
Commit 044e4d5

committed
Fix SNI tests for LibreSSL
Since the beginning of 2022, LibreSSL has dropped support for IP addresses in SNI. This aligns with RFC 6066, section 3: > Literal IPv4 and IPv6 addresses are not permitted in "HostName". To deal with it, clients now connect to "localhost" instead of "127.0.0.1", and "server.crt" is regenerated with "localhost" as Common Name instead of "127.0.0.1". The TLS version used in the tests is also adjusted, since LibreSSL has deprecated TLSv1.1 and older.
1 parent 7a1cd71 commit 044e4d5


5 files changed

+71
-58
lines changed


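--- a/t/mojo/certs/server.crt
+++ b/t/mojo/certs/server.crt
@@ -1,12 +1,12 @@
 -----BEGIN CERTIFICATE-----
-MIIBsjCCARsCCQCptEBZlSnk3jANBgkqhkiG9w0BAQUFADAaMQswCQYDVQQGEwJV
-UzELMAkGA1UEAxMCY2EwHhcNMTQxMjEyMDUwMzI1WhcNMzQxMjA3MDUwMzI1WjAh
-MQswCQYDVQQGEwJVUzESMBAGA1UEAxMJMTI3LjAuMC4xMIGfMA0GCSqGSIb3DQEB
+MIIBsjCCARsCCQCM8WLoRPCPATANBgkqhkiG9w0BAQsFADAaMQswCQYDVQQGEwJV
+UzELMAkGA1UEAxMCY2EwHhcNMjMwMjI1MTc1NjAwWhcNNDMwMjIwMTc1NjAwWjAh
+MQswCQYDVQQGEwJVUzESMBAGA1UEAwwJbG9jYWxob3N0MIGfMA0GCSqGSIb3DQEB
 AQUAA4GNADCBiQKBgQDDhbj7nsfzahPilwn6pGdo6nKYCR21WZ73CuwPN86DmsZi
 5LIRYRfKA0unape2BQBnMnSmInaXvHHBdVsTyt3XSFZj5+iCF9RcorXAqcDygScj
 8MTWYAZxCu3lGAjtw0bGGYutlLg5jtEXvZwfe61XfJj9xDUPNQrP7mf/HTBmgQID
-AQABMA0GCSqGSIb3DQEBBQUAA4GBACRIx9fB4x8UO44C9TGj3bKb1NX3bkuHMz0m
-WdhCkzUUiANtRMxp2oLA3KHY4yOusZLZIUNyP10Ri5q/U1mR0poYCMm7AYee2OV7
-NdQIyppeDLoWQ9uPISPjp1d+zjpGOrLrSkpD1rYLVw4R56A9ZQks/LNs6TSceZjZ
-c5QST/9i
+AQABMA0GCSqGSIb3DQEBCwUAA4GBABjuNiXMWmGIr4LU7hypd4QKFZDfHyFFw21h
+dRhFp4cBq+A/9cDW7CBmKuVvBwYtkLSzQf0Y2/55mx1hz85NjRiSdDENWLncW8sA
+qt0mS9eX6s9HMeYNcT9ngPoAAUmkGT3/tAXwmejvu2XKBt8UBcnpJdt40YYq1wIH
+9lcg5Hni
 -----END CERTIFICATE-----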

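--- a/t/mojo/daemon_ipv6_tls.t
+++ b/t/mojo/daemon_ipv6_tls.t
@@ -41,8 +41,8 @@ subtest 'IPv6, TLS, SNI and a proxy' => sub {
 $daemon = Mojo::Server::Daemon->new(app => app, silent => 1);
 my $listen
 = 'https://[::1]'
-. '?127.0.0.1_cert=t/mojo/certs/server.crt'
-. '&127.0.0.1_key=t/mojo/certs/server.key'
+. '?localhost_cert=t/mojo/certs/server.crt'
+. '&localhost_key=t/mojo/certs/server.key'
 . '&example.com_cert=t/mojo/certs/domain.crt'
 . '&example.com_key=t/mojo/certs/domain.key';
 my $forward = $daemon->listen([$listen])->start->ports->[0];
@@ -54,7 +54,7 @@ subtest 'IPv6, TLS, SNI and a proxy' => sub {
 is $tx->res->code, 200, 'right status';
 is $tx->res->body, 'works!', 'right content';
 ok !$tx->error, 'no error';
-$tx = $ua->get("https://127.0.0.1/");
+$tx = $ua->get("https://localhost/");
 is $tx->res->code, 200, 'right status';
 is $tx->res->body, 'works!', 'right content';
 ok !$tx->error, 'no error';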
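Review bot: The request on line 57 only asserts status and body, so nothing in this subtest proves that the SNI lookup for "localhost" actually selected the `localhost_cert` entry rather than the example.com one or a default; if the user agent used here has verification disabled (its setup is outside the hunk), a wrong certificate would go unnoticed. Since the point of the test is the SNI mapping, I'd pin the served certificate after the request, e.g. `is $ua->ioloop->stream($tx->connection)->handle->peer_certificate('commonName'), 'localhost', 'right certificate';`, and the same for the example.com request if it exists above. The enclosing subtest starts before the hunk.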

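--- a/t/mojo/ioloop_tls.t
+++ b/t/mojo/ioloop_tls.t
@@ -14,7 +14,7 @@ plan skip_all => 'IO::Socket::SSL 2.009+ required for this test!' unless Moj
 # openssl req -x509 -days 7300 -key ca.key -in ca.csr -out ca.crt
 #
 # openssl genrsa -out server.key 1024
-# openssl req -new -key server.key -out server.csr -subj "/C=US/CN=127.0.0.1"
+# openssl req -new -key server.key -out server.csr -subj "/C=US/CN=localhost"
 # openssl x509 -req -days 7300 -in server.csr -out server.crt -CA ca.crt \
 # -CAkey ca.key -CAcreateserial
 #
@@ -46,7 +46,7 @@ my $id = $loop->server(
 my $port = $loop->acceptor($id)->port;
 my $promise2 = Mojo::Promise->new->ioloop($loop);
 $loop->client(
-{port => $port, tls => 1, tls_options => {SSL_verify_mode => 0x00}} => sub {
+{address => 'localhost', port => $port, tls => 1, tls_options => {SSL_verify_mode => 0x00}} => sub {
 my ($loop, $err, $stream) = @_;
 $stream->write('tset' => sub { shift->write('123') });
 $stream->on(close => sub { $promise2->resolve });
@@ -88,6 +88,7 @@ $id = Mojo::IOLoop->server(
 $port = Mojo::IOLoop->acceptor($id)->port;
 $promise2 = Mojo::Promise->new;
 Mojo::IOLoop->client(
+address => 'localhost',
 port => $port,
 tls => 1,
 tls_cert => 't/mojo/certs/client.crt',
@@ -118,6 +119,7 @@ ok !$server_err, 'no error';
 # Invalid client certificate
 my $client_err;
 Mojo::IOLoop->client(
+address => 'localhost',
 port => $port,
 tls => 1,
 tls_cert => 't/mojo/certs/bad.crt',
@@ -133,7 +135,7 @@ ok $client_err, 'has error';
 # Missing client certificate
 ($server_err, $client_err) = ();
 Mojo::IOLoop->client(
-{port => $port, tls => 1} => sub {
+{address => 'localhost', port => $port, tls => 1} => sub {
 shift->stop;
 $client_err = shift;
 }
@@ -155,6 +157,7 @@ $id = $loop->server(
 );
 $port = $loop->acceptor($id)->port;
 $loop->client(
+address => 'localhost',
 port => $port,
 tls => 1,
 tls_cert => 't/mojo/certs/client.crt',
@@ -195,6 +198,7 @@ $id = Mojo::IOLoop->server(
 $port = Mojo::IOLoop->acceptor($id)->port;
 $promise2 = Mojo::Promise->new;
 Mojo::IOLoop->client(
+address => 'localhost',
 port => $port,
 tls => 1,
 tls_ca => 't/mojo/certs/ca.crt',
@@ -235,9 +239,10 @@ $id = $loop->server(
 );
 $port = $loop->acceptor($id)->port;
 $loop->client(
-port => $port,
-tls => 1,
-tls_ca => 't/mojo/certs/ca.crt',
+address => 'localhost',
+port => $port,
+tls => 1,
+tls_ca => 't/mojo/certs/ca.crt',
 sub {
 shift->stop;
 $client_err = shift;
@@ -259,7 +264,7 @@ $id = $loop->server(
 );
 $port = $loop->acceptor($id)->port;
 $loop->client(
-address => '127.0.0.1',
+address => 'localhost',
 port => $port,
 tls => 1,
 tls_ca => 't/mojo/certs/ca.crt',
@@ -284,9 +289,10 @@ $id = $loop->server(
 );
 $port = $loop->acceptor($id)->port;
 $loop->client(
-port => $port,
-tls => 1,
-tls_ca => 'no cert',
+address => 'localhost',
+port => $port,
+tls => 1,
+tls_ca => 'no cert',
 sub {
 shift->stop;
 $client_err = shift;
@@ -315,6 +321,7 @@ $id = $loop->server(
 );
 $port = $loop->acceptor($id)->port;
 $loop->client(
+address => 'localhost',
 port => $port,
 tls => 1,
 tls_cert => 't/mojo/certs/bad.crt',
@@ -350,7 +357,7 @@ $id = Mojo::IOLoop->server(
 );
 $port = Mojo::IOLoop->acceptor($id)->port;
 Mojo::IOLoop->client(
-{port => $port, tls => 1, tls_options => {SSL_verify_mode => 0x00}} => sub {
+{address => 'localhost', port => $port, tls => 1, tls_options => {SSL_verify_mode => 0x00}} => sub {
 shift->stop;
 $client = 'connected';
 $client_err = shift;
@@ -376,6 +383,7 @@ subtest 'ALPN' => sub {
 );
 $port = Mojo::IOLoop->acceptor($id)->port;
 Mojo::IOLoop->client(
+address => 'localhost',
 port => $port,
 tls => 1,
 tls_options => {SSL_alpn_protocols => ['baz', 'bar'], SSL_verify_mode => 0x00},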
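Review bot: The updated recipe on line 17 still asks for the host name only in the CN and requests no subjectAltName, so the regenerated server.crt relies on the CN fallback that RFC 6125 deprecated and that some verifiers refuse outright; the switch to `localhost` therefore only works as long as the TLS library in use still honours CN matching. When regenerating, pass an `-extfile` containing `subjectAltName=DNS:localhost` at the `openssl x509 -req` step and record that in this comment block. While at it, line 16 and the unchanged modulus lines in server.crt show the 1024-bit RSA key was kept; OpenSSL builds configured with security level 2 (the default on some distributions) reject such keys in the handshake, so `openssl genrsa -out server.key 2048` would make the fixture more portable. Separately, the new `address => 'localhost'` clients depend on the resolver returning an address the server is bound to (the listen addresses are outside these hunks); if `localhost` resolves to ::1 first while a server binds 127.0.0.1 only, those connects fail for reasons unrelated to TLS, which deserves a comment next to the first one, e.g. `# "localhost" rather than an IP so the SNI extension is sent (LibreSSL rejects IP literals)`.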

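--- a/t/mojo/user_agent_tls.t
+++ b/t/mojo/user_agent_tls.t
@@ -29,20 +29,20 @@ subtest 'Web server with valid certificates' => sub {
 
 subtest 'No certificate' => sub {
 my $ua = Mojo::UserAgent->new(ioloop => Mojo::IOLoop->singleton);
-my $tx = $ua->get("https://127.0.0.1:$port");
+my $tx = $ua->get("https://localhost:$port");
 ok $tx->error, 'has error';
-$tx = $ua->get("https://127.0.0.1:$port");
+$tx = $ua->get("https://localhost:$port");
 ok $tx->error, 'has error';
-$tx = $ua->ca('t/mojo/certs/ca.crt')->get("https://127.0.0.1:$port");
+$tx = $ua->ca('t/mojo/certs/ca.crt')->get("https://localhost:$port");
 ok $tx->error, 'has error';
-$tx = $ua->get("https://127.0.0.1:$port");
+$tx = $ua->get("https://localhost:$port");
 ok $tx->error, 'has error';
 };
 
 subtest 'Valid certificates' => sub {
 my $ua = Mojo::UserAgent->new(ioloop => Mojo::IOLoop->singleton);
 $ua->ca('t/mojo/certs/ca.crt')->cert('t/mojo/certs/client.crt')->key('t/mojo/certs/client.key');
-my $tx = $ua->get("https://127.0.0.1:$port");
+my $tx = $ua->get("https://localhost:$port");
 ok !$tx->error, 'no error';
 is $tx->res->code, 200, 'right status';
 is $tx->res->body, 'works!', 'right content';
@@ -54,7 +54,7 @@ subtest 'Web server with valid certificates' => sub {
 local $ENV{MOJO_CERT_FILE} = 't/mojo/certs/client.crt';
 local $ENV{MOJO_KEY_FILE} = 't/mojo/certs/client.key';
 local $ENV{MOJO_INSECURE} = 0;
-my $tx = $ua->get("https://127.0.0.1:$port");
+my $tx = $ua->get("https://localhost:$port");
 is $ua->ca, 't/mojo/certs/ca.crt', 'right path';
 is $ua->cert, 't/mojo/certs/client.crt', 'right path';
 is $ua->key, 't/mojo/certs/client.key', 'right path';
@@ -67,7 +67,7 @@ subtest 'Web server with valid certificates' => sub {
 subtest 'Invalid certificate' => sub {
 my $ua = Mojo::UserAgent->new(ioloop => Mojo::IOLoop->singleton);
 $ua->cert('t/mojo/certs/bad.crt')->key('t/mojo/certs/bad.key');
-my $tx = $ua->get("https://127.0.0.1:$port");
+my $tx = $ua->get("https://localhost:$port");
 ok $tx->error, 'has error';
 };
 };
@@ -82,43 +82,48 @@ subtest 'Web server with valid certificates and no verification' => sub {
 . '&ca=t/mojo/certs/ca.crt'
 . '&ciphers=AES256-SHA:ALL'
 . '&verify=0x00'
-. '&version=TLSv1';
+. '&version=TLSv1_2';
 my $port = $daemon->listen([$listen])->start->ports->[0];
 
 # Invalid certificate
 my $ua = Mojo::UserAgent->new(ioloop => Mojo::IOLoop->singleton);
 $ua->cert('t/mojo/certs/bad.crt')->key('t/mojo/certs/bad.key');
-my $tx = $ua->get("https://127.0.0.1:$port");
+my $tx = $ua->get("https://localhost:$port");
 ok $tx->error, 'has error';
 $ua = Mojo::UserAgent->new(ioloop => $ua->ioloop, insecure => 1);
 $ua->cert('t/mojo/certs/bad.crt')->key('t/mojo/certs/bad.key');
-$tx = $ua->get("https://127.0.0.1:$port");
+$tx = $ua->get("https://localhost:$port");
 ok !$tx->error, 'no error';
 is $ua->ioloop->stream($tx->connection)->handle->get_cipher, 'AES256-SHA', 'AES256-SHA has been negotiatied';
-is $ua->ioloop->stream($tx->connection)->handle->get_sslversion, 'TLSv1', 'TLSv1 has been negotiatied';
+is $ua->ioloop->stream($tx->connection)->handle->get_sslversion, 'TLSv1_2', 'TLSv1.2 has been negotiatied';
 };
 
 subtest 'Client side TLS options' => sub {
 my $daemon = Mojo::Server::Daemon->new(app => app, ioloop => Mojo::IOLoop->singleton, silent => 1);
-my $listen = 'https://127.0.0.1/?version=TLSv1_1';
-my $port = $daemon->listen([$listen])->start->ports->[0];
+my $listen
+= 'https://127.0.0.1'
+. '?cert=t/mojo/certs/server.crt'
+. '&key=t/mojo/certs/server.key'
+. '&ca=t/mojo/certs/ca.crt'
+. '&version=TLSv1_2';
+my $port = $daemon->listen([$listen])->start->ports->[0];
 
 subtest '(Not) setting verification mode' => sub {
 my $ua = Mojo::UserAgent->new(ioloop => Mojo::IOLoop->singleton);
-my $tx = $ua->get("https://127.0.0.1:$port");
+my $tx = $ua->get("https://localhost:$port");
 like $tx->error->{message}, qr/certificate verify failed/, 'has error';
 
 $ua = Mojo::UserAgent->new(ioloop => Mojo::IOLoop->singleton);
 $ua->tls_options({SSL_verify_mode => 0x00});
-$tx = $ua->get("https://127.0.0.1:$port");
+$tx = $ua->get("https://localhost:$port");
 ok !$tx->error, 'no error';
 };
 
 subtest 'Setting acceptable protocol version' => sub {
 my $ua = Mojo::UserAgent->new(ioloop => Mojo::IOLoop->singleton);
-$ua->tls_options({SSL_version => 'TLSv1_2'});
-my $tx = $ua->get("https://127.0.0.1:$port");
-like $tx->error->{message}, qr/wrong ssl version/, 'has error';
+$ua->tls_options({SSL_version => 'TLSv1_3'});
+my $tx = $ua->get("https://localhost:$port");
+like $tx->error->{message}, qr/tlsv1 alert protocol version/, 'has error';
 };
 };
 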