -config $caconf -gencrl -keyfile $cakey ".
+                 "-cert $cacrt -out $crlfile";
+
+system($revokecmd);
+# Check if CRL file is generated.
+unless(-e $crlfile)
+{
+    exit 77; # skip
+}
+
+# To read a CRL file use the following command:
+# openssl crl -text -in certs/root.crl.pem
+
+# Retry the test with CRL. Expect Failure.
+$port    = 53443;
+$cmdline = $WgetTest::WGETPATH . " --crl-file=$crlfile ".
+                                 " --ca-certificate=$cacrt".
+                                 " https://$testhostname:$port/somefile.txt";;
+
+$expected_error_code = 5;
+
+my $retryssl = SSLTest->new(cmdline  => $cmdline,
+                           input     => \%urls,
+                           errcode   => $expected_error_code,
+                           existing  => \%existing_files,
+                           output    => \%expected_downloaded_files,
+                           certfile  => $servercrt,
+                           keyfile   => $serverkey,
+                           lhostname => $testhostname,
+                           sslport   => $port);
+if ($retryssl->run() == 0)
+{
+  unlink "$cdir/certs/crlnumber";
+  exit -1;
+}
+else
+{
+  unlink "$cdir/certs/crlnumber";
+  print "Test successful.\n";
+  exit 0;
+}
+# vim: et ts=4 sw=4
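Review bot: This test, Test-https-clientcert.px and Test-https-badcerts.px all truncate and rewrite the same CA state files (certs/certindex, certs/certserial seeded with 1122, certs/crlnumber) and sign against the same rootca.conf, and this file unlinks certs/crlnumber on exit. Under make check -j these run concurrently, so one test can reset the index or serial while another is inside "openssl ca", and the revoke/gencrl step here depends on the index entry written a few lines earlier still being there. Give each test its own CA database directory (or its own copy of the conf pointing at private index/serial/crlnumber files). Separately, expecting exit code 5 after revocation does not show that the CRL was the reason for the failure; checking the wget output for the revocation message, or first running once more with --crl-file before revoking and expecting success, would make the test specific. The comment naming certs/root.crl.pem does not match $crlfile (certs/servercrl.pem), and the return value of system($revokecmd) is not checked.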
diff --git a/tests/Test-https-pfs.px b/tests/Test-https-pfs.px
index f23dd37..0c9e202 100755
--- a/tests/Test-https-pfs.px
+++ b/tests/Test-https-pfs.px
@@ -2,7 +2,8 @@
 
 use strict;
 use warnings;
-
+use Socket;
+use WgetFeature qw(https);
 use SSLTest;
 
 ###############################################################################
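Review bot: "use WgetFeature qw(https);" only requires HTTPS support, while the commit message states that the SSL tests are skipped when wget is not built with openssl and Test-https-badcerts.px in this patch requests "https ssl/openssl". Please make the feature list and the commit message agree: either request ssl/openssl here as well, or reword the message to say that only the bad-certificate test is restricted.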
@@ -19,15 +20,31 @@ my %urls = (
     },
 );
 
+# Skip the test if openssl is not available
+my $ossl = `openssl version`;
+unless ($ossl =~ m/OpenSSL 1/)
+{
+  exit 77;
+}
+
 my $cdir = $ENV{'PWD'};
 # HOSTALIASES env variable allows us to create hosts file alias.
 my $testhostname = "WgetTestingServer";
 my $testhostfile = "$cdir/wgethosts";
-open(my $fh, '>', $testhostfile);
-print $fh "$testhostname 127.0.0.1\n";
-close $fh;
 $ENV{'HOSTALIASES'} = "$cdir/wgethosts";
-my $cmdline = $WgetTest::WGETPATH . " --secure-protocol=PFS --ca-certificate=$cdir/certs/test-ca-cert.pem https://$testhostname:55443/somefile.txt";;
+
+my $addr = gethostbyname($testhostname) or
+    exit 77;
+unless (inet_ntoa($addr) =~ "127.0.0.1")
+{
+    warn "Failed to resolve $testhostname";
+    exit 77;
+}
+
+my $port    = 54443;
+my $cmdline = $WgetTest::WGETPATH . " --secure-protocol=PFS".
+                                    " --ca-certificate=$cdir/certs/test-ca-cert.pem".
+                                    " https://$testhostname:$port/somefile.txt";;
 
 my $expected_error_code = 0;
 
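Review bot: The new "unless ($ossl =~ m/OpenSSL 1/) { exit 77; }" guard skips this test when the openssl command is missing or reports any version string other than 1.x, yet nothing in the visible lines of this test invokes the openssl tool; it uses the pre-made certs/test-ca-cert.pem. The guard should be dropped here, and where it is needed it should test for the command's presence rather than a version prefix. In the resolver check, inet_ntoa($addr) =~ "127.0.0.1" is an unanchored regex in which each dot matches any character; "eq '127.0.0.1'" is what is meant. $testhostfile is assigned and then the same path is spelled out again for HOSTALIASES.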
@@ -44,7 +61,8 @@ my $sslsock = SSLTest->new(cmdline  => $cmdline,
                            input    => \%urls,
                            errcode  => $expected_error_code,
                            existing => \%existing_files,
-                           output   => \%expected_downloaded_files);
-$sslsock->run();
+                           output   => \%expected_downloaded_files,
+                           sslport  => $port);
+exit $sslsock->run();
 
 # vim: et ts=4 sw=4
diff --git a/tests/Test-https-selfsigned.px b/tests/Test-https-selfsigned.px
index 30a6caa..05cbf4d 100755
--- a/tests/Test-https-selfsigned.px
+++ b/tests/Test-https-selfsigned.px
@@ -2,7 +2,8 @@
 
 use strict;
 use warnings;
-
+use Socket;
+use WgetFeature qw(https);
 use SSLTest;
 
 ###############################################################################
@@ -19,32 +20,50 @@ my %urls = (
     },
 );
 
+# Skip the test if openssl is not available
+my $ossl = `openssl version`;
+unless ($ossl =~ m/OpenSSL 1/)
+{
+  exit 77;
+}
+
 my $cdir = $ENV{'PWD'};
 
 # HOSTALIASES env variable allows us to create hosts file alias.
-my $testhostname = "wgettesterr";
+my $testhostname = "WgetTestingServer";
 my $testhostfile = "$cdir/wgethosts";
-open(my $fh, '>', $testhostfile);
-print $fh "$testhostname 127.0.0.1\n";
-close $fh;
 $ENV{'HOSTALIASES'} = "$cdir/wgethosts";
 
+my $addr = gethostbyname($testhostname) or
+    exit 77;
+unless (inet_ntoa($addr) =~ "127.0.0.1")
+{
+    warn "Failed to resolve $testhostname";
+    exit 77;
+}
+
 # Prepare self-signed certifcates
 my $certfile="tmpsscert.pem";
 my $keyfile="tmpsskey.pem";
 my $certsubj="/C=US/ST=CA/L=Mystery Spot/O=Dis/CN=$testhostname/emailAddress=tester";
-my $sscertcmd="openssl req -x509 -nodes -newkey rsa:4096 -keyout $keyfile -out $certfile -days 365 -subj \"$certsubj\"";
+my $sscertcmd="openssl req -x509 -nodes -newkey rsa:4096 -keyout $keyfile ".
+              " -out $certfile -days 365 -subj \"$certsubj\"";
 
 system($sscertcmd);
-my $sscheck=`(openssl x509 -noout -modulus -in $certfile | openssl md5 ;   openssl rsa -noout -modulus -in $keyfile | openssl md5) | uniq|wc -l`;
+my $sscheck=`(openssl x509 -noout -modulus -in $certfile | openssl md5 ;
+              openssl rsa  -noout -modulus -in $keyfile | openssl md5) |
+              uniq|wc -l`;
 
 # Check if Self signed certificate and key are made correctly.
-unless(-e $certfile && -e $keyfile && $sscheck == 1) {
+unless(-e $certfile && -e $keyfile && $sscheck == 1)
+{
     exit 77; # skip
 }
 
 # Try Wget using SSL first without --no-check-certificate. expect error
-my $cmdline = $WgetTest::WGETPATH . " --ca-certificate=$cdir/certs/test-ca-cert.pem https://$testhostname:55443/somefile.txt";;
+my $port    = 56443;
+my $cmdline = $WgetTest::WGETPATH . " --ca-certificate=$cdir/certs/test-ca-cert.pem".
+                                    " https://$testhostname:$port/somefile.txt";;
 my $expected_error_code = 5;
 my %existing_files = (
 );
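Review bot: The skip guard added at the top of this hunk tests the `openssl` command-line tool, not the TLS library Wget is built against, so a GnuTLS build of Wget on a machine with an OpenSSL 1.x tool still runs the test. The cover note says the intent is to skip when Wget is not using OpenSSL. The `ssl/openssl` feature this patch adds to WgetFeature.cfg looks like the hook for that, yet the script still imports only `qw(https)`. The CLI check is still needed for certificate generation, but `m/OpenSSL 1/` is unanchored and accepts only a 1.x tool; a comment saying why other versions are excluded would help.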
@@ -62,11 +81,18 @@ my $sslsock = SSLTest->new(cmdline   => $cmdline,
                            output    => \%expected_downloaded_files,
                            certfile  => $certfile,
                            keyfile   => $keyfile,
-                           lhostname => $testhostname);
-$sslsock->run();
+                           lhostname => $testhostname,
+                           sslport   => $port);
+if ($sslsock->run() == 0)
+{
+  exit 0;
+}
 
 # Retry the test with --no-check-certificate. expect success
-$cmdline = $WgetTest::WGETPATH . " --no-check-certificate --ca-certificate=$cdir/certs/test-ca-cert.pem https://$testhostname:55443/somefile.txt";;
+$port    = 57443;
+$cmdline = $WgetTest::WGETPATH . " --no-check-certificate ".
+                                 " --ca-certificate=$cdir/certs/test-ca-cert.pem".
+                                 " https://$testhostname:$port/somefile.txt";;
 
 $expected_error_code = 0;
 
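Review bot: `if ($sslsock->run() == 0) { exit 0; }` ends the script with a passing status before the `--no-check-certificate` retry below it is set up, assuming `run()` returns 0 when the observed exit code matched `errcode` (which `exit $retryssl->run();` at the end of the file suggests). That would leave the second stage unexecuted on every passing run. If the intent is to stop when the first stage fails, invert the condition and propagate the status, e.g. `my $rc = $sslsock->run(); exit $rc if $rc != 0;`, and document the return convention of `run()` in a comment.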
@@ -77,6 +103,7 @@ my $retryssl = SSLTest->new(cmdline  => $cmdline,
                            output    => \%expected_downloaded_files,
                            certfile  => $certfile,
                            keyfile   => $keyfile,
-                           lhostname => $testhostname);
-$retryssl->run();
+                           lhostname => $testhostname,
+                           sslport   => $port);
+exit $retryssl->run();
 # vim: et ts=4 sw=4
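Review bot: `exit $retryssl->run();` is the last statement, so nothing in this script removes the `tmpsscert.pem` and `tmpsskey.pem` generated earlier; unless SSLTest cleans them up, each run leaves a 4096-bit key pair in the working directory. Capturing the status, unlinking both files and then exiting would keep the tree clean.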
diff --git a/tests/Test-https-tlsv1.px b/tests/Test-https-tlsv1.px
index 22665f5..8bd58d0 100755
--- a/tests/Test-https-tlsv1.px
+++ b/tests/Test-https-tlsv1.px
@@ -2,7 +2,8 @@
 
 use strict;
 use warnings;
-
+use Socket;
+use WgetFeature qw(https);
 use SSLTest;
 
 ###############################################################################
@@ -19,15 +20,31 @@ my %urls = (
     },
 );
 
+# Skip the test if openssl is not available
+my $ossl = `openssl version`;
+unless ($ossl =~ m/OpenSSL 1/)
+{
+  exit 77;
+}
+
 my $cdir = $ENV{'PWD'};
 # HOSTALIASES env variable allows us to create hosts file alias.
 my $testhostname = "WgetTestingServer";
 my $testhostfile = "$cdir/wgethosts";
-open(my $fh, '>', $testhostfile);
-print $fh "$testhostname 127.0.0.1\n";
-close $fh;
 $ENV{'HOSTALIASES'} = "$cdir/wgethosts";
-my $cmdline = $WgetTest::WGETPATH . " --secure-protocol=TLSv1 --ca-certificate=$cdir/certs/test-ca-cert.pem https://$testhostname:55443/somefile.txt";;
+
+my $addr = gethostbyname($testhostname) or
+    exit 77;
+unless (inet_ntoa($addr) =~ "127.0.0.1")
+{
+    warn "Failed to resolve $testhostname";
+    exit 77;
+}
+
+my $port    = 58443;
+my $cmdline = $WgetTest::WGETPATH . " --secure-protocol=TLSv1".
+                                    " --ca-certificate=$cdir/certs/test-ca-cert.pem".
+                                    " https://$testhostname:$port/somefile.txt";;
 
 my $expected_error_code = 0;
 
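Review bot: `inet_ntoa($addr) =~ "127.0.0.1"` is a regex match, so the dots match any character and the pattern is unanchored; `inet_ntoa($addr) eq "127.0.0.1"` states what is meant. The two skip paths also behave differently: `gethostbyname(...) or exit 77` skips silently, while the mismatch branch warns "Failed to resolve" although the name did resolve, just not to loopback. A message on both paths that names the HOSTALIASES file would make a skipped test diagnosable. `$testhostfile` is now assigned but no longer used in the lines shown.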
@@ -44,7 +61,8 @@ my $sslsock = SSLTest->new(cmdline  => $cmdline,
                            input    => \%urls,
                            errcode  => $expected_error_code,
                            existing => \%existing_files,
-                           output   => \%expected_downloaded_files);
-$sslsock->run();
+                           output   => \%expected_downloaded_files,
+                           sslport  => $port);
+exit $sslsock->run();
 
 # vim: et ts=4 sw=4
diff --git a/tests/Test-https-tlsv1x.px b/tests/Test-https-tlsv1x.px
index 8dd57dc..9d31942 100755
--- a/tests/Test-https-tlsv1x.px
+++ b/tests/Test-https-tlsv1x.px
@@ -2,7 +2,8 @@
 
 use strict;
 use warnings;
-
+use Socket;
+use WgetFeature qw(https);
 use SSLTest;
 
 ###############################################################################
@@ -19,15 +20,31 @@ my %urls = (
     },
 );
 
+# Skip the test if openssl is not available
+my $ossl = `openssl version`;
+unless ($ossl =~ m/OpenSSL 1/)
+{
+  exit 77;
+}
+
 my $cdir = $ENV{'PWD'};
 # HOSTALIASES env variable allows us to create hosts file alias.
 my $testhostname = "WgetTestingServer";
 my $testhostfile = "$cdir/wgethosts";
-open(my $fh, '>', $testhostfile);
-print $fh "$testhostname 127.0.0.1\n";
-close $fh;
 $ENV{'HOSTALIASES'} = "$cdir/wgethosts";
-my $cmdline = $WgetTest::WGETPATH . " --secure-protocol=TLSv1_1 --ca-certificate=$cdir/certs/test-ca-cert.pem https://$testhostname:55443/somefile.txt";;
+
+my $addr = gethostbyname($testhostname) or
+    exit 77;
+unless (inet_ntoa($addr) =~ "127.0.0.1")
+{
+    warn "Failed to resolve $testhostname";
+    exit 77;
+}
+
+my $port    = 59443;
+my $cmdline = $WgetTest::WGETPATH . " --secure-protocol=TLSv1_1".
+                                    " --ca-certificate=$cdir/certs/test-ca-cert.pem".
+                                    " https://$testhostname:$port/somefile.txt";;
 
 my $expected_error_code = 0;
 
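Review bot: The OpenSSL guard and the `gethostbyname` / `inet_ntoa` block in this hunk are the same lines added to Test-https-selfsigned.px, Test-https-tlsv1.px and Test-https-weboftrust.px, so any fix has to be repeated in each copy. Moving them into one helper (SSLTest or a small shared module) that returns skip or continue would keep the scripts in sync. The per-test port (`my $port = 59443;` here, other values elsewhere) deserves a one-line comment saying the ports differ so the tests can run in parallel.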
@@ -44,7 +61,8 @@ my $sslsock = SSLTest->new(cmdline  => $cmdline,
                            input    => \%urls,
                            errcode  => $expected_error_code,
                            existing => \%existing_files,
-                           output   => \%expected_downloaded_files);
-$sslsock->run();
+                           output   => \%expected_downloaded_files,
+                           sslport  => $port);
+exit $sslsock->run();
 
 # vim: et ts=4 sw=4
diff --git a/tests/Test-https-weboftrust.px b/tests/Test-https-weboftrust.px
new file mode 100755
index 0000000..f0cf6c8
--- /dev/null
+++ b/tests/Test-https-weboftrust.px
@@ -0,0 +1,171 @@
+#!/usr/bin/env perl
+
+use strict;
+use warnings;
+use Socket;
+use WgetFeature qw(https);
+use SSLTest;
+
+###############################################################################
+
+# code, msg, headers, content
+my %urls = (
+    '/somefile.txt' => {
+        code => "200",
+        msg => "Dontcare",
+        headers => {
+            "Content-type" => "text/plain",
+        },
+        content => "blabla",
+    },
+);
+
+# Skip the test if openssl is not available
+my $ossl = `openssl version`;
+unless ($ossl =~ m/OpenSSL 1/)
+{
+  exit 77;
+}
+
+my $cdir = $ENV{'PWD'};
+
+# HOSTALIASES env variable allows us to create hosts file alias.
+my $testhostname = "WgetTestingServer";
+my $testhostfile = "$cdir/wgethosts";
+$ENV{'HOSTALIASES'} = "$cdir/wgethosts";
+
+my $addr = gethostbyname($testhostname) or
+    exit 77;
+unless (inet_ntoa($addr) =~ "127.0.0.1")
+{
+    warn "Failed to resolve $testhostname";
+    exit 77;
+}
+
+# Create certindex
+open  CERTID, ">", "$cdir/certs/certindex" or
+      warn "Cannot overwrite file $cdir/certs/certindex";
+close CERTID;
+
+# Create certserial
+open  CERTSN, ">", "$cdir/certs/certserial" or
+      warn "Cannot overwrite file $cdir/certs/certserial";
+print CERTSN "1122";
+close CERTSN;
+
+# Create crlnumber
+open  CRLN, ">", "$cdir/certs/crlnumber" or
+      warn "Cannot overwrite file $cdir/certs/crlnumber";
+close CRLN;
+
+# Create Intermediate CA
+my $caconf   = "certs/rootca.conf";
+my $icrtfile = "certs/interca.crt";
+my $ikeyfile = "certs/interca.key";
+my $icsrfile = "certs/interca.csr";
+my $icasubj  = "/C=US/ST=CA/L=Intermediate Mystery Spot/O=Int/CN=".
+               "ica-$testhostname/emailAddress=icatester";
+my $icacmd   = "openssl genrsa -out $ikeyfile 4096 && openssl req -new".
+               " -sha256 -key $ikeyfile -out $icsrfile -days 365 ".
+               " -subj \"$icasubj\" &&".
+               "openssl ca -batch -config $caconf -notext -in $icsrfile".
+               " -out $icrtfile";
+
+system($icacmd);
+my $icacheck=`(openssl x509 -noout -modulus -in $icrtfile | openssl md5 ;
+               openssl rsa  -noout -modulus -in $ikeyfile | openssl md5) |
+               uniq | wc -l`;
+# Check if certificate and key are made correctly.
+unless(-e $icrtfile && -e $ikeyfile && $icacheck == 1)
+{
+    exit 77; # skip
+}
+
+# Now create web of trust - Root CA + Intermediate CA
+open  WOT, ">", "$cdir/certs/wotca.pem" or
+      die "Cannot overwrite file $cdir/certs/wotca";
+open  ICA, "<", $icrtfile or die "Cannot read file $icrtfile";
+while (<ICA>)
+{
+  print WOT $_;
+}
+print WOT "\n";
+close ICA;
+open  RCA, "<", "$cdir/certs/test-ca-cert.pem" or
+      die "Cannot read file $cdir/certs/test-ca-cert.pem";
+while (<RCA>)
+{
+  print WOT $_;
+}
+print WOT "\n";
+close RCA;
+close WOT;
+
+# Create Test certificate using intermediate CA
+my $icaconf = "certs/interca.conf";
+my $usrcrt  = "certs/user.crt";
+my $usrkey  = "certs/user.key";
+my $usrcsr  = "certs/user.csr";
+my $usrsubj = "/C=US/ST=CA/L=User Mystery Spot/O=Int/CN=$testhostname/".
+              "emailAddress=usertester";
+my $usrcmd  = "openssl genrsa -out $usrkey 4096 && ".
+              "openssl req -new -sha256 -key $usrkey -out $usrcsr -days".
+              " 365 -subj \"$usrsubj\" && ".
+              "openssl ca -batch -config $icaconf -notext -in $usrcsr ".
+              "-out $usrcrt";
+
+system($usrcmd);
+my $usrcheck=`(openssl x509 -noout -modulus -in $usrcrt | openssl md5 ;
+               openssl rsa -noout -modulus -in $usrkey | openssl md5) |
+               uniq | wc -l`;
+# Check if certificate and key are made correctly.
+unless(-e $usrcrt && -e $ikeyfile && $usrcheck == 1)
+{
+    exit 77; # skip
+}
+
+# Try Wget using SSL using certificate signed by intermediate CA. Expect error.
+my $port    = 60443;
+my $cmdline = $WgetTest::WGETPATH . " --ca-certificate=$cdir/certs/".
+                "test-ca-cert.pem https://$testhostname:$port/somefile.txt";;
+my $expected_error_code = 5;
+my %existing_files = (
+);
+
+my %expected_downloaded_files = (
+  'somefile.txt' => {
+    content => "blabla",
+  },
+);
+
+my $sslsock = SSLTest->new(cmdline   => $cmdline,
+                           input     => \%urls,
+                           errcode   => $expected_error_code,
+                           existing  => \%existing_files,
+                           output    => \%expected_downloaded_files,
+                           certfile  => $usrcrt,
+                           keyfile   => $usrkey,
+                           lhostname => $testhostname);
+if ($sslsock->run() == 0)
+{
+  exit 0;
+}
+
+# Retry the test with --no-check-certificate. expect success
+$port    = 61443;
+$cmdline = $WgetTest::WGETPATH . " --ca-certificate=$cdir/certs/wotca.pem".
+                                 " https://$testhostname:$port/somefile.txt";;
+
+$expected_error_code = 0;
+
+my $retryssl = SSLTest->new(cmdline  => $cmdline,
+                           input     => \%urls,
+                           errcode   => $expected_error_code,
+                           existing  => \%existing_files,
+                           output    => \%expected_downloaded_files,
+                           certfile  => $usrcrt,
+                           keyfile   => $usrkey,
+                           lhostname => $testhostname,
+                           sslport   => $port);
+exit $retryssl->run();
+# vim: et ts=4 sw=4
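Review bot: The first `SSLTest->new(...)` call omits `sslport => $port`, although `$cmdline` points Wget at port 60443; only the retry passes `sslport`. If the server falls back to a default port, the expected error code 5 cannot be distinguished from a plain connection failure. Two more points in this file: the user-certificate check tests `-e $ikeyfile` where `$usrkey` is meant (`unless(-e $usrcrt && -e $ikeyfile && $usrcheck == 1)`), and the comment "Retry the test with --no-check-certificate" is stale, since the retry uses `--ca-certificate=$cdir/certs/wotca.pem`. The `open ... or warn` calls for certindex, certserial and crlnumber continue after a failed open; `die` or a skip would avoid printing to an unopened handle. The `if ($sslsock->run() == 0) { exit 0; }` guard raises the same question as in Test-https-selfsigned.px.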
diff --git a/tests/WgetFeature.cfg b/tests/WgetFeature.cfg
index a1176e0..1c4f461 100644
--- a/tests/WgetFeature.cfg
+++ b/tests/WgetFeature.cfg
@@ -1,5 +1,6 @@
 %skip_messages = (
     https => "Not running test: Wget under test doesn't support HTTPS.",
+    ssl/openssl => "Not running test: Wget doesn't use OpenSSL.",
     iri   => "Not running test: Wget under test doesn't support IDN/IRI.",
 );
 
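Review bot: The new key `ssl/openssl` is not quoted. The fat comma only auto-quotes a simple identifier directly to its left, so `ssl/openssl => ...` is not parsed as the string "ssl/openssl"; write `'ssl/openssl' => "Not running test: Wget doesn't use OpenSSL.",`. None of the test scripts in this patch request the feature (they all use `qw(https)`), so the entry is currently unused.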
diff --git a/tests/certs/interca.conf b/tests/certs/interca.conf
new file mode 100644
index 0000000..7e7576b
--- /dev/null
+++ b/tests/certs/interca.conf
@@ -0,0 +1,64 @@
+[ ca ]
+default_ca = myca
+
+[ crl_ext ]
+issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+ [ myca ]
+ dir = ./certs/
+ new_certs_dir = $dir
+ unique_subject = no
+ certificate = $dir/interca.crt
+ database = $dir/certindex
+ private_key = $dir/interca.key
+ serial = $dir/certserial
+ default_days = 730
+ default_md = sha1
+ policy = myca_policy
+ x509_extensions = myca_extensions
+ crlnumber = $dir/crlnumber
+ default_crl_days = 730
+
+ [ myca_policy ]
+ commonName = supplied
+ stateOrProvinceName = supplied
+ countryName = optional
+ emailAddress = optional
+ organizationName = supplied
+ organizationalUnitName = optional
+
+ [ myca_extensions ]
+ basicConstraints = critical,CA:TRUE
+ keyUsage = critical,any
+ subjectKeyIdentifier = hash
+ authorityKeyIdentifier = keyid:always,issuer
+ keyUsage = digitalSignature,keyEncipherment
+ extendedKeyUsage = serverAuth
+ crlDistributionPoints = @crl_section
+ subjectAltName  = @alt_names
+ authorityInfoAccess = @ocsp_section
+
+ [ v3_ca ]
+ basicConstraints = critical,CA:TRUE,pathlen:0
+ keyUsage = critical,any
+ subjectKeyIdentifier = hash
+ authorityKeyIdentifier = keyid:always,issuer
+ keyUsage = digitalSignature,keyEncipherment
+ extendedKeyUsage = serverAuth
+ crlDistributionPoints = @crl_section
+ subjectAltName  = @alt_names
+ authorityInfoAccess = @ocsp_section
+
+ [alt_names]
+ DNS.0 = WgetTestingServer
+
+ [crl_section]
+ URI.0 = http://intertest.wgettest.org/Bogus.crl
+ URI.1 = http://intertest.wgettest.org/Bogus.crl
+
+ [ocsp_section]
+ caIssuers;URI.0 = http://intertest.wgettest.com/Bogus.crt
+ caIssuers;URI.1 = http://intertest.wgettest.com/Bogus.crt
+ OCSP;URI.0 = http://intertest.wgettest.com/ocsp/
+ OCSP;URI.1 = http://intertest.wgettest.com/ocsp/
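Review bot: This config is what Test-https-weboftrust.px passes to `openssl ca` when signing the server certificate, and `x509_extensions = myca_extensions` gives that leaf `basicConstraints = critical,CA:TRUE`. An end-entity profile with `CA:FALSE` would make the chain model what the test name describes. In both `[ myca_extensions ]` and `[ v3_ca ]`, `keyUsage` is set twice with different values (`critical,any` and `digitalSignature,keyEncipherment`); keep one line so it is clear which applies. `default_md = sha1` also contradicts the `-sha256` used when the CSRs are created; `sha256` would be consistent.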
diff --git a/tests/certs/rootca.conf b/tests/certs/rootca.conf
new file mode 100644
index 0000000..fc8dce7
--- /dev/null
+++ b/tests/certs/rootca.conf
@@ -0,0 +1,64 @@
+[ ca ]
+default_ca = myca
+
+[ crl_ext ]
+issuerAltName=issuer:copy
+authorityKeyIdentifier=keyid:always
+
+ [ myca ]
+ dir = ./certs/
+ new_certs_dir = $dir
+ unique_subject = no
+ certificate = $dir/test-ca-cert.pem
+ database = $dir/certindex
+ private_key = $dir/test-ca-key.pem
+ serial = $dir/certserial
+ default_days = 730
+ default_md = sha1
+ policy = myca_policy
+ x509_extensions = myca_extensions
+ crlnumber = $dir/crlnumber
+ default_crl_days = 730
+
+ [ myca_policy ]
+ commonName = supplied
+ stateOrProvinceName = supplied
+ countryName = optional
+ emailAddress = optional
+ organizationName = supplied
+ organizationalUnitName = optional
+
+ [ myca_extensions ]
+ basicConstraints = critical,CA:TRUE
+ keyUsage = critical,any
+ subjectKeyIdentifier = hash
+ authorityKeyIdentifier = keyid:always,issuer
+ keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign
+ extendedKeyUsage = serverAuth
+ crlDistributionPoints = @crl_section
+ subjectAltName  = @alt_names
+ authorityInfoAccess = @ocsp_section
+
+ [ v3_ca ]
+ basicConstraints = critical,CA:TRUE,pathlen:0
+ keyUsage = critical,any
+ subjectKeyIdentifier = hash
+ authorityKeyIdentifier = keyid:always,issuer
+ keyUsage = digitalSignature,keyEncipherment,cRLSign,keyCertSign
+ extendedKeyUsage = serverAuth
+ crlDistributionPoints = @crl_section
+ subjectAltName  = @alt_names
+ authorityInfoAccess = @ocsp_section
+
+ [alt_names]
+ DNS.0 = WgetTestingServer
+
+ [crl_section]
+ URI.0 = http://test.wgettest.org/Bogus.crl
+ URI.1 = http://test.wgettest.org/Bogus.crl
+
+ [ocsp_section]
+ caIssuers;URI.0 = http://test.wgettest.com/Bogus.crt
+ caIssuers;URI.1 = http://test.wgettest.com/Bogus.crt
+ OCSP;URI.0 = http://test.wgettest.com/ocsp/
+ OCSP;URI.1 = http://test.wgettest.com/ocsp/
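Review bot: `[ v3_ca ]` with `pathlen:0` is never selected: `x509_extensions = myca_extensions` is the default and the `openssl ca` command in Test-https-weboftrust.px passes no `-extensions`, so the intermediate is issued without a path length constraint. Either point `x509_extensions` at `v3_ca` or drop the unused section. The intermediate also inherits `extendedKeyUsage = serverAuth` and `subjectAltName` DNS `WgetTestingServer`, which belong on the server certificate rather than on a CA. The file is otherwise a near copy of interca.conf (same duplicate `keyUsage` lines, same `default_md = sha1`, identical `URI.0` and `URI.1` entries); a short header comment in each file saying which certificate it issues would help.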
diff --git a/tests/certs/test-ca-key.pem b/tests/certs/test-ca-key.pem
new file mode 100644
index 0000000..0bef904
--- /dev/null
+++ b/tests/certs/test-ca-key.pem
@@ -0,0 +1,58 @@
+!!!!!DO NOT USE THIS KEY FOR ANYTHING !!!!!!!
+!!!!THIS FILE IS FOR TESTING WGET ONLY!!!!!!
+
+-----BEGIN RSA PRIVATE KEY-----
+MIIJKgIBAAKCAgEArx5p0JWOfE/z3GXkd57QaemGBC8ZmE463Yhy6WtR7ww5MGMl
+QmlsYYvEeZj/3FLe2mdAazTAlU8uf3BM5f8PUVahESgwevGVNJLtgOGJgxXp5csl
+LlWYZ+a3qL1FJYVqPKfiK/tb8BsgzzPyECmlCerXw1lQ+34Fc36bw5vFw6igegb8
+yz5N59yvZp3b9iooU1J5yRTGTpEmGhUrUNdUc2MEe2bwLiEgffVmX9oc2mIqLwfR
+tFjJMvNb6Zr42yllWC5aVeSJ86tkIhuLRQRD/nmy3NR/Txne764BhNnJ+/INV16U
+fJz1A2BeFBhbPdH7T6jQx3BxRDQew66Qe8ESGuWa6SsjWwhiCl/lJ1UeUWt9pjDN
+qT4kfeWQzZKnbMoC7hwLMmmo9fsL65jPNR9iclf5FXBap39/gtWl9vobuTi+6yLJ
+BGBvB4FsFsRNDVu0PM06wUew/d9oTP+3/GKI8UnqiT+76RlC3lcyRdAk5LKFofg9
+bPkNm/dw6aDFtfFTE4oNjRXrUK9w3SZsknne2oOveKoGOYg79T/wlgUo++Uwwa8N
+yYujycVhEvqMdvX68awlrQIxMFSOcyeaiGVuZ/gWIq/7VZaDJGEpnm8vXkpkyxhD
+Wa3qQcLqHKbydckEaLHc2BuNjI3yNiYZUxVr8MHRgrBarEXLHz0yarvNNUECAwEA
+AQKCAgEApUnNkoU3QfqtMCA0bvvFt9IlHpneTLW6NhNucwdLBJjC+fr61h5vn/qu
+bh+NkMXfdsHyOb5G8CcWuk6jJouCR8G+sVT/vWt862yrI/S9OK9cX/tIkt1Txu4r
+9+b99xZgWfQUNHNCKfVRGIHtPngwQJYbJVWObHJcbtDX8N984Nqu7b7eqG+cVPcl
+z3O8hDLycQLt1G/5ZXr3PbMxeVJlcavKNTfKB6BY7MrN4Dcc+LujGVUGCHWtIpw0
+6t/Nd/8wmvTVazEVTJs/HjplT7VhADaaLnmb2GuQ0yWoZV6zmUy0bvzkpmH3mUJC
+SjFbHZSu4ldzCGwHXNrdFtITqdtoW81Tj+b3EsqNlB2u1I8DpOMR8vMGy5f0rYhs
+Lf4Vmpvggw4bzLeu9A6XStxiB/wExn1QlQd54X1zfhssoF/pbu2RtCujn+y3zYCd
+2c9gqdN5MaGsr1NSYUPilj39E4S4FwtGnZGIYhClglToy0sMB/8lQvGIz0WRRfSG
+g+LUuiWuqn95ZrnSJvTSYCvsH0OB64IWpd9sHtu/P8Cjms3B/nIYjbG5gj68m319
+AsK1uFAqVmlGYVJVzgND9B9Egd4cODlTSsncEUQlS8PUZaym50FoBuO4vN+IYrZO
+H/yL6+hq3l/va/xlr4ZMEiBdEAiSj7g6XqQGzTgOz47RJn1FAGECggEBAOi8Moix
+SGHhxpJZgeHuL2FgBuNT9GVDoTNbUtEoZ7NsJd4BG3MjbZFluFoSfFiawAqJ3e6c
+ptUSiZ1KXN1gvMwVkget3MyenEzohYczwYOQeREAeRVr25Wq8cegvLaDFejMclCs
+ILC80BaGbVcAmJMdOBzLVqtY/7lps0LWpGd/6KYXTm41erhWJkvx+Vt0uPKVzGqx
+Ijjh/DSc5eX5BIdn2bYHLRu/xqfnX2kSH37PSto55ROSu8D8YwjaOdyQ1Hha6+O1
+Q6E4d2HliYqv1WaDHjyAXjmlP/3ob5f3QdXbqpB1smGPimK3hiZB0sYgdUI3yW9c
+NkynqGBeoTSPjG0CggEBAMCfyVJnG1fCnFZFCtPawYKK/IoMNyYzgIKomlcBdF/8
+J8Gwr6jcFBbdefT+VypVO0DywPrIFppDzjGEmZarFRgXsspGBenQQrZTPG1eUldY
+U89ODTsYNk0AXdctkMvAFSfVbA/4pnXAiXzKeEDk2YOhDYP1Y/T9eZQ3AI+LNeGO
+1Oqd9hGgsW0rqVgW+rCbUTezFE5J+2zbzMu2XnJieueG33iaVMpHzqnLLe27SYcI
+7VmgttZL4eL6/klPHSKC8x3y1c2T88d+HAuW+mB+bQ2iQWYfM82SyxjTER/7jpTy
+Zpj/mibgt2cQxVowWFmMMOLXczhpu/GOgRxxCXVQn6UCggEBAOa30vzxiskGMn1Y
+4EpifnPw50MrMkfFEKRB70rL3GnhV3TK8jRlNbSC+4vHcZ/A4YpQ/EMU5sqp0uSs
+GH2Z7e//nkGgmRf8UQRpKh5LL5bGfU5egqq6vveTfJajARGJyAl9zAGvccTjmQIL
+h49NVvPYbo0VAzlgRDrBz2T+NgMoqTEmP6k/uQXO2a5GFiYVA1fxKrHGIh/z37sk
+o0Aladj2Gby7RnuQ1VYUJ+CYh8KFqzXFWRPbTefWDDN1axD+PrOFpv2Y749+09Kn
+438qKsqyRyJBO6e360VBzIcBJjHkzyTgmNLgopaUSxfX/yRMfxIDDd0os+ev+Vp3
+1SWu/M0CggEAWSvfZCFNPCRggWN27rpPaOJ0pGehRDMFY/cvc+W9fQ3bTcRAnXg8
+aJVg9vSjX3qTcq6ufaoRJJsNIklTXLeYjU2zPAaMiEAcEhGYYL0Qe1Ttf4OPhnLf
++GeaCZoTdO9YG9emLgKa9NoMC9QjNU98Dn6JJjR8cJbDKMUJomn8qI2ZrX8wwdpV
+KMfUnm4M4aMVRybE2LVRCoT6WrfzIxrJ8NK0Mz2m0PnLBzmC6pIQKM4OKrbGzY/V
+Y2F0RHW2dBqQ96VKKuA6M3kC/K6I/BCq5WvewKrjLWCuWrCjNd4blIJe0qdJMoRH
+AxR1eBn3XIUUwH6i3VO9aMbiqEr/6OpI7QKCAQEAslqWEcRSL8bxXTVs1Jqip4wW
+lbJoym+zXhMLiqxCbMukClkkCdaI+lxNVdxs4MpACHYRAhHwVvAujz5JcgiMjSRC
+IK/JGu9uVkSriA/YJxmmMPvTYI1bmT1lT99HUqhzM5COuSFJh9D8cfpHJSUC+6rF
+1U/YcdcrZAMl3UH30XdsJLc6l3L/0gyseohwWT76dSqqOOathvNM5PsE8jNzPEo7
+VUdfrrDpEw0dPjk4IF8cpC389H1j8lnwxkWQtHHhXZTXHJlC9xYPa3PRsRn18pJy
+vxz9r76vJ3YJiQTxv8MKw/AaQrNDZng0Ff5kqQAqc/q/CvHdb2pur8NTsS/09w==
+-----END RSA PRIVATE KEY-----
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+!!!!!DO NOT USE THIS KEY FOR ANYTHING !!!!!!!
+!!!!THIS FILE IS FOR TESTING WGET ONLY!!!!!!
\ No newline at end of file
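Review bot: The warning banner is placed inside the key file, before and after the PEM block, and the file has no trailing newline. Every loader that reads test-ca-key.pem then has to skip non-PEM text. Moving the warning to a README in tests/certs (or a comment in rootca.conf, which references this key as `private_key`) and ending the file with a newline would be safer. The commit message should also state that this key matches the existing test-ca-cert.pem.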
diff --git a/tests/wgethosts b/tests/wgethosts
new file mode 100644
index 0000000..1697b5f
--- /dev/null
+++ b/tests/wgethosts
@@ -0,0 +1 @@
+WgetTestingServer 127.0.0.1
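Review bot: The tests used to write this alias file at run time and now depend on a checked-in copy found through `$ENV{'PWD'}` (`$ENV{'HOSTALIASES'} = "$cdir/wgethosts";`). If the tests are run from a directory other than tests/ in the source tree, for example an out-of-tree build, the file is not at that path, name resolution fails and every test exits 77, which reports as a skip rather than a failure. Resolving the path relative to the source directory, or keeping the run-time creation as a fallback, would avoid silently skipping the whole HTTPS suite.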
-- 
2.7.4
