Adds a regression test for the TLS client authentication diff from my
last post.
Index: tests/Client.pm
===================================================================
RCS file: /cvs/src/regress/usr.sbin/httpd/tests/Client.pm,v
retrieving revision 1.1
diff -u -p -r1.1 Client.pm
--- tests/Client.pm 16 Jul 2015 16:35:57 -0000 1.1
+++ tests/Client.pm 16 May 2018 08:04:54 -0000
@@ -59,6 +59,11 @@ sub child {
PeerAddr => $self->{connectaddr},
PeerPort => $self->{connectport},
SSL_verify_mode => SSL_VERIFY_NONE,
+ SSL_use_cert => $self->{offertlscert} ? 1 : 0,
+ SSL_cert_file => $self->{offertlscert} ?
+ $self->{chroot}."/client.crt" : "",
+ SSL_key_file => $self->{offertlscert} ?
+ $self->{chroot}."/client.key" : "",
) or die ref($self), " $iosocket socket connect failed: $!,$SSL_ERROR";
print STDERR "connect sock: ",$cs->sockhost()," ",$cs->sockport(),"\n";
print STDERR "connect peer: ",$cs->peerhost()," ",$cs->peerport(),"\n";
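Review bot: The three new ternaries pass `SSL_cert_file => ""` and `SSL_key_file => ""` whenever no client certificate is offered, which relies on IO::Socket::SSL treating an empty path as "no file" rather than saying so; emitting the options only when they apply avoids that dependency and reads as one decision: `( $self->{offertlscert} ? ( SSL_use_cert => 1, SSL_cert_file => $self->{chroot}."/client.crt", SSL_key_file => $self->{chroot}."/client.key" ) : () ),`. The context line `SSL_verify_mode => SSL_VERIFY_NONE` means the client still does not check the server certificate, so this connection exercises server-side verification of the client only; a short comment such as `# client offers client.crt so httpd's "tls client ca" can verify it; server cert is not checked here` would make that scope explicit for the next reader. child() begins outside this hunk, so I cannot tell whether `offertlscert` is copied from the args hash before this point.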
Index: tests/Httpd.pm
===================================================================
RCS file: /cvs/src/regress/usr.sbin/httpd/tests/Httpd.pm,v
retrieving revision 1.2
diff -u -p -r1.2 Httpd.pm
--- tests/Httpd.pm 30 Jan 2017 21:18:24 -0000 1.2
+++ tests/Httpd.pm 16 May 2018 08:04:54 -0000
@@ -72,6 +72,8 @@ sub new {
print $fh "\n";
print $fh "\ttls certificate \"".$args{chroot}."/server.crt\"\n";
print $fh "\ttls key \"".$args{chroot}."/server.key\"";
+ $self->{verifytls}
+ and print $fh "\n\ttls client ca \"".$args{chroot}."/ca.crt\"";
}
print $fh "\n\troot \"/\"";
print $fh "\n\tlog style combined";
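Review bot: The new condition reads `$self->{verifytls}` while the surrounding lines of the same block read the chroot path from `%args`; if `$self` is populated from `%args` earlier in new() (which starts outside this hunk) this is fine, otherwise `$args{verifytls}` would be the consistent source, and either way it is worth noting which one is authoritative. The directive has no comment explaining what it turns on; a one-liner such as `# "tls client ca" makes httpd require and verify a client certificate issued by the regress CA` above the new lines would help. As written, the trailing newline is deliberately omitted to match the preceding `tls key` print and the `\n` prefix of the following `root` line, so the config stays well-formed.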
Index: tests/Makefile
===================================================================
RCS file: /cvs/src/regress/usr.sbin/httpd/tests/Makefile,v
retrieving revision 1.9
diff -u -p -r1.9 Makefile
--- tests/Makefile 10 Nov 2017 23:29:09 -0000 1.9
+++ tests/Makefile 16 May 2018 08:04:54 -0000
@@ -77,10 +77,16 @@ ca.crt:
server.req:
openssl req -batch -new -subj
/L=OpenBSD/O=httpd-regress/OU=server/CN=localhost/ -nodes -newkey rsa -keyout
server.key -out server.req
+client.req:
+ openssl req -batch -new -subj
/L=OpenBSD/O=httpd-regress/OU=client/CN=localhost/ -nodes -newkey rsa -keyout
client.key -out $@
+
server.crt: ca.crt server.req
openssl x509 -CAcreateserial -CAkey ca.key -CA ca.crt -req -in
server.req -out server.crt
-${REGRESS_TARGETS:M*tls*} ${REGRESS_TARGETS:M*https*}: server.crt
+client.crt: ca.crt client.req
+ openssl x509 -CAcreateserial -CAkey ca.key -CA ca.crt -req -in
client.req -out $@
+
+${REGRESS_TARGETS:M*tls*} ${REGRESS_TARGETS:M*https*}: server.crt client.crt
# make perl syntax check for all args files
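Review bot: Both the existing server.crt rule and the new client.crt rule sign with `-CAcreateserial` against the same CA, so under a parallel make the two may run concurrently and race on the shared serial file; if this regress suite is ever run with `-j`, the simplest guard is to make client.crt depend on server.crt (`client.crt: ca.crt client.req server.crt`) so they are serialized. The new rules use `$@` where the server.crt rule spells out its target name; either form works, but mixing them in adjacent rules is a small inconsistency worth settling one way. If a CLEANFILES list for server.crt/server.key/server.req exists elsewhere in this Makefile (not visible here), client.crt, client.key and client.req need adding to it so a rebuild starts from fresh keys.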
Index: tests/args-tls-verify.pl
===================================================================
RCS file: tests/args-tls-verify.pl
diff -N tests/args-tls-verify.pl
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ tests/args-tls-verify.pl 16 May 2018 08:04:54 -0000
@@ -0,0 +1,20 @@
+# test https connection, verifying client cert
+
+use strict;
+use warnings;
+
+our %args = (
+ client => {
+ tls => 1,
+ offertlscert => 1,
+ loggrep => 'Issuer.*/OU=ca/',
+ },
+ httpd => {
+ listentls => 1,
+ verifytls => 1,
+ },
+ len => 512,
+ md5 => path_md5("512")
+);
+
+1;
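Review bot: The only assertion here is the client-side `loggrep => 'Issuer.*/OU=ca/'`, which matches a log line naming the regress CA as an issuer; since that CA also signed server.crt, it is plausible this line would appear even if httpd never verified the client certificate, so the test may not fail when client verification is broken (hedged, as the client's log format is not shown on this page). A companion args file with `offertlscert => 0` against `verifytls => 1` that expects the connection to be refused, or a httpd-side loggrep for the verified client subject, would pin the behaviour the diff is meant to protect. The file also calls `path_md5` without defining or importing it, presumably supplied by the harness that evaluates these args files; a header comment such as `# path_md5 is provided by the regress harness that loads this file` would save the next reader the search.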