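#!/usr/bin/perl
#
# Verify that the `refresh_certs` command makes memcached reload its TLS
# certificate and key from disk: connections opened after the refresh must
# present the new certificate, a connection established before it keeps the
# certificate it handshook with, and time_since_server_cert_refresh is reset.
#
# The test swaps the certificate files in place and restores them afterwards.
# An END block performs the same restore if the script dies part-way through,
# so a failure here does not leave the shared test certificates replaced.

use strict;
use warnings;
use File::Copy;
use Test::More;
use FindBin qw($Bin);
use lib "$Bin/lib";
use MemcachedTest;

if (!enabled_tls_testing()) {
    plan skip_all => 'SSL testing is not enabled';
    exit 0;
}

# Certificate paths are relative to the cwd, unlike the $Bin-based lib path.
my $ca_cert = "t/" . MemcachedTest::CA_CRT;
my $cert    = "t/" . MemcachedTest::SRV_CRT;
my $key     = "t/" . MemcachedTest::SRV_KEY;

# Where the original files are kept while the replacement is in place.
my $ca_cert_back = "t/ca_cert_back";
my $cert_back    = "t/cert_back";
my $key_back     = "t/pkey_back";

# One PEM file used as replacement CA cert, server cert and key alike.
my $new_cert_key = "t/server.pem";

# OU of the certificate memcached starts with, and of the replacement.
my $default_crt_ou = "OU=Subunit of Test Organization";
my $new_crt_ou     = 'OU=FOR TESTING PURPOSES ONLY';

# Return the "OU=..." component of a dumped peer certificate, or undef when
# none is present.  The capture is copied out of the match so an assertion
# can never pick up a stale $1 left over from an earlier successful match
# (which would let a failed match pass as the previous certificate).
sub peer_cert_ou {
    my ($details) = @_;
    my ($ou) = defined $details ? $details =~ m{(OU=[^/\n]*)} : ();
    return $ou;
}

# Put the original certificate files back from their backups.  Only files
# whose backup still exists are touched, so this is safe to call when the
# swap never happened or has already been undone.
sub restore_certs {
    my @pairs = (
        [ $ca_cert_back, $ca_cert, 'CA cert' ],
        [ $cert_back,    $cert,    'Cert' ],
        [ $key_back,     $key,     'Key' ],
    );
    for my $pair (@pairs) {
        my ($back, $orig, $label) = @$pair;
        # $back is undef when we exit before the declarations above ran.
        next unless defined $back && -e $back;
        move($back, $orig) or die "$label restore failed: $!";
    }
    return;
}

# Runs on any exit, including a die() between the swap and the restore.
END { restore_certs(); }

my $server = new_memcached("-o ssl_ca_cert=$ca_cert");
my $stats  = mem_stats($server->sock);
my $sock   = $server->sock;

# This connection should return the default server certificate
# memcached was started with.
is(peer_cert_ou($sock->dump_peer_certificate()), $default_crt_ou,
   'Got the default cert');

# Swap in the new certificate and key, keeping backups of the originals.
copy($ca_cert, $ca_cert_back) or die "CA cert backup failed: $!";
copy($cert, $cert_back)       or die "Cert backup failed: $!";
copy($key, $key_back)         or die "Key backup failed: $!";
copy($new_cert_key, $ca_cert) or die "New CA cert copy failed: $!";
copy($new_cert_key, $cert)    or die "New Cert copy failed: $!";
copy($new_cert_key, $key)     or die "New key copy failed: $!";

# Ask server to refresh certificates
print $sock "refresh_certs\r\n";
is(scalar <$sock>, "OK\r\n", "refreshed certificates");

# New connections should use the new certificate
is(peer_cert_ou($server->new_sock->dump_peer_certificate()), $new_crt_ou,
   'Got the new cert');

# The old connection keeps the certificate it handshook with; a refresh only
# affects connections established after it.
is(peer_cert_ou($sock->dump_peer_certificate()), $default_crt_ou,
   'Old connection still has the old cert');

# Just sleep a while to test the time_since_server_cert_refresh as it's counted
# in seconds.
sleep 2;
$stats = mem_stats($sock);

# Restore and ensure previous certificate is back for new connections.
restore_certs();
print $sock "refresh_certs\r\n";
is(scalar <$sock>, "OK\r\n", "refreshed certificates");

is(peer_cert_ou($server->new_sock->dump_peer_certificate()), $default_crt_ou,
   'Got the old cert back');

my $stats_after = mem_stats($sock);

# We should see last refresh time is reset; hence the new
# time_since_server_cert_refresh should be less.
cmp_ok($stats_after->{time_since_server_cert_refresh}, '<',
       $stats->{time_since_server_cert_refresh}, 'Certs refreshed');

done_testing();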