SSL cache part 2 #9
Conversation
|
|
||
| like(http_get('/enc/?cert=e'), qr/CN=e.example.com/, 'encrypted'); | ||
|
|
||
| # encrypted certificate keys should not spill to the parent cache context |
There was a problem hiding this comment.
The comment no longer reflects what's being verified here. We don't cache the encrypted keys, so there's nothing to leak to another cache context. All the test checks now is that ssl_password_file effect is restricted to the context where it is been set.
| my ($t, $old, $new) = @_; | ||
|
|
||
| for my $ext ("crt", "key") { | ||
| unlink "$d/$old.$ext"; |
There was a problem hiding this comment.
Depending on the filesystem implementation, a combination of unlink + write_file may result in reusing the same inode. This is consistently reproducible on Solaris with zfs (both 11.4 CBE and Illumos), but doesn't seem to affect any other of my test systems.
# update /tmp/nginx-test-_KNG2zuMeT/2.example.com.crt: ino 82596160 -> 82596160, mtime 1732479699 -> 1732479699
# update /tmp/nginx-test-_KNG2zuMeT/2.example.com.key: ino 81748352 -> 81748352, mtime 1732479699 -> 1732479699
...
not ok 11 - certificate 2 expired # Failed test 'certificate 2 expired'
# at tests/ssl_certificate_cache.t line 117.
# 'Subject Name: /CN=2.example.com
# Issuer Name: /CN=2.example.com
# '
# doesn't match '(?^:CN=dummy)'
Consider implementing $new branch as write_file($old.$ext.tmp) + rename, just like update_metadata in the other test.
|
|
||
| daemon off; | ||
|
|
||
| ssl_object_cache_inherit on; |
There was a problem hiding this comment.
"inheritable", following the changes in the nginx PR
No description provided.