| # |
| # Licensed to the Apache Software Foundation (ASF) under one or more |
| # contributor license agreements. See the NOTICE file distributed with |
| # this work for additional information regarding copyright ownership. |
| # The ASF licenses this file to You under the Apache License, Version 2.0 |
| # (the "License"); you may not use this file except in compliance with |
| # the License. You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, software |
| # distributed under the License is distributed on an "AS IS" BASIS, |
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| # See the License for the specific language governing permissions and |
| # limitations under the License. |
| # |
| use t::APISIX; |
| |
| repeat_each(1); |
| log_level('info'); |
| no_root_location(); |
| no_shuffle(); |
| |
| my $openssl_bin = $ENV{OPENSSL_BIN}; |
| if (! -x $openssl_bin) { |
| $ENV{OPENSSL_BIN} = '/usr/local/openresty/openssl3/bin/openssl'; |
| if (! -x $ENV{OPENSSL_BIN}) { |
| plan(skip_all => "openssl3 not installed"); |
| } |
| } |
| |
| plan('no_plan'); |
| |
| add_block_preprocessor(sub { |
| my ($block) = @_; |
| |
| my $yaml_config = $block->yaml_config // <<_EOC_; |
| deployment: |
| role: traditional |
| role_traditional: |
| config_provider: etcd |
| admin: |
| admin_key: null |
| apisix: |
| node_listen: 1984 |
| proxy_mode: http&stream |
| stream_proxy: |
| tcp: |
| - 9100 |
| enable_resolv_search_opt: false |
| ssl: |
| ssl_protocols: TLSv1.1 TLSv1.2 TLSv1.3 |
| ssl_ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES256-SHA |
| _EOC_ |
| |
| $block->set_value("yaml_config", $yaml_config); |
| }); |
| |
| run_tests(); |
| |
| __DATA__ |
| |
| === TEST 1: set route |
| --- config |
| location /t { |
| content_by_lua_block { |
| local t = require("lib.test_admin").test |
| local code, body = t('/apisix/admin/routes/1', |
| ngx.HTTP_PUT, |
| [[{ |
| "upstream": { |
| "nodes": { |
| "127.0.0.1:1980": 1 |
| }, |
| "type": "roundrobin" |
| }, |
| "uris": ["/hello", "/world"] |
| }]] |
| ) |
| if code >= 300 then |
| ngx.status = code |
| ngx.say(message) |
| return |
| end |
| ngx.say(body) |
| } |
| } |
| --- request |
| GET /t |
| --- response_body |
| passed |
| |
| |
| |
| === TEST 2: create ssl for test.com (unset ssl_protocols) |
| --- config |
| location /t { |
| content_by_lua_block { |
| local core = require("apisix.core") |
| local t = require("lib.test_admin") |
| |
| local ssl_cert = t.read_file("t/certs/apisix.crt") |
| local ssl_key = t.read_file("t/certs/apisix.key") |
| local data = {cert = ssl_cert, key = ssl_key, sni = "test.com"} |
| |
| local code, body = t.test('/apisix/admin/ssls/1', |
| ngx.HTTP_PUT, |
| core.json.encode(data), |
| [[{ |
| "value": { |
| "sni": "test.com", |
| "ssl_protocols": null, |
| }, |
| "key": "/apisix/ssls/1" |
| }]] |
| ) |
| |
| ngx.status = code |
| ngx.say(body) |
| } |
| } |
| --- request |
| GET /t |
| --- response_body |
| passed |
| |
| |
| |
| === TEST 3: Successfully, access test.com with TLSv1.3 |
| --- exec |
| echo -n "Q" | $OPENSSL_BIN s_client -connect 127.0.0.1:1994 -servername test.com -tls1_3 2>&1 | cat |
| --- response_body eval |
| qr/Server certificate/ |
| |
| |
| |
| === TEST 4: Successfully, access test.com with TLSv1.2 |
| --- exec |
| curl -k -v --tls-max 1.2 --tlsv1.2 --resolve "test.com:1994:127.0.0.1" https://test.com:1994/hello 2>&1 | cat |
| --- response_body eval |
| qr/TLSv1\.2 \(IN\), TLS handshake, Server hello(?s).*hello world/ |
| |
| |
| |
| === TEST 5: Successfully, access test.com with TLSv1.1 |
| --- exec |
| echo -n "Q" | $OPENSSL_BIN s_client -connect 127.0.0.1:1994 -servername test.com -tls1_1 2>&1 | cat |
| --- response_body eval |
| qr/Server certificate/ |
| |
| |
| |
| === TEST 6: set TLSv1.2 and TLSv1.3 for test.com |
| --- config |
| location /t { |
| content_by_lua_block { |
| local core = require("apisix.core") |
| local t = require("lib.test_admin") |
| |
| local ssl_cert = t.read_file("t/certs/apisix.crt") |
| local ssl_key = t.read_file("t/certs/apisix.key") |
| local data = {cert = ssl_cert, key = ssl_key, sni = "test.com", ssl_protocols = {"TLSv1.2", "TLSv1.3"}} |
| |
| local code, body = t.test('/apisix/admin/ssls/1', |
| ngx.HTTP_PUT, |
| core.json.encode(data), |
| [[{ |
| "value": { |
| "sni": "test.com", |
| "ssl_protocols": ["TLSv1.2", "TLSv1.3"], |
| }, |
| "key": "/apisix/ssls/1" |
| }]] |
| ) |
| |
| ngx.status = code |
| ngx.say(body) |
| } |
| } |
| --- request |
| GET /t |
| --- response_body |
| passed |
| |
| |
| |
| === TEST 7: Set TLSv1.3 for the test2.com |
| --- config |
| location /t { |
| content_by_lua_block { |
| local core = require("apisix.core") |
| local t = require("lib.test_admin") |
| |
| local ssl_cert = t.read_file("t/certs/test2.crt") |
| local ssl_key = t.read_file("t/certs/test2.key") |
| local data = {cert = ssl_cert, key = ssl_key, sni = "test2.com", ssl_protocols = {"TLSv1.3"}} |
| |
| local code, body = t.test('/apisix/admin/ssls/2', |
| ngx.HTTP_PUT, |
| core.json.encode(data), |
| [[{ |
| "value": { |
| "sni": "test2.com" |
| }, |
| "key": "/apisix/ssls/2" |
| }]] |
| ) |
| |
| ngx.status = code |
| ngx.say(body) |
| } |
| } |
| --- response_body |
| passed |
| --- request |
| GET /t |
| |
| |
| |
| === TEST 8: Successfully, access test.com with TLSv1.3 |
| --- exec |
| echo -n "Q" | $OPENSSL_BIN s_client -connect 127.0.0.1:1994 -servername test.com -tls1_3 2>&1 | cat |
| --- response_body eval |
| qr/Server certificate/ |
| |
| |
| |
| === TEST 9: Successfully, access test.com with TLSv1.2 |
| --- exec |
| curl -k -v --tls-max 1.2 --tlsv1.2 --resolve "test.com:1994:127.0.0.1" https://test.com:1994/hello 2>&1 | cat |
| --- response_body eval |
| qr/TLSv1\.2 \(IN\), TLS handshake, Server hello(?s).*hello world/ |
| |
| |
| |
| === TEST 10: Successfully, access test2.com with TLSv1.3 |
| --- exec |
| echo -n "Q" | $OPENSSL_BIN s_client -connect 127.0.0.1:1994 -servername test2.com -tls1_3 2>&1 | cat |
| --- response_body eval |
| qr/Server certificate/ |
| |
| |
| |
| === TEST 11: Failed, access test2.com with TLSv1.2 |
| --- exec |
| curl -k -v --tls-max 1.2 --tlsv1.2 --resolve "test2.com:1994:127.0.0.1" https://test2.com:1994/hello 2>&1 | cat |
| --- response_body eval |
| qr/TLSv1\.2 \(IN\), TLS alert/ |
| |
| |
| |
| === TEST 12: set TLSv1.1 for test.com |
| --- config |
| location /t { |
| content_by_lua_block { |
| local core = require("apisix.core") |
| local t = require("lib.test_admin") |
| |
| local ssl_cert = t.read_file("t/certs/apisix.crt") |
| local ssl_key = t.read_file("t/certs/apisix.key") |
| local data = {cert = ssl_cert, key = ssl_key, sni = "test.com", ssl_protocols = {"TLSv1.1"}} |
| |
| local code, body = t.test('/apisix/admin/ssls/1', |
| ngx.HTTP_PUT, |
| core.json.encode(data), |
| [[{ |
| "value": { |
| "sni": "test.com", |
| "ssl_protocols": ["TLSv1.1"], |
| }, |
| "key": "/apisix/ssls/1" |
| }]] |
| ) |
| |
| ngx.status = code |
| ngx.say(body) |
| } |
| } |
| --- request |
| GET /t |
| --- response_body |
| passed |
| |
| |
| |
| === TEST 13: Successfully, access test.com with TLSv1.1 |
| --- exec |
| echo -n "Q" | $OPENSSL_BIN s_client -connect 127.0.0.1:1994 -servername test.com -tls1_1 2>&1 | cat |
| --- response_body eval |
| qr/Server certificate/ |
| |
| |
| |
| === TEST 14: Failed, access test.com with TLSv1.3 |
| --- exec |
| echo -n "Q" | $OPENSSL_BIN s_client -connect 127.0.0.1:1994 -servername test.com -tls1_3 2>&1 | cat |
| --- response_body eval |
| qr/tlsv1 alert/ |
