
Commit 4689b47

committed
Fix SNI tests for LibreSSL
Since the beginning of 2022, LibreSSL has dropped support for IP addresses in SNI. This is in line with RFC 6066, section 3:

> Literal IPv4 and IPv6 addresses are not permitted in "HostName".

To deal with this, make servers listen on and clients connect to "localhost" instead of "127.0.0.1", and adjust "server.crt" to use "localhost" as its Common Name instead of "127.0.0.1".
1 parent 03d1b64 commit 4689b47

5 files changed

+74
-66
lines changed

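--- a/t/mojo/certs/server.crt
+++ b/t/mojo/certs/server.crt
@@ -1,12 +1,12 @@
 -----BEGIN CERTIFICATE-----
-MIIBsjCCARsCCQCptEBZlSnk3jANBgkqhkiG9w0BAQUFADAaMQswCQYDVQQGEwJV
-UzELMAkGA1UEAxMCY2EwHhcNMTQxMjEyMDUwMzI1WhcNMzQxMjA3MDUwMzI1WjAh
-MQswCQYDVQQGEwJVUzESMBAGA1UEAxMJMTI3LjAuMC4xMIGfMA0GCSqGSIb3DQEB
+MIIBsjCCARsCCQCM8WLoRPCPATANBgkqhkiG9w0BAQsFADAaMQswCQYDVQQGEwJV
+UzELMAkGA1UEAxMCY2EwHhcNMjMwMjI1MTc1NjAwWhcNNDMwMjIwMTc1NjAwWjAh
+MQswCQYDVQQGEwJVUzESMBAGA1UEAwwJbG9jYWxob3N0MIGfMA0GCSqGSIb3DQEB
 AQUAA4GNADCBiQKBgQDDhbj7nsfzahPilwn6pGdo6nKYCR21WZ73CuwPN86DmsZi
 5LIRYRfKA0unape2BQBnMnSmInaXvHHBdVsTyt3XSFZj5+iCF9RcorXAqcDygScj
 8MTWYAZxCu3lGAjtw0bGGYutlLg5jtEXvZwfe61XfJj9xDUPNQrP7mf/HTBmgQID
-AQABMA0GCSqGSIb3DQEBBQUAA4GBACRIx9fB4x8UO44C9TGj3bKb1NX3bkuHMz0m
-WdhCkzUUiANtRMxp2oLA3KHY4yOusZLZIUNyP10Ri5q/U1mR0poYCMm7AYee2OV7
-NdQIyppeDLoWQ9uPISPjp1d+zjpGOrLrSkpD1rYLVw4R56A9ZQks/LNs6TSceZjZ
-c5QST/9i
+AQABMA0GCSqGSIb3DQEBCwUAA4GBABjuNiXMWmGIr4LU7hypd4QKFZDfHyFFw21h
+dRhFp4cBq+A/9cDW7CBmKuVvBwYtkLSzQf0Y2/55mx1hz85NjRiSdDENWLncW8sA
+qt0mS9eX6s9HMeYNcT9ngPoAAUmkGT3/tAXwmejvu2XKBt8UBcnpJdt40YYq1wIH
+9lcg5Hni
 -----END CERTIFICATE-----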

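--- a/t/mojo/daemon_ipv6_tls.t
+++ b/t/mojo/daemon_ipv6_tls.t
@@ -41,8 +41,8 @@ subtest 'IPv6, TLS, SNI and a proxy' => sub {
 $daemon = Mojo::Server::Daemon->new(app => app, silent => 1);
 my $listen
 = 'https://[::1]'
-. '?127.0.0.1_cert=t/mojo/certs/server.crt'
-. '&127.0.0.1_key=t/mojo/certs/server.key'
+. '?localhost_cert=t/mojo/certs/server.crt'
+. '&localhost_key=t/mojo/certs/server.key'
 . '&example.com_cert=t/mojo/certs/domain.crt'
 . '&example.com_key=t/mojo/certs/domain.key';
 my $forward = $daemon->listen([$listen])->start->ports->[0];
@@ -54,7 +54,7 @@ subtest 'IPv6, TLS, SNI and a proxy' => sub {
 is $tx->res->code, 200, 'right status';
 is $tx->res->body, 'works!', 'right content';
 ok !$tx->error, 'no error';
-$tx = $ua->get("https://127.0.0.1/");
+$tx = $ua->get("https://localhost/");
 is $tx->res->code, 200, 'right status';
 is $tx->res->body, 'works!', 'right content';
 ok !$tx->error, 'no error';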
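Review bot: The three assertions after `$ua->get("https://localhost/")` (new line 57) check only status, body and the absence of an error, so nothing here pins which of the two SNI certificates the server actually presented. If the user agent, which is configured outside this hunk, does not verify the peer against ca.crt, the request would presumably succeed with `domain.crt` just as well. An explicit check along the lines of `is $ua->ioloop->stream($tx->connection)->handle->peer_certificate('cn'), 'localhost', 'right certificate';` would make the SNI selection itself the thing under test. The subtest body starts and ends outside the visible hunks.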

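--- a/t/mojo/ioloop_tls.t
+++ b/t/mojo/ioloop_tls.t
@@ -14,7 +14,7 @@ plan skip_all => 'IO::Socket::SSL 2.009+ required for this test!' unless Moj
 # openssl req -x509 -days 7300 -key ca.key -in ca.csr -out ca.crt
 #
 # openssl genrsa -out server.key 1024
-# openssl req -new -key server.key -out server.csr -subj "/C=US/CN=127.0.0.1"
+# openssl req -new -key server.key -out server.csr -subj "/C=US/CN=localhost"
 # openssl x509 -req -days 7300 -in server.csr -out server.crt -CA ca.crt \
 # -CAkey ca.key -CAcreateserial
 #
@@ -36,7 +36,7 @@ utf8::upgrade $upgraded;
 my ($server, $client);
 my $promise = Mojo::Promise->new->ioloop($loop);
 my $id = $loop->server(
-{address => '127.0.0.1', tls => 1} => sub {
+{address => 'localhost', tls => 1} => sub {
 my ($loop, $stream) = @_;
 $stream->write($upgraded => sub { shift->write('321') });
 $stream->on(close => sub { $promise->resolve });
@@ -46,7 +46,7 @@ my $id = $loop->server(
 my $port = $loop->acceptor($id)->port;
 my $promise2 = Mojo::Promise->new->ioloop($loop);
 $loop->client(
-{port => $port, tls => 1, tls_options => {SSL_verify_mode => 0x00}} => sub {
+{address => 'localhost', port => $port, tls => 1, tls_options => {SSL_verify_mode => 0x00}} => sub {
 my ($loop, $err, $stream) = @_;
 $stream->write('tset' => sub { shift->write('123') });
 $stream->on(close => sub { $promise2->resolve });
@@ -64,7 +64,7 @@ my ($remove, $running, $timeout, $server_err, $server_close, $client_close);
 Mojo::IOLoop->remove(Mojo::IOLoop->recurring(0 => sub { $remove++ }));
 $promise = Mojo::Promise->new;
 $id = Mojo::IOLoop->server(
-address => '127.0.0.1',
+address => 'localhost',
 tls => 1,
 tls_ca => 't/mojo/certs/ca.crt',
 tls_cert => 't/mojo/certs/server.crt',
@@ -88,6 +88,7 @@ $id = Mojo::IOLoop->server(
 $port = Mojo::IOLoop->acceptor($id)->port;
 $promise2 = Mojo::Promise->new;
 Mojo::IOLoop->client(
+address => 'localhost',
 port => $port,
 tls => 1,
 tls_cert => 't/mojo/certs/client.crt',
@@ -118,6 +119,7 @@ ok !$server_err, 'no error';
 # Invalid client certificate
 my $client_err;
 Mojo::IOLoop->client(
+address => 'localhost',
 port => $port,
 tls => 1,
 tls_cert => 't/mojo/certs/bad.crt',
@@ -133,7 +135,7 @@ ok $client_err, 'has error';
 # Missing client certificate
 ($server_err, $client_err) = ();
 Mojo::IOLoop->client(
-{port => $port, tls => 1} => sub {
+{address => 'localhost', port => $port, tls => 1} => sub {
 shift->stop;
 $client_err = shift;
 }
@@ -146,7 +148,7 @@ ok $client_err, 'has error';
 $loop = Mojo::IOLoop->new;
 ($server_err, $client_err) = ();
 $id = $loop->server(
-address => '127.0.0.1',
+address => 'localhost',
 tls => 1,
 tls_ca => 'no cert',
 tls_cert => 't/mojo/certs/server.crt',
@@ -155,6 +157,7 @@ $id = $loop->server(
 );
 $port = $loop->acceptor($id)->port;
 $loop->client(
+address => 'localhost',
 port => $port,
 tls => 1,
 tls_cert => 't/mojo/certs/client.crt',
@@ -173,7 +176,7 @@ ok $client_err, 'has error';
 ($client, $client_close) = ();
 $promise = Mojo::Promise->new;
 $id = Mojo::IOLoop->server(
-address => '127.0.0.1',
+address => 'localhost',
 tls => 1,
 tls_ca => 't/mojo/certs/ca.crt',
 tls_cert => 't/mojo/certs/server.crt',
@@ -195,6 +198,7 @@ $id = Mojo::IOLoop->server(
 $port = Mojo::IOLoop->acceptor($id)->port;
 $promise2 = Mojo::Promise->new;
 Mojo::IOLoop->client(
+address => 'localhost',
 port => $port,
 tls => 1,
 tls_ca => 't/mojo/certs/ca.crt',
@@ -227,17 +231,18 @@ ok !$server_err, 'no error';
 $loop = Mojo::IOLoop->new;
 ($server_err, $client_err) = ();
 $id = $loop->server(
-address => '127.0.0.1',
+address => 'localhost',
 tls => 1,
 tls_cert => 't/mojo/certs/bad.crt',
 tls_key => 't/mojo/certs/bad.key',
 sub { $server_err = 'accepted' }
 );
 $port = $loop->acceptor($id)->port;
 $loop->client(
-port => $port,
-tls => 1,
-tls_ca => 't/mojo/certs/ca.crt',
+address => 'localhost',
+port => $port,
+tls => 1,
+tls_ca => 't/mojo/certs/ca.crt',
 sub {
 shift->stop;
 $client_err = shift;
@@ -251,15 +256,15 @@ ok $client_err, 'has error';
 $loop = Mojo::IOLoop->new;
 ($server_err, $client_err) = ();
 $id = $loop->server(
-address => '127.0.0.1',
+address => 'localhost',
 tls => 1,
 tls_cert => 't/mojo/certs/bad.crt',
 tls_key => 't/mojo/certs/bad.key',
 sub { $server_err = 'accepted' }
 );
 $port = $loop->acceptor($id)->port;
 $loop->client(
-address => '127.0.0.1',
+address => 'localhost',
 port => $port,
 tls => 1,
 tls_ca => 't/mojo/certs/ca.crt',
@@ -276,17 +281,18 @@ ok $client_err, 'has error';
 $loop = Mojo::IOLoop->new;
 ($server_err, $client_err) = ();
 $id = $loop->server(
-address => '127.0.0.1',
+address => 'localhost',
 tls => 1,
 tls_cert => 't/mojo/certs/bad.crt',
 tls_key => 't/mojo/certs/bad.key',
 sub { $server_err = 'accepted' }
 );
 $port = $loop->acceptor($id)->port;
 $loop->client(
-port => $port,
-tls => 1,
-tls_ca => 'no cert',
+address => 'localhost',
+port => $port,
+tls => 1,
+tls_ca => 'no cert',
 sub {
 shift->stop;
 $client_err = shift;
@@ -301,7 +307,7 @@ $loop = Mojo::IOLoop->new;
 my ($cipher, $version);
 ($server, $client, $client_err) = ();
 $id = $loop->server(
-address => '127.0.0.1',
+address => 'localhost',
 tls => 1,
 tls_ca => 't/mojo/certs/ca.crt',
 tls_cert => 't/mojo/certs/server.crt',
@@ -315,6 +321,7 @@ $id = $loop->server(
 );
 $port = $loop->acceptor($id)->port;
 $loop->client(
+address => 'localhost',
 port => $port,
 tls => 1,
 tls_cert => 't/mojo/certs/bad.crt',
@@ -340,7 +347,7 @@ is $cipher, $expect, "$expect has been negotiatied";
 # Ignore missing client certificate
 ($server, $client, $client_err) = ();
 $id = Mojo::IOLoop->server(
-address => '127.0.0.1',
+address => 'localhost',
 tls => 1,
 tls_ca => 't/mojo/certs/ca.crt',
 tls_cert => 't/mojo/certs/server.crt',
@@ -350,7 +357,7 @@ $id = Mojo::IOLoop->server(
 );
 $port = Mojo::IOLoop->acceptor($id)->port;
 Mojo::IOLoop->client(
-{port => $port, tls => 1, tls_options => {SSL_verify_mode => 0x00}} => sub {
+{address => 'localhost', port => $port, tls => 1, tls_options => {SSL_verify_mode => 0x00}} => sub {
 shift->stop;
 $client = 'connected';
 $client_err = shift;
@@ -365,7 +372,7 @@ subtest 'ALPN' => sub {
 plan skip_all => 'ALPN support required!' unless IO::Socket::SSL->can_alpn;
 my ($server_proto, $client_proto);
 $id = Mojo::IOLoop->server(
-address => '127.0.0.1',
+address => 'localhost',
 tls => 1,
 tls_options => {SSL_alpn_protocols => ['foo', 'bar', 'baz']},
 sub {
@@ -376,6 +383,7 @@ subtest 'ALPN' => sub {
 );
 $port = Mojo::IOLoop->acceptor($id)->port;
 Mojo::IOLoop->client(
+address => 'localhost',
 port => $port,
 tls => 1,
 tls_options => {SSL_alpn_protocols => ['baz', 'bar'], SSL_verify_mode => 0x00},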
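Review bot: The regeneration recipe in the header comment (new line 17) still yields a certificate whose only identity is the subject CN, because the `openssl x509 -req` step below it passes no extension file and the result therefore presumably carries no subjectAltName. Hostname checks that follow RFC 6125-style rules prefer a dNSName SAN and some stacks ignore the CN entirely, so the verifying clients in this file that now combine `address => 'localhost'` with `tls_ca` depend on the CN fallback of whichever TLS library runs the tests. I would document the SAN step in the comment, for example `# -CAkey ca.key -CAcreateserial -extfile san.ext` with an example file `san.ext` holding `subjectAltName=DNS:localhost`, and reissue server.crt to match. While the certificate is being reissued, the unchanged `openssl genrsa -out server.key 1024` line is worth revisiting too, since 1024-bit RSA keys are refused at stricter library security levels.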

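--- a/t/mojo/user_agent_tls.t
+++ b/t/mojo/user_agent_tls.t
@@ -21,28 +21,28 @@ get '/' => {text => 'works!'};
 subtest 'Web server with valid certificates' => sub {
 my $daemon = Mojo::Server::Daemon->new(app => app, ioloop => Mojo::IOLoop->singleton, silent => 1);
 my $listen
-= 'https://127.0.0.1'
+= 'https://localhost'
 . '?cert=t/mojo/certs/server.crt'
 . '&key=t/mojo/certs/server.key'
 . '&ca=t/mojo/certs/ca.crt&verify=0x03';
 my $port = $daemon->listen([$listen])->start->ports->[0];
 
 subtest 'No certificate' => sub {
 my $ua = Mojo::UserAgent->new(ioloop => Mojo::IOLoop->singleton);
-my $tx = $ua->get("https://127.0.0.1:$port");
+my $tx = $ua->get("https://localhost:$port");
 ok $tx->error, 'has error';
-$tx = $ua->get("https://127.0.0.1:$port");
+$tx = $ua->get("https://localhost:$port");
 ok $tx->error, 'has error';
-$tx = $ua->ca('t/mojo/certs/ca.crt')->get("https://127.0.0.1:$port");
+$tx = $ua->ca('t/mojo/certs/ca.crt')->get("https://localhost:$port");
 ok $tx->error, 'has error';
-$tx = $ua->get("https://127.0.0.1:$port");
+$tx = $ua->get("https://localhost:$port");
 ok $tx->error, 'has error';
 };
 
 subtest 'Valid certificates' => sub {
 my $ua = Mojo::UserAgent->new(ioloop => Mojo::IOLoop->singleton);
 $ua->ca('t/mojo/certs/ca.crt')->cert('t/mojo/certs/client.crt')->key('t/mojo/certs/client.key');
-my $tx = $ua->get("https://127.0.0.1:$port");
+my $tx = $ua->get("https://localhost:$port");
 ok !$tx->error, 'no error';
 is $tx->res->code, 200, 'right status';
 is $tx->res->body, 'works!', 'right content';
@@ -54,7 +54,7 @@ subtest 'Web server with valid certificates' => sub {
 local $ENV{MOJO_CERT_FILE} = 't/mojo/certs/client.crt';
 local $ENV{MOJO_KEY_FILE} = 't/mojo/certs/client.key';
 local $ENV{MOJO_INSECURE} = 0;
-my $tx = $ua->get("https://127.0.0.1:$port");
+my $tx = $ua->get("https://localhost:$port");
 is $ua->ca, 't/mojo/certs/ca.crt', 'right path';
 is $ua->cert, 't/mojo/certs/client.crt', 'right path';
 is $ua->key, 't/mojo/certs/client.key', 'right path';
@@ -67,7 +67,7 @@ subtest 'Web server with valid certificates' => sub {
 subtest 'Invalid certificate' => sub {
 my $ua = Mojo::UserAgent->new(ioloop => Mojo::IOLoop->singleton);
 $ua->cert('t/mojo/certs/bad.crt')->key('t/mojo/certs/bad.key');
-my $tx = $ua->get("https://127.0.0.1:$port");
+my $tx = $ua->get("https://localhost:$port");
 ok $tx->error, 'has error';
 };
 };
@@ -76,7 +76,7 @@ subtest 'Web server with valid certificates' => sub {
 subtest 'Web server with valid certificates and no verification' => sub {
 my $daemon = Mojo::Server::Daemon->new(app => app, ioloop => Mojo::IOLoop->singleton, silent => 1);
 my $listen
-= 'https://127.0.0.1'
+= 'https://localhost'
 . '?cert=t/mojo/certs/server.crt'
 . '&key=t/mojo/certs/server.key'
 . '&ca=t/mojo/certs/ca.crt'
@@ -88,36 +88,36 @@ subtest 'Web server with valid certificates and no verification' => sub {
 # Invalid certificate
 my $ua = Mojo::UserAgent->new(ioloop => Mojo::IOLoop->singleton);
 $ua->cert('t/mojo/certs/bad.crt')->key('t/mojo/certs/bad.key');
-my $tx = $ua->get("https://127.0.0.1:$port");
+my $tx = $ua->get("https://localhost:$port");
 ok $tx->error, 'has error';
 $ua = Mojo::UserAgent->new(ioloop => $ua->ioloop, insecure => 1);
 $ua->cert('t/mojo/certs/bad.crt')->key('t/mojo/certs/bad.key');
-$tx = $ua->get("https://127.0.0.1:$port");
+$tx = $ua->get("https://localhost:$port");
 ok !$tx->error, 'no error';
 is $ua->ioloop->stream($tx->connection)->handle->get_cipher, 'AES256-SHA', 'AES256-SHA has been negotiatied';
 is $ua->ioloop->stream($tx->connection)->handle->get_sslversion, 'TLSv1', 'TLSv1 has been negotiatied';
 };
 
 subtest 'Client side TLS options' => sub {
 my $daemon = Mojo::Server::Daemon->new(app => app, ioloop => Mojo::IOLoop->singleton, silent => 1);
-my $listen = 'https://127.0.0.1/?version=TLSv1_1';
+my $listen = 'https://localhost/?version=TLSv1_1';
 my $port = $daemon->listen([$listen])->start->ports->[0];
 
 subtest '(Not) setting verification mode' => sub {
 my $ua = Mojo::UserAgent->new(ioloop => Mojo::IOLoop->singleton);
-my $tx = $ua->get("https://127.0.0.1:$port");
+my $tx = $ua->get("https://localhost:$port");
 like $tx->error->{message}, qr/certificate verify failed/, 'has error';
 
 $ua = Mojo::UserAgent->new(ioloop => Mojo::IOLoop->singleton);
 $ua->tls_options({SSL_verify_mode => 0x00});
-$tx = $ua->get("https://127.0.0.1:$port");
+$tx = $ua->get("https://localhost:$port");
 ok !$tx->error, 'no error';
 };
 
 subtest 'Setting acceptable protocol version' => sub {
 my $ua = Mojo::UserAgent->new(ioloop => Mojo::IOLoop->singleton);
 $ua->tls_options({SSL_version => 'TLSv1_2'});
-my $tx = $ua->get("https://127.0.0.1:$port");
+my $tx = $ua->get("https://localhost:$port");
 like $tx->error->{message}, qr/wrong ssl version/, 'has error';
 };
 };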
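Review bot: The negative cases in 'No certificate' and 'Invalid certificate' assert only `ok $tx->error, 'has error';`, and now that every request goes to `https://localhost:$port` a name-resolution problem or a hostname mismatch would satisfy them just as well as the client-certificate rejection they are meant to cover. Matching on the message, as the '(Not) setting verification mode' subtest already does with `like $tx->error->{message}, qr/certificate verify failed/, 'has error';`, would keep these tests failing only for the intended reason. The exact pattern for a missing or rejected client certificate has to be taken from the TLS library in use. The same applies to the `ok $client_err, 'has error';` checks in t/mojo/ioloop_tls.t.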
