nghttpx: Refactor code to build cert_tree, add SNI test

4b58b25c · Tatsuhiro Tsujikawa · fbd9bcb0 · 4b58b25c · 4b58b25c · 4b58b25c
Commit 4b58b25c authored Jan 25, 2015 by Tatsuhiro Tsujikawa
5 changed files
--- a/integration-tests/alt-server.crt
+++ b/integration-tests/alt-server.crt
+-----BEGIN CERTIFICATE-----
+MIIDhzCCAm+gAwIBAgIJANfuEldiquMNMA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNV
+BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
+aWRnaXRzIFB0eSBMdGQxEzARBgNVBAMMCmFsdC1kb21haW4wHhcNMTUwMTI1MDYy
+NTQxWhcNMjUwMTIyMDYyNTQxWjBaMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29t
+ZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMRMwEQYD
+VQQDDAphbHQtZG9tYWluMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+0IwhDOGDipGrJQ9IoRSzPdkU/Ii4aJgGKHlXminym42X0VI3IW61RLvOHRlHVmVH
+JQjFuDo2x+y81t9NlDg3HGUbSpzOzpm6StiutB7c4hreT5G4r0YKya1ugiemN0+p
+qjIPJWm2jVnf448eZvUKRKEQ9W0MLZjiNjVGKrKlwo7fIlXg4N3+YixLYffAT1NV
+d1T6V5jzlbruj15gK2nGjMQ9D1h1t9vTbTxY+mtk72aX0Y64IE6pPBWLFSSH8ozU
+idDoL3AZwz2Jker+ALKK8CM4uho/RPpyW1C06HH+HLdH2MqEjDOROde/Nzxm668O
+gK/JWGIEyUqYiUXx0yhFxwIDAQABo1AwTjAdBgNVHQ4EFgQU/Y0GDN2uPjbyePcu
+95ZvYEK/gHIwHwYDVR0jBBgwFoAU/Y0GDN2uPjbyePcu95ZvYEK/gHIwDAYDVR0T
+BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAodD6LVCzL3wfsZ6TxTzf9TfgIdbj
+ilL3SEMT/xnfTXT3SLYScTRqQIAI29Y7dOLMq89p4hY2wmeUEhBUAz+y9G2JVr8o
+6EbxXrQpWgNJogELqoNnMdrDxB5RsmDDKEJ/rLjDfSkjWbK7B2PZsqVTDgjekCFw
+u6FqTIjn/O1O/L5tjwxwxjHmQod/maFCvXoDOVBuwdHnkp298tqlvsHfHO8m++Wj
+XYB8plMIjpeTh9v4w9Jc4QZ59lK/3Tt4qaENeQrMEubKSY/Zen7L2bzhk+cChWT
+GSGz9uNXieoZaH79D0wnyZaSZ5Ds4ActMevnGg3iYXuzuFqx8Pungn74Vg==
+-----END CERTIFICATE-----
--- a/integration-tests/alt-server.key
+++ b/integration-tests/alt-server.key
+-----BEGIN PRIVATE KEY-----
+MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQDQjCEM4YOKkasl
+D0ihFLM92RT8iLhomAYoeVeaKfKbjZfRUjchbrVEu84dGUdWZUclCMW4OjbH7LzW
+302UODccZRtKnM7OmbpK2K60HtziGt5PkbivRgrJrW6CJ6Y3T6mqMg8labaNWd/j
+jx5m9QpEoRD1bQwtmOI2NUYqsqXCjt8iVeDg3f5iLEth98BPU1V3VPpXmPOVuu6P
+XmAracaMxD0PWHW329NtPFj6a2TvZpfRjrggTqk8FYsVJIfyjNSJ0OgvcBnDPYmR
+6v4AsorwIzi6Gj9E+nJbULTocf4ct0fYyoSMM5E51783PGbrrw6Ar8lYYgTJSpiJ
+RfHTKEXHAgMBAAECggEBALTrjFSXY72YB+h7rN+JjMIwDIPUvF6I3HbKZhQpJf6K
+xNVkRM2tNHavku0tm/S4ohLf3F+pqRKiL2Udjjjy1+S7VgTRqpwTQ0lhV5aNW8SP
+2KMg4R61XfB+k+s4KHu9kYxEJ12mqydPe+r3o0FgfYryTDsOYk1AX6b1aqzqFOGF
+7GaqLALSbKU59tcJJ1SZNBbpIKFUrAT9nZt9dW02/foqP5bzUk43Yjw48xmLwegc
+bMXXcpZhNZSktltvwRw7Q4Foc9kuRlMdTAnAD9PnMCcZwicS/YeVVF6Rz4fGviKv
+7/kPHQ7g4YpFktVDzuZ5xw6GDVFeJ6uGMVUX8+EePvkCgYEA+/nrcn82nFHCxm8Q
+0iiUhi/AoXjZg+O5Ytaje9O/YNoX+c4ywe13h0+TXKH79O0KfTwXeJyDgPZbAIFV
+9oURellRYUzKDafnBHis2f+Ywn6GqHL5e2X30ZxIp1GK46pcvne1YuvJhgGmiVay
+vd7sRx09OKU124dG22rIFCis6asCgYEA0+CsA6LrEwQ/aPJYASY3VHNO/WoAOnPg
+Cwsg+02XWsPEwP//lNmpanz8TUm2URS063ZK8bx7t3ejvDgBdsRwwjiMlDp7XTUU
+3Zk+mhCV2qkMi02aKemvz29bDhmh5JoH7W3IwsXtJYO0yZDYrDR3ioiKRccioPoE
+b/Nq781sEFUCgYEA4xqx9xRpaCLY5nicNI6WrwrDF8YQZisNn+PMnYKP7v8itOgA
+H4GkRbSXINpueKZc2dsbXH3UmJtyEdaAYBw3UIrIKmZHhl9afFE3mZQhXssjGxfl
+fC6/WZD+eq+n+uJFjPXf6jSSAdHjA828dB1D4CSeVTuyexZF6uUnR+QRVNkCgYEA
+i+pb7XLSpZYygY03zFp+Q0h6KyKqz+7hTqmkuA8/GfMZpRHop1UtaWLsAeXhfZ2c
+87kEOKptUHSzLYIWhWWnyLorK1+LQ7vf8Y5XJso5C1KDNCKk4XSuYt94U9FddWa6
+QXI0F1s5BYL6Cfma++0R2+va08Vy+rbf40XtojoXWJkCgYEA0hMQSCvok7is27nQ
+G80KXfmghU2eEB7zif3T00/fwJycxEbmnNeof+SKmhdY4ZgqTscfOxlQPflV/eqB
+xs4GnFDDeM0F8KH0BimOXxr7sJPFCg22PCCQQcRtM/KoU+ip/kNmTfwrsC0xMFPU
+HD8M1JCZF2eLMekXXP3cB0U4sUs=
+-----END PRIVATE KEY-----
--- a/integration-tests/nghttpx_http2_test.go
+++ b/integration-tests/nghttpx_http2_test.go
 package nghttp2

 import (
+	"crypto/tls"
 	"fmt"
 	"github.com/bradfitz/http2"
 	"github.com/bradfitz/http2/hpack"
@@ -358,6 +359,21 @@ func TestH2H1TEGzip(t *testing.T) {
 	}
 }

+func TestH2H1SNI(t *testing.T) {
+	st := newServerTesterTLSConfig([]string{"--subcert=" + testDir + "/alt-server.key:" + testDir + "/alt-server.crt"}, t, noopHandler, &tls.Config{
+		ServerName: "alt-domain",
+	})
+	defer st.Close()
+
+	tlsConn := st.conn.(*tls.Conn)
+	connState := tlsConn.ConnectionState()
+	cert := connState.PeerCertificates[0]
+
+	if got, want := cert.Subject.CommonName, "alt-domain"; got != want {
+		t.Errorf("CommonName: %v; want %v", got, want)
+	}
+}
+
 // TestH2H1GracefulShutdown tests graceful shutdown.
 func TestH2H1GracefulShutdown(t *testing.T) {
 	st := newServerTester(nil, t, noopHandler)

--- a/integration-tests/server_tester.go
+++ b/integration-tests/server_tester.go
@@ -60,17 +60,23 @@ type serverTester struct {
 // newServerTester creates test context for plain TCP frontend
 // connection.
 func newServerTester(args []string, t *testing.T, handler http.HandlerFunc) *serverTester {
-	return newServerTesterInternal(args, t, handler, false)
+	return newServerTesterInternal(args, t, handler, false, nil)
 }

 // newServerTester creates test context for TLS frontend connection.
 func newServerTesterTLS(args []string, t *testing.T, handler http.HandlerFunc) *serverTester {
-	return newServerTesterInternal(args, t, handler, true)
+	return newServerTesterInternal(args, t, handler, true, nil)
+}
+
+// newServerTester creates test context for TLS frontend connection
+// with given clientConfig
+func newServerTesterTLSConfig(args []string, t *testing.T, handler http.HandlerFunc, clientConfig *tls.Config) *serverTester {
+	return newServerTesterInternal(args, t, handler, true, clientConfig)
 }

 // newServerTesterInternal creates test context.  If frontendTLS is
 // true, set up TLS frontend connection.
-func newServerTesterInternal(args []string, t *testing.T, handler http.HandlerFunc, frontendTLS bool) *serverTester {
+func newServerTesterInternal(args []string, t *testing.T, handler http.HandlerFunc, frontendTLS bool, clientConfig *tls.Config) *serverTester {
 	ts := httptest.NewUnstartedServer(handler)

 	backendTLS := false
@@ -134,10 +140,14 @@ func newServerTesterInternal(args []string, t *testing.T, handler http.HandlerFu
 		var conn net.Conn
 		var err error
 		if frontendTLS {
-			tlsConfig := &tls.Config{
-				InsecureSkipVerify: true,
-				NextProtos:         []string{"h2-14", "spdy/3.1"},
+			var tlsConfig *tls.Config
+			if clientConfig == nil {
+				tlsConfig = new(tls.Config)
+			} else {
+				tlsConfig = clientConfig
 			}
+			tlsConfig.InsecureSkipVerify = true
+			tlsConfig.NextProtos = []string{"h2-14", "spdy/3.1"}
 			conn, err = tls.Dial("tcp", authority, tlsConfig)
 		} else {
 			conn, err = net.Dial("tcp", authority)

--- a/src/shrpx_ssl.cc
+++ b/src/shrpx_ssl.cc
@@ -950,8 +950,12 @@ SSL_CTX *setup_server_ssl_context() {
  auto ssl_ctx = ssl::create_ssl_context(get_config()->private_key_file.get(),
                                         get_config()->cert_file.get());

-  auto cert_tree =
-      get_config()->subcerts.empty() ? nullptr : cert_lookup_tree_new();
+  if (get_config()->subcerts.empty()) {
+    return ssl_ctx;
+  }
+
+  auto cert_tree = cert_lookup_tree_new();
+
  worker_config->cert_tree = cert_tree;

  for (auto &keycert : get_config()->subcerts) {
@@ -964,12 +968,10 @@ SSL_CTX *setup_server_ssl_context() {
    }
  }

-  if (cert_tree) {
-    if (ssl::cert_lookup_tree_add_cert_from_file(
-            cert_tree, ssl_ctx, get_config()->cert_file.get()) == -1) {
-      LOG(FATAL) << "Failed to add default certificate.";
-      DIE();
-    }
+  if (ssl::cert_lookup_tree_add_cert_from_file(
+          cert_tree, ssl_ctx, get_config()->cert_file.get()) == -1) {
+    LOG(FATAL) << "Failed to add default certificate.";
+    DIE();
  }

  return ssl_ctx;