X-Git-Url: http://www.git.stargrave.org/?a=blobdiff_plain;f=t%2Fhttpd-https.t;h=b0cd7eab51d4719321f954730843585a4bfdc1fb;hb=5f9baf72510643f3865223b5fe4ddb8768a3996c;hp=1d2e4d5c25e0aa51da150d5985808b9277865c1c;hpb=3c313f9034aac96182e2efdc2f92c40803626f32;p=public-inbox.git
diff --git a/t/httpd-https.t b/t/httpd-https.t
index 1d2e4d5c..b0cd7eab 100644
--- a/t/httpd-https.t
+++ b/t/httpd-https.t
@@ -1,30 +1,41 @@
-# Copyright (C) 2019 all contributors
+#!perl -w
+# Copyright (C) all contributors
 # License: AGPL-3.0+
-use strict;
-use warnings;
-use Test::More;
+use v5.12;
 use Socket qw(SOCK_STREAM IPPROTO_TCP SOL_SOCKET);
+use PublicInbox::TestCommon;
+use File::Copy qw(cp);
 # IO::Poll is part of the standard library, but distros may split them off...
-foreach my $mod (qw(IO::Socket::SSL IO::Poll)) {
-	eval "require $mod";
-	plan skip_all => "$mod missing for $0" if $@;
-}
-my $cert = 'certs/server-cert.pem';
-my $key = 'certs/server-key.pem';
-unless (-r $key && -r $cert) {
+require_mods(qw(IO::Socket::SSL IO::Poll Plack::Util));
+my @certs = qw(certs/server-cert.pem certs/server-key.pem
+	certs/server2-cert.pem certs/server2-key.pem);
+if (scalar(grep { -r $_ } @certs) != scalar(@certs)) {
 	plan skip_all =>
 		"certs/ missing for $0, run $^X ./create-certs.perl in certs/";
 }
 use_ok 'PublicInbox::TLS';
 use_ok 'IO::Socket::SSL';
-use PublicInbox::TestCommon;
 my $psgi = "./t/httpd-corner.psgi";
 my ($tmpdir, $for_destroy) = tmpdir();
 my $err = "$tmpdir/stderr.log";
 my $out = "$tmpdir/stdout.log";
 my $https = tcp_server();
 my $td;
-my $https_addr = $https->sockhost . ':' . $https->sockport;
+my $https_addr = tcp_host_port($https);
+my $cert = "$tmpdir/cert.pem";
+my $key = "$tmpdir/key.pem";
+cp('certs/server-cert.pem', $cert) or xbail $!;
+cp('certs/server-key.pem', $key) or xbail $!;
+
+my $check_url_scheme = sub {
+	my ($s, $line) = @_;
+	$s->print("GET /url_scheme HTTP/1.1\r\n\r\nHost: example.com\r\n\r\n")
+		or xbail "failed to write HTTP request: $! (line $line)";
+	my $buf = '';
+	sysread($s, $buf, 2007, length($buf)) until $buf =~ /\r\n\r\nhttps?/;
+	like($buf, qr!\AHTTP/1\.1 200!, "read HTTPS response (line $line)");
+	like($buf, qr!\r\nhttps\z!, "psgi.url_scheme is 'https' (line $line)");
+};
 for my $args (
 	[ "-lhttps://$https_addr/?key=$key,cert=$cert" ],
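Review bot: The read loop in the new `$check_url_scheme` closure, `sysread($s, $buf, 2007, length($buf)) until $buf =~ /\r\n\r\nhttps?/;`, never looks at sysread's return value, so an EOF (0) or an error (undef) leaves `$buf` unchanged and the test spins forever instead of failing; the call sites added at +67 and +107 inherit this. A second, smaller hazard is that `https?` is already satisfied by a read ending in `...\r\n\r\nhttp`, so a short read one byte before the final `s` would make the `\r\nhttps\z` assertion fail spuriously — probably rare with a small single-record response, but worth knowing when the test flakes. Bail explicitly on EOF and error so a hang becomes a diagnosed failure:
```perl
	my $buf = '';
	until ($buf =~ /\r\n\r\nhttps?/) {
		my $n = sysread($s, $buf, 2007, length($buf));
		defined($n) or xbail "sysread: $! (line $line)";
		$n or xbail "EOF before HTTP response (line $line)";
	}
	# … unchanged: like() assertions on $buf …
```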
@@ -56,11 +67,7 @@ for my $args (
 	# normal HTTPS
 	my $c = tcp_connect($https);
 	IO::Socket::SSL->start_SSL($c, %o);
-	ok($c->print("GET /empty HTTP/1.1\r\n\r\nHost: example.com\r\n\r\n"),
-		'wrote HTTP request');
-	my $buf = '';
-	sysread($c, $buf, 2007, length($buf)) until $buf =~ /\r\n\r\n/;
-	like($buf, qr!\AHTTP/1\.1 200!, 'read HTTP response');
+	$check_url_scheme->($c, __LINE__);
 
 	# HTTPS with bad hostname
 	$c = tcp_connect($https);
@@ -83,14 +90,14 @@ for my $args (
 	$slow->blocking(1);
 	ok($slow->print("GET /empty HTTP/1.1\r\n\r\nHost: example.com\r\n\r\n"),
 		'wrote HTTP request from slow');
-	$buf = '';
+	my $buf = '';
 	sysread($slow, $buf, 666, length($buf)) until $buf =~ /\r\n\r\n/;
 	like($buf, qr!\AHTTP/1\.1 200!, 'read HTTP response from slow');
 	$slow = undef;
 
 	SKIP: {
 		skip 'TCP_DEFER_ACCEPT is Linux-only', 2 if $^O ne 'linux';
-		my $var = Socket::TCP_DEFER_ACCEPT();
+		my $var = eval { Socket::TCP_DEFER_ACCEPT() } // 9;
 		defined(my $x = getsockopt($https, IPPROTO_TCP, $var)) or die;
 		ok(unpack('i', $x) > 0, 'TCP_DEFER_ACCEPT set on https');
 	};
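Review bot: The fallback in `my $var = eval { Socket::TCP_DEFER_ACCEPT() } // 9;` is an undocumented magic number, and the `eval` also silently swallows whatever made the constant unavailable, so a reader has no way to tell that 9 is the Linux value of TCP_DEFER_ACCEPT rather than an arbitrary guess. Name its origin in a trailing comment, e.g. `my $var = eval { Socket::TCP_DEFER_ACCEPT() } // 9; # TCP_DEFER_ACCEPT from <linux/tcp.h>; older Socket.pm lacks the constant`. The value is only used inside the block that is skipped when `$^O ne 'linux'`, so the hard-coded fallback is safe, but the comment makes that dependency explicit. The enclosing `for my $args` loop starts and ends outside this hunk.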
@@ -100,12 +107,34 @@ for my $args (
 			skip 'accf_data not loaded? kldload accf_data', 2;
 		}
 		require PublicInbox::Daemon;
-		my $var = PublicInbox::Daemon::SO_ACCEPTFILTER();
-		my $x = getsockopt($https, SOL_SOCKET, $var);
+		ok(defined($PublicInbox::Daemon::SO_ACCEPTFILTER),
+			'SO_ACCEPTFILTER defined');
+		my $x = getsockopt($https, SOL_SOCKET,
+			$PublicInbox::Daemon::SO_ACCEPTFILTER);
 		like($x, qr/\Adataready\0+\z/, 'got dataready accf for https');
 	};
 
-	$c = undef;
+	# switch cert and key:
+	cp('certs/server2-cert.pem', $cert) or xbail $!;
+	cp('certs/server2-key.pem', $key) or xbail $!;
+	$td->kill('HUP') or xbail "kill: $!";
+	tick(); # wait for SIGHUP to take effect (hopefully :x)
+
+	my $d = tcp_connect($https);
+	$d = IO::Socket::SSL->start_SSL($d, %o);
+	is($d, undef, 'HTTPS fails with bad hostname after new cert on HUP');
+
+	$d = tcp_connect($https);
+	$o{SSL_hostname} = $o{SSL_verifycn_name} = 'server2.local';
+	is(IO::Socket::SSL->start_SSL($d, %o), $d,
+		'new hostname to match cert works after HUP');
+	$check_url_scheme->($d, __LINE__);
+
+	# existing connection w/ old cert still works:
+	$check_url_scheme->($c, __LINE__);
+
+	undef $c;
+	undef $d;
 	$td->kill;
 	$td->join;
 	is($?, 0, 'no error in exited process');
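Review bot: `is($d, undef, 'HTTPS fails with bad hostname after new cert on HUP')` accepts any handshake failure, so a server that died on SIGHUP or a TLS error unrelated to the certificate swap would still pass; the point of the check is that verification of the old hostname still held in `%o` (set before this hunk) rejects the new certificate. Pin the reason by following it with `like($IO::Socket::SSL::SSL_ERROR, qr/hostname/i, 'failure is hostname verification');` (adjust the pattern to the message IO::Socket::SSL actually reports). The fixed `tick()` before the first connect makes the sequence timing-dependent, as the comment itself admits; if it proves flaky, retrying the handshake until it fails with that error would make the reload observable rather than assumed. The enclosing `for my $args` loop starts outside this hunk.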