Update live_ssl tests

- Replace some hosts with *.badssl.com - Add self signed snake-oil certificate for checking failures rather than using SSL_verify_callback - Test `verify_SSL` parameter in addition to low level SSL_options - Test for PERL_HTTP_TINY_INSECURE=1
chansen · May 21, 2023 · 55814e5 · 55814e5
1 parent 008d26e
commit 55814e5
Show file tree

Hide file tree

Showing 2 changed files with 103 additions and 41 deletions.
diff --git a/t/210_live_ssl.t b/t/210_live_ssl.t
@@ -27,33 +27,56 @@ if ( can_run('openssl') ) {
   diag "\nNote: running test with ", qx/openssl version/;
 }
 
-my $data = {
-    'https://www.google.ca/' => {
-        host => 'www.google.ca',
-        pass => { SSL_verifycn_scheme => 'http', SSL_verifycn_name => 'www.google.ca', SSL_verify_mode => 0x01, SSL_ca_file => Mozilla::CA::SSL_ca_file() },
-        fail => { SSL_verify_callback => sub { 0 }, SSL_verify_mode => 0x01 },
-        default_should_yield => '1',
-    },
-    'https://twitter.com/' => {
-        host => 'twitter.com',
-        pass => { SSL_verifycn_scheme => 'http', SSL_verifycn_name => 'twitter.com', SSL_verify_mode => 0x01, SSL_ca_file => Mozilla::CA::SSL_ca_file() },
-        fail => { SSL_verify_callback => sub { 0 }, SSL_verify_mode => 0x01 },
-        default_should_yield => '1',
-    },
-    'https://github.com/' => {
-        host => 'github.com',
-        pass => { SSL_verifycn_scheme => 'http', SSL_verifycn_name => 'github.com', SSL_verify_mode => 0x01, SSL_ca_file => Mozilla::CA::SSL_ca_file() },
-        fail => { SSL_verify_callback => sub { 0 }, SSL_verify_mode => 0x01 },
+test_ssl('https://cpan.org/' => {
+    host => 'cpan.org',
+    pass => { verify_SSL => 1 },
+    fail => { verify_SSL => 1, SSL_options => { SSL_ca_file => "t/snake-oil.crt" } },
+    default_should_yield => '1',
+});
+
+test_ssl('https://github.com/' => {
+    host => 'github.com',
+    pass => { verify_SSL => 1 },
+    fail => { verify_SSL => 1, SSL_options => { SSL_ca_file => "t/snake-oil.crt" } },
+    default_should_yield => '1',
+});
+
+test_ssl('https://wrong.host.badssl.com/' => {
+    host => 'wrong.host.badssl.com',
+    pass => { SSL_options => { SSL_verifycn_scheme => 'none', SSL_verifycn_name => 'wrong.host.badssl.com', SSL_verify_mode => 0x00 } },
+    fail => { SSL_options => { SSL_verifycn_scheme => 'http', SSL_verifycn_name => 'wrong.host.badssl.com', SSL_verify_mode => 0x01, SSL_ca_file => Mozilla::CA::SSL_ca_file() } },
+    default_should_yield => '',
+});
+
+test_ssl('https://untrusted-root.badssl.com/' => {
+    host => 'untrusted-root.badssl.com',
+    pass => { verify_SSL => 0 },
+    fail => { verify_SSL => 1 },
+    default_should_yield => '',
+});
+
+test_ssl('https://mozilla-modern.badssl.com/' => {
+    host => 'mozilla-modern.badssl.com',
+    pass => { verify_SSL => 1 },
+    fail => { verify_SSL => 1, SSL_options => { SSL_ca_file => "t/snake-oil.crt" } },
+    default_should_yield => '1',
+});
+
+{
+    local $ENV{PERL_HTTP_TINY_INSECURE} = 1;
+    test_ssl('https://wrong.host.badssl.com/' => {
+        host => 'wrong.host.badssl.com',
+        pass => { verify_SSL => 1 },
         default_should_yield => '1',
-    },
-    'https://spinrite.com/' => {
-        host => 'spinrite.com',
-        pass => { SSL_verifycn_scheme => 'none', SSL_verifycn_name => 'spinrite.com', SSL_verify_mode => 0x00 },
-        fail => { SSL_verifycn_scheme => 'http', SSL_verifycn_name => 'spinrite.com', SSL_verify_mode => 0x01, SSL_ca_file => Mozilla::CA::SSL_ca_file() },
-        default_should_yield => '',
-    }
-};
-plan tests => 1+ scalar keys %$data;
+    });
+}
+
+test_ssl('https://wrong.host.badssl.com/' => {
+    host => 'wrong.host.badssl.com',
+    fail => { verify_SSL => 1 },
+    default_should_yield => '',
+});
+
 
 subtest "can_ssl" => sub {
     ok( HTTP::Tiny->can_ssl, "class method" );
@@ -69,8 +92,10 @@ subtest "can_ssl" => sub {
     like( $why, qr/not found or not readable/, "failure reason" );
 };
 
+done_testing();
 
-while (my ($url, $data) = each %$data) {
+sub test_ssl {
+    my ($url, $data) = @_;
     subtest $url => sub {
         plan 'skip_all' => 'Internet connection timed out'
             unless IO::Socket::INET->new(
@@ -90,21 +115,25 @@ while (my ($url, $data) = each %$data) {
             };
 
         # force validation to succeed
-        my $pass = HTTP::Tiny->new( SSL_options => $data->{pass} )->get($url);
-        isnt $pass->{status}, '599', "Request to $url completed (forced pass)"
-            or do {
-                $pass->{content} =~ s{\n.*}{}s;
-                diag explain $pass
-            };
-        ok $pass->{content}, 'Got some content';
+        if ($data->{pass}) {
+            my $pass = HTTP::Tiny->new( %{$data->{pass}} )->get($url);
+            isnt $pass->{status}, '599', "Request to $url completed (forced pass)"
+              or do {
+                  $pass->{content} =~ s{\n.*}{}s;
+                  diag explain $pass
+              };
+            ok $pass->{content}, 'Got some content';
+        }
 
         # force validation to fail
-        my $fail = HTTP::Tiny->new( SSL_options => $data->{fail} )->get($url);
-        is $fail->{status}, '599', "Request to $url failed (forced fail)"
-            or do {
-                $fail->{content} =~ s{\n.*}{}s;
-                diag explain [IO::Socket::SSL::errstr(), $fail]
-            };
-        ok $fail->{content}, 'Got some content';
+        if ($data->{fail}) {
+            my $fail = HTTP::Tiny->new( %{$data->{fail}} )->get($url);
+            is $fail->{status}, '599', "Request to $url failed (forced fail)"
+              or do {
+                  $fail->{content} =~ s{\n.*}{}s;
+                  diag explain [IO::Socket::SSL::errstr(), $fail]
+              };
+            ok $fail->{content}, 'Got some content';
+        }
     };
 }
diff --git a/t/snake-oil.crt b/t/snake-oil.crt
@@ -0,0 +1,33 @@
+Generated with:
+
+   openssl req -new -newkey rsa:4096 -x509 -new -nodes -sha256 -days 7300 -keyout /dev/null -out snake-oil.crt -subj '/CN=snake.oil/'
+
+-----BEGIN CERTIFICATE-----
+MIIFCTCCAvGgAwIBAgIUUUWe96AgoaW3pyYxlJfMxUMA6bgwDQYJKoZIhvcNAQEL
+BQAwFDESMBAGA1UEAwwJc25ha2Uub2lsMB4XDTIzMDUyMTE1NDkxMVoXDTQzMDUx
+NjE1NDkxMVowFDESMBAGA1UEAwwJc25ha2Uub2lsMIICIjANBgkqhkiG9w0BAQEF
+AAOCAg8AMIICCgKCAgEAnScXg4MGa6CmCFOYzr8ggzqsDAR0CoVdOaqQ6XtRoRcP
+PzptoqHDFtr4NqWwmeWAGIcey6CKFZXsm9LvPly/VUDDjctYZig3UoLaoQpygwae
+2BgslsfuhwomxXuinatF6bo1vz+EaRpASJyHOBOp3Yvh2cLSXmD+YuTU8rci1IG/
+FFmjsrftPsxKFZiI9meAtsGayQGdUIBsEvawhs5y7TDcblPfbBM21sg3touTrfzZ
+Yk9dXd7hX3uq5ZX4H9BWcqeGux3speYC2STClnGMl8DqGdAV4XssbFCVqIhvmzrW
+L6Ce9vt0x/gxQQB4EYJlvECSqm7IiwO85I8XJ04EzmVU4e2+c1B7WS/swhGLr8JJ
+4yk/gbCe98ErU3ccnXPzZznNQXTt2iAQLqa5zNDmxjzyZXhDA1nijg2cJb1RnQVu
+m5YrUXOXt9b5664nLCVUf0s/yMqPbcIUA3puAPS6BgDEExnYL48rmTT1gazMO6S5
+ZwpycEVkwYUFj364vIHJvQO0xB54dqNul9kMLUwPLmP9H6nBIsGgJhZCAp+WDEzp
+Y4eqp0drTlJlpfjd/QOaOsKZgwrqiD0yh35bj43zcVHKaFYGLcS8M1+XlbYNYx90
+w7+GpbY+MebCYF//dXAFXzORxdA1XZ30I7CAxAVK5l5cokrMIHJ01kkzYEGA1Y0C
+AwEAAaNTMFEwHQYDVR0OBBYEFAyj5N91aOt4TxNEOJ18JUPEBsOyMB8GA1UdIwQY
+MBaAFAyj5N91aOt4TxNEOJ18JUPEBsOyMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZI
+hvcNAQELBQADggIBAHGiT2h0SU2tlFmUQ8CzgJ7JRTg91ltRwEvs/SQ/YN7DdDwt
+dQy/0nMIeFstdDIkdQyjcAUO92msLzd8AniiwAjynxamiQqdA57+rdhp7oEbFgw+
+nF56bG4tiBG1gAIxtY9f2sG/Sqf6UuimxOX43nybG8RdRu8hOh/TQXcj8raa2PMT
+pTdphjMJUKSplHtFpbLFuf5FxklpeAYxYAReMzQhVgTzi7fcz3QhT/l6eqK6G05v
+gi+QsgesMiGdHKiTtx8N70JFZ+8BzJ0CJDI8PR2XZTLbpKxNfk426hTjJBkRULT5
+s7IWuuEO4Bb1p27K2WgHGh0mxFk4POPFmotxupVqzl8g2umcfWLDq0UR3BcRyR3B
+GWZNCcDTVLaAsarbSJoY1L/6j4O0RQdgpOWiENLbEcelGprGLBVe4s/NDA6aUYA+
+2Dll+0tHe6oKI+RCRoDhhiAH7UVIGQdORzcbY3Fxbf1OlFdpOyXLI751b1DjSYRu
+9cVFXZIBRTTiEvGbUfoDEXDmKxpWHkGRel2864FBodcwGv7yW6mC3o6vpOqQFcW7
+MjJsFhtVj8PdPmue+ye766PeH45ydDD01nr1I92w6E1C0pEEqRNEpoOGgORyNgit
+EZag4DlWFs5MFdlj32haztRgi2dhVuJxlzx4lAmvOoqvGVQVIicN1JSlikBk
+-----END CERTIFICATE-----