Compare revisions

9db0d23f · 3c4a7183 · 3c4a7183 · 3c4a7183 · 3c4a7183 · 3c4a7183
--- a/t/certs/voms_example.key.pem
+++ b/t/certs/voms_example.key.pem
-----BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEAvH/I2h4Nk1C0mCIaL60j9JIrcpESm+/ho6KmAwS9x8J/eFF4
-/ZQG06ro3VaPHdUdpUk/TLJM0T5pLGDAj18PfG2ky1gMbt4zamwyEbvT4U0DE7Uf
-mTUdH6+0e9q2G1p2dlQE8+jXYGvGVdnUEut78j3f7J7a1N8Qr+7cnZbHFIxgFtiS
-yimM3/dPj4ungAHn93pPPDJCr84u+Bp7vLXrIKfVKMGk01TT3MDclnvECcWfL8jb
-c2EB5C6XuQVkGtx2CQnrr75sR7lbQYbBUcD+ZSMrlKywgUaZmsKebwtiAzTTW7Xb
-56w4DjFj7YEfbrxBZYmxjS9f+oraiKz4yz/rKwIDAQABAoIBACXvPXeP1sGP21hG
-fKidmn/Mrsu2oF0bcHhi8i/nU14RKWAIXWYC1UDhw01P7ytcyUOLMx73PvhZLAdP
-TVFNGyu6URDPHmltdEF1lrn059YOjpD3wW0uwDaxQIwwXrewg+iaTgjcEgQIjHiY
-htJr65y7kQXojjeK0KvnUSSxxEzA/uWeyQi/+ZFzPRfrj5o0uwo+qnwwiYn8FSVl
-9S/MPiAXZcvQTojEu5kbH/0iRUwhDzcmtj8O1M3idhMl1G/WtdU2zHsR6p78HuZK
-uZu9JRnSh1K8wiDdT+8TIitvBuv87fVFJg54pbO+Sa6tsfm4q9Vf21DyY7ZVRoie
-Y6IPz8ECgYEA3c8NuLLKCFvU55lZkNWl0ixicD3w4o1k2at9FKYsboPJ9BUIYpVO
-vqSflUKATENNfkoWmT4iTbNq8VJxnLNn1y33uB9ztQIn99Do0YeERSW0JExb363r
-dJNlirxovoXvUT6kGHqFWIJyxXkh6wEZ4gqne94ujtqj9KHWczbpw4sCgYEA2Y5G
-1L49361df9VDblhxS60hNmtNC9h3XTqKwfOXLCHG61JMxNUChhKikUuDsvfmXwta
-dX51WJSL56pDHlk0prLrMWli4zLhiPiXknUIFiUt07lbzfDZ0aehr9xOFM4oBnyV
-oR3eBhE/YJ1W3Xt2DGUySE09eukHoEeZURrq6uECgYAqKDhLam/Ltuh4PEUxqemi
-UJ1FCADIjmckl9tmGU9IkfPIWFcHpakZwuAx1jncRM5tulchORX7/qXMyAaf6dlK
-pIn4jMHJHWfLSgF2EXOqUMg0Pe8YTE38EieyfqzJyVr67hTyMhc2A1UdAzDXIZZx
-x+SdPlVLAXM4A6pmq4EykQKBgQCLq+9HiDe7Edd0SZu4DSn3ltg60tqtHzVK8lnB
-OT01xR2rWLQWrlancvFR7LRJwyPwox5ZTm3SB9RmUAY1Rropx7Z9i5ZEHRd003yk
-N2SQqx/nzRnmdpmxIzkH6Z1reAt0VqnNvZocNRiGU51AJpJcVN/aUVSGQ3N08GK7
-Elf9oQKBgGKL4eCjoLp9Kuvp+UXeKeeTSR2rTSOh36ZjtxDLOhdAj5mXSFj2nvLx
-j2YNCkuU0Y25Vbpt/go7DFRnbZmKucpyUJNC49m3YD4zq0CVMX4BOUkkg3rJjMhP
-Ce3aEfVwC9rF9sFHp5pHTBm6HCBCZikVtpYjn05rUtLYiYcSia88
-----END RSA PRIVATE KEY-----
--- a/t/conf.d/ephemeral_ca.conf
+++ b/t/conf.d/ephemeral_ca.conf
+[ ephemeral_ca ]
+dir                    = ${ENV::CA_NAME}
+certs                  = $dir/certs
+database               = $dir/index.txt
+serial                 = $dir/serial
+certificate            = $dir/ca.crt
+private_key            = $dir/private/ca.key
+default_crl_days       = 30
+default_md             = sha512
+[ ephemeral_ca_cert ]
+default_bits           = 2048
+default_keyfile        = ${ENV::CA_NAME}/private/ca.key
+distinguished_name     = ${ENV::CA_NAME}_dn
+prompt                 = no
+encrypt_key            = no
+default_md             = sha512
+x509_extensions        = ${ENV::CA_NAME}_extensions
+[ ephemeral_ca_dn ]
+C                      = IT
+O                      = IGI
+CN                     = Ephemeral CA
+[ ephemeral_ca_extensions ]
+subjectKeyIdentifier   = hash
+authorityKeyIdentifier = keyid:always, issuer:always
+basicConstraints       = critical, CA:true
+keyUsage               = critical, cRLSign, keyCertSign
--- a/t/conf.d/expired.conf
+++ b/t/conf.d/expired.conf
+[ expired ]
+default_bits           = 2048
+default_keyfile        = ${ENV::CA_NAME}/certs/expired.key.pem
+distinguished_name     = expired_dn
+prompt                 = no
+output_password        = pass
+default_md             = sha512
+x509_extensions        = expired_extensions
+[ expired_dn ]
+C                      = IT
+O                      = IGI
+CN                     = Expired
+[ expired_extensions ]
+basicConstraints       = critical,CA:FALSE
+subjectKeyIdentifier   = hash
+keyUsage               = critical, nonRepudiation, digitalSignature, keyEncipherment
+authorityKeyIdentifier = keyid, issuer
+subjectAltName         = email:expired@cnaf.infn.it
--- a/t/conf.d/igi_test_ca.conf
+++ b/t/conf.d/igi_test_ca.conf
+[ igi_test_ca ]
+dir                    = ${ENV::CA_NAME}
+certs                  = $dir/certs
+database               = $dir/index.txt
+serial                 = $dir/serial
+certificate            = $dir/ca.crt
+private_key            = $dir/private/ca.key
+default_crl_days       = 30
+default_md             = sha512
+[ igi_test_ca_cert ]
+default_bits           = 2048
+default_keyfile        = ${ENV::CA_NAME}/private/ca.key
+distinguished_name     = ${ENV::CA_NAME}_dn
+prompt                 = no
+encrypt_key            = no
+default_md             = sha512
+x509_extensions        = ${ENV::CA_NAME}_extensions
+[ igi_test_ca_dn ]
+C                      = IT
+O                      = IGI
+CN                     = Test CA
+[ igi_test_ca_extensions ]
+subjectKeyIdentifier   = hash
+authorityKeyIdentifier = keyid:always, issuer:always
+basicConstraints       = critical, CA:true
+keyUsage               = critical, cRLSign, keyCertSign
--- a/t/conf.d/igi_test_ca2.conf
+++ b/t/conf.d/igi_test_ca2.conf
+[ igi_test_ca2 ]
+dir                    = ${ENV::CA_NAME}
+certs                  = $dir/certs
+database               = $dir/index.txt
+serial                 = $dir/serial
+certificate            = $dir/ca.crt
+private_key            = $dir/private/ca.key
+default_crl_days       = 30
+default_md             = sha512
+[ igi_test_ca2_cert ]
+default_bits           = 2048
+default_keyfile        = ${ENV::CA_NAME}/private/ca.key
+distinguished_name     = ${ENV::CA_NAME}_dn
+prompt                 = no
+encrypt_key            = no
+default_md             = sha512
+x509_extensions        = ${ENV::CA_NAME}_extensions
+[ igi_test_ca2_dn ]
+C                      = IT
+O                      = IGI
+CN                     = Test CA 2
+[ igi_test_ca2_extensions ]
+subjectKeyIdentifier   = hash
+authorityKeyIdentifier = keyid:always, issuer:always
+basicConstraints       = critical, CA:true
+keyUsage               = critical, cRLSign, keyCertSign
--- a/t/conf.d/revoked.conf
+++ b/t/conf.d/revoked.conf
+[ revoked ]
+default_bits           = 2048
+default_keyfile        = ${ENV::CA_NAME}/certs/revoked.key.pem
+distinguished_name     = revoked_dn
+prompt                 = no
+output_password        = pass
+default_md             = sha512
+x509_extensions        = revoked_extensions
+[ revoked_dn ]
+C                      = IT
+O                      = IGI
+CN                     = Revoked
+[ revoked_extensions ]
+basicConstraints       = critical,CA:FALSE
+subjectKeyIdentifier   = hash
+keyUsage               = critical, nonRepudiation, digitalSignature, keyEncipherment
+authorityKeyIdentifier = keyid, issuer
+subjectAltName         = email:revoked@cnaf.infn.it
--- a/t/conf.d/star_test_example.conf
+++ b/t/conf.d/star_test_example.conf
+[ star_test_example ]
+default_bits           = 2048
+default_keyfile        = ${ENV::CA_NAME}/certs/star_test_example.key.pem
+distinguished_name     = star_test_example_dn
+prompt                 = no
+encrypt_key            = no
+default_md             = sha512
+x509_extensions        = star_test_example_extensions
+[ star_test_example_dn ]
+C                      = IT
+O                      = IGI
+CN                     = *.test.example
+[ star_test_example_extensions ]
+basicConstraints       = critical,CA:FALSE
+subjectKeyIdentifier   = hash
+keyUsage               = critical, digitalSignature
+extendedKeyUsage       = serverAuth, clientAuth
+authorityKeyIdentifier = keyid, issuer
+subjectAltName         = DNS:*.test.example
--- a/t/conf.d/test0.conf
+++ b/t/conf.d/test0.conf
+[ test0 ]
+default_bits           = 2048
+default_keyfile        = ${ENV::CA_NAME}/certs/test0.key.pem
+distinguished_name     = test0_dn
+prompt                 = no
+encrypt_key            = no
+default_md             = sha512
+x509_extensions        = test0_extensions
+[ test0_dn ]
+C                      = IT
+O                      = IGI
+CN                     = Test0
+[ test0_extensions ]
+basicConstraints       = critical,CA:FALSE
+subjectKeyIdentifier   = hash
+keyUsage               = critical, nonRepudiation, digitalSignature, keyEncipherment
+authorityKeyIdentifier = keyid, issuer
+subjectAltName         = email:test0@cnaf.infn.it
--- a/t/conf.d/test1.conf
+++ b/t/conf.d/test1.conf
+[ test1 ]
+default_bits           = 2048
+default_keyfile        = ${ENV::CA_NAME}/certs/test1.key.pem
+distinguished_name     = test1_dn
+prompt                 = no
+encrypt_key            = no
+default_md             = sha512
+x509_extensions        = test1_extensions
+[ test1_dn ]
+C                      = IT
+O                      = IGI
+CN                     = Test1
+[ test1_extensions ]
+basicConstraints       = critical,CA:FALSE
+subjectKeyIdentifier   = hash
+keyUsage               = critical, nonRepudiation, digitalSignature, keyEncipherment
+authorityKeyIdentifier = keyid, issuer
+subjectAltName         = email:test1@cnaf.infn.it
--- a/t/conf.d/untrusted_voms.conf
+++ b/t/conf.d/untrusted_voms.conf
+[ untrusted_voms ]
+default_bits           = 2048
+default_keyfile        = ${ENV::CA_NAME}/certs/untrusted_voms.key.pem
+distinguished_name     = untrusted_voms_dn
+prompt                 = no
+encrypt_key            = no
+default_md             = sha512
+x509_extensions        = untrusted_voms_extensions
+[ untrusted_voms_dn ]
+C                      = IT
+O                      = IGI
+CN                     = untrusted-voms.example
+[ untrusted_voms_extensions ]
+basicConstraints       = critical,CA:FALSE
+subjectKeyIdentifier   = hash
+keyUsage               = critical, digitalSignature
+extendedKeyUsage       = serverAuth, clientAuth
+authorityKeyIdentifier = keyid, issuer
+subjectAltName         = DNS:untrusted-voms.example
--- a/t/eec_cert1.t
+++ b/t/eec_cert1.t
+use Test::Nginx::Socket 'no_plan';
+run_tests();
+__DATA__
+=== TEST 1: RFC proxy certificate, no AC
+--- main_config
+    env X509_VOMS_DIR=t/vomsdir;
+    env X509_CERT_DIR=t/trust-anchors;
+    load_module /etc/nginx/modules/ngx_http_voms_module.so;
+--- http_config
+    client_body_temp_path /tmp/client_temp;
+    proxy_temp_path       /tmp/proxy_temp_path;
+    fastcgi_temp_path     /tmp/fastcgi_temp;
+    uwsgi_temp_path       /tmp/uwsgi_temp;
+    scgi_temp_path        /tmp/scgi_temp;	
+    server {
+        error_log logs/error.log debug;
+        listen 8443 ssl;
+        ssl_certificate ../../certs/star_test_example.cert.pem;
+        ssl_certificate_key ../../certs/star_test_example.key.pem;
+        ssl_client_certificate ../../trust-anchors/igi_test_ca.pem;
+        ssl_verify_depth 10;
+        ssl_verify_client on;
+	location = / {
+            default_type text/plain;
+            return 200 "$ssl_client_ee_s_dn\n$ssl_client_ee_i_dn\n$ssl_client_s_dn\n$ssl_client_i_dn\n";
+        }
+    }
+--- config
+    location = / {
+        error_log logs/error-proxy.log debug;
+        proxy_pass https://localhost:8443/;
+        proxy_ssl_certificate ../../certs/0.cert.pem;
+        proxy_ssl_certificate_key ../../certs/0.key.pem;
+    }
+--- request
+GET / 
+--- response_body eval
+my $ee_s = `openssl x509 -in t/certs/test0.cert.pem -noout -subject -nameopt RFC2253` =~ s/^subject=//r;
+my $ee_i = `openssl x509 -in t/certs/test0.cert.pem -noout -issuer -nameopt RFC2253` =~ s/^issuer=//r;
+my $pr_s = `openssl x509 -in t/certs/0.cert.pem -noout -subject -nameopt RFC2253` =~ s/^subject=//r;
+my $pr_i = `openssl x509 -in t/certs/0.cert.pem -noout -issuer -nameopt RFC2253` =~ s/^issuer=//r;
+"$ee_s$ee_i$pr_s$pr_i";
+--- error_code: 200
--- a/t/eec_chain.t
+++ b/t/eec_chain.t
+use Test::Nginx::Socket 'no_plan';
+run_tests();
+__DATA__
+=== TEST 1: EEC chain containing CA certificate
+--- main_config
+    env X509_VOMS_DIR=t/vomsdir;
+    env X509_CERT_DIR=t/trust-anchors;
+	load_module /etc/nginx/modules/ngx_http_voms_module.so;
+--- http_config
+    client_body_temp_path /tmp/client_temp;
+    proxy_temp_path       /tmp/proxy_temp_path;
+    fastcgi_temp_path     /tmp/fastcgi_temp;
+    uwsgi_temp_path       /tmp/uwsgi_temp;
+    scgi_temp_path        /tmp/scgi_temp;
+    server {
+        error_log logs/error.log debug;
+        listen 8443 ssl;
+        ssl_certificate ../../certs/star_test_example.cert.pem;
+        ssl_certificate_key ../../certs/star_test_example.key.pem;
+        ssl_client_certificate ../../trust-anchors/igi_test_ca.pem;
+        ssl_verify_depth 10;
+        ssl_verify_client on;
+	    location = / {
+            default_type text/plain;
+			return 200 "$ssl_client_ee_s_dn\n";
+        }
+    }
+--- config
+    location = / {
+        error_log logs/error-proxy.log debug;
+        proxy_pass https://localhost:8443/;
+        proxy_ssl_certificate ../../certs/test0+ca.pem;
+        proxy_ssl_certificate_key ../../certs/test0.key.pem;
+    }
+--- request
+GET /
+--- response_body eval
+`openssl x509 -in t/certs/test0.cert.pem -noout -subject -nameopt RFC2253` =~ s/^subject=//r;
+--- error_code: 200
--- a/t/eec_subject2.t
+++ b/t/eec_subject2.t
+use Test::Nginx::Socket 'no_plan';
+run_tests();
+__DATA__
+=== TEST 1: End-entity X.509 certificate 
+--- main_config
+    env X509_VOMS_DIR=t/vomsdir;
+    env X509_CERT_DIR=t/trust-anchors;
+    load_module /etc/nginx/modules/ngx_http_voms_module.so;
+--- http_config
+    client_body_temp_path /tmp/client_temp;
+    proxy_temp_path       /tmp/proxy_temp_path;
+    fastcgi_temp_path     /tmp/fastcgi_temp;
+    uwsgi_temp_path       /tmp/uwsgi_temp;
+    scgi_temp_path        /tmp/scgi_temp;
+    server {
+        error_log logs/error.log debug;
+        listen 8443 ssl;
+        ssl_certificate ../../certs/star_test_example.cert.pem;
+        ssl_certificate_key ../../certs/star_test_example.key.pem;
+        ssl_client_certificate ../../trust-anchors/igi_test_ca.pem;
+        ssl_verify_depth 10;
+        ssl_verify_client on;
+        location = / {
+            default_type text/plain;
+            return 200 "$ssl_client_ee_s_dn\n$ssl_client_s_dn\n$ssl_client_ee_i_dn\n$ssl_client_i_dn\n";
+        }
+    }
+--- config
+    location = / {
+        error_log logs/error-proxy.log debug;
+        proxy_pass https://localhost:8443/;
+        proxy_ssl_certificate ../../certs/test0.cert.pem;
+        proxy_ssl_certificate_key ../../certs/test0.key.pem;
+    }
+--- request
+GET / 
+--- response_body eval
+my $c_s = `openssl x509 -in t/certs/test0.cert.pem -noout -subject -nameopt RFC2253` =~ s/^subject=//r;
+my $c_i = `openssl x509 -in t/certs/test0.cert.pem -noout -issuer -nameopt RFC2253` =~ s/^issuer=//r;
+"$c_s$c_s$c_i$c_i";
+--- error_code: 200
--- a/t/eec_subject3.t
+++ b/t/eec_subject3.t
+use Test::Nginx::Socket 'no_plan';
+run_tests();
+__DATA__
+=== TEST 1: three delegations proxy
+--- main_config
+    env X509_VOMS_DIR=t/vomsdir;
+    env X509_CERT_DIR=t/trust-anchors;
+    load_module /etc/nginx/modules/ngx_http_voms_module.so;
+--- http_config
+    client_body_temp_path /tmp/client_temp;
+    proxy_temp_path       /tmp/proxy_temp_path;
+    fastcgi_temp_path     /tmp/fastcgi_temp;
+    uwsgi_temp_path       /tmp/uwsgi_temp;
+    scgi_temp_path        /tmp/scgi_temp;
+    server {
+        error_log logs/error.log debug;
+        listen 8443 ssl;
+        ssl_certificate ../../certs/star_test_example.cert.pem;
+        ssl_certificate_key ../../certs/star_test_example.key.pem;
+        ssl_client_certificate ../../trust-anchors/igi_test_ca.pem;
+        ssl_verify_depth 10;
+        ssl_verify_client on;
+	location = / {
+            default_type text/plain;
+            return 200 "$ssl_client_ee_s_dn\n$ssl_client_ee_i_dn\n";
+        }
+    }
+--- config
+    location = / {
+        error_log logs/error-proxy.log debug;
+        proxy_pass https://localhost:8443/;
+        proxy_ssl_certificate ../../certs/6.cert.pem;
+        proxy_ssl_certificate_key ../../certs/6.key.pem;
+    }
+--- request
+GET / 
+--- response_body eval
+my $c_s = `openssl x509 -in t/certs/test0.cert.pem -noout -subject -nameopt RFC2253` =~ s/^subject=//r;
+my $c_i = `openssl x509 -in t/certs/test0.cert.pem -noout -issuer -nameopt RFC2253` =~ s/^issuer=//r;
+"$c_s$c_i";
+--- error_code: 200
--- a/t/encoding.t
+++ b/t/encoding.t
+use Test::Nginx::Socket 'no_plan';
+run_tests();
+__DATA__
+=== TEST 1: valid AC, verification of VOMS generic attributes encoding
+--- main_config
+    env X509_VOMS_DIR=t/vomsdir;
+    env X509_CERT_DIR=t/trust-anchors;
+    load_module /etc/nginx/modules/ngx_http_voms_module.so;
+--- http_config
+    client_body_temp_path /tmp/client_temp;
+    proxy_temp_path       /tmp/proxy_temp_path;
+    fastcgi_temp_path     /tmp/fastcgi_temp;
+    uwsgi_temp_path       /tmp/uwsgi_temp;
+    scgi_temp_path        /tmp/scgi_temp;
+    server {
+        error_log logs/error.log debug;
+        listen 8443 ssl;
+        ssl_certificate ../../certs/star_test_example.cert.pem;
+        ssl_certificate_key ../../certs/star_test_example.key.pem;
+        ssl_client_certificate ../../trust-anchors/igi_test_ca.pem;
+        ssl_verify_depth 10;
+        ssl_verify_client on;
+        location = / {
+            default_type text/plain;
+            return 200 "$voms_generic_attributes\n";
+        }
+    }
+--- config
+    location = / {
+        error_log logs/error-proxy.log debug;
+        proxy_pass https://localhost:8443/;
+        proxy_ssl_certificate ../../certs/4.cert.pem;
+        proxy_ssl_certificate_key ../../certs/4.key.pem;
+    }
+--- request
+GET / 
+--- response_body
+n=nickname v=sd q=test.vo,n=title v=assegnista%25di%25ricerca%40CNAF q=test.vo
+--- error_code: 200
--- a/t/expired_proxy.t
+++ b/t/expired_proxy.t
@@ -7,23 +7,29 @@ __DATA__
 === TEST 1: https with x509 client authentication, expired client certificate
 --- main_config
-    env OPENSSL_ALLOW_PROXY_CERTS=1; 
+    load_module /etc/nginx/modules/ngx_http_voms_module.so;
 --- http_config
+    client_body_temp_path /tmp/client_temp;
+    proxy_temp_path       /tmp/proxy_temp_path;
+    fastcgi_temp_path     /tmp/fastcgi_temp;
+    uwsgi_temp_path       /tmp/uwsgi_temp;
+    scgi_temp_path        /tmp/scgi_temp;
    server {
        error_log logs/error.log debug;
        listen 8443 ssl;
-        ssl_certificate ../../certs/nginx_voms_example.cert.pem;
+        ssl_certificate ../../certs/star_test_example.cert.pem;
-        ssl_certificate_key ../../certs/nginx_voms_example.key.pem;
+        ssl_certificate_key ../../certs/star_test_example.key.pem;
-        ssl_client_certificate ../../trust-anchors/igi-test-ca.pem;
+        ssl_client_certificate ../../trust-anchors/igi_test_ca.pem;
        ssl_verify_depth 10;
        ssl_verify_client on;
-	location = / {
+        location = / {
            default_type text/plain;
-            echo $ssl_client_s_dn;
+            return 200 "$ssl_client_s_dn\n";
        }
    }
 --- config
    location = / {
+        error_log logs/error-proxy.log debug;
        proxy_pass https://localhost:8443/;
        proxy_ssl_certificate ../../certs/2.cert.pem;
        proxy_ssl_certificate_key ../../certs/2.key.pem;

--- a/t/expired_ac_proxy.t
+++ b/t/expired_ac_proxy.t
@@ -7,32 +7,37 @@ __DATA__
 === TEST 1: https with x509 client authentication, valid proxy certificate with expired VOMS attributes 
 --- main_config
-    env OPENSSL_ALLOW_PROXY_CERTS=1;
    env X509_VOMS_DIR=t/vomsdir;
    env X509_CERT_DIR=t/trust-anchors;
+    load_module /etc/nginx/modules/ngx_http_voms_module.so;
 --- http_config
+    client_body_temp_path /tmp/client_temp;
+    proxy_temp_path       /tmp/proxy_temp_path;
+    fastcgi_temp_path     /tmp/fastcgi_temp;
+    uwsgi_temp_path       /tmp/uwsgi_temp;
+    scgi_temp_path        /tmp/scgi_temp;
    server {
        error_log logs/error.log debug;
        listen 8443 ssl;
-        ssl_certificate ../../certs/nginx_voms_example.cert.pem;
+        ssl_certificate ../../certs/star_test_example.cert.pem;
-        ssl_certificate_key ../../certs/nginx_voms_example.key.pem;
+        ssl_certificate_key ../../certs/star_test_example.key.pem;
-        ssl_client_certificate ../../trust-anchors/igi-test-ca.pem;
+        ssl_client_certificate ../../trust-anchors/igi_test_ca.pem;
        ssl_verify_depth 10;
        ssl_verify_client on;
-	location = / {
+        location = / {
            default_type text/plain;
-            echo $voms_fqans;
+            return 200 "$voms_fqans\n$voms_user\n";
-            echo $voms_user;
        }
    }
 --- config
-    location = / {
+    location = / { 
+        error_log logs/error-proxy.log debug;
        proxy_pass https://localhost:8443/;
        proxy_ssl_certificate ../../certs/1.cert.pem;
        proxy_ssl_certificate_key ../../certs/1.key.pem;
    }
 --- request
-GET / 
+GET /
 --- response_body_like eval
 qr/\n\n/
 --- error_log

--- a/t/empty_voms_proxy.t
+++ b/t/empty_voms_proxy.t
 use Test::Nginx::Socket 'no_plan';
 run_tests();
 __DATA__
-=== TEST 1: https with x509 client authentication, valid proxy certificate with no VOMS attributes 
+=== TEST 1: HTTPS with X.509 client authentication, valid proxy certificate with no VOMS attributes
 --- main_config
-    env OPENSSL_ALLOW_PROXY_CERTS=1; 
    env X509_VOMS_DIR=t/vomsdir;
+    load_module /etc/nginx/modules/ngx_http_voms_module.so;
 --- http_config
+    client_body_temp_path /tmp/client_temp;
+    proxy_temp_path       /tmp/proxy_temp_path;
+    fastcgi_temp_path     /tmp/fastcgi_temp;
+    uwsgi_temp_path       /tmp/uwsgi_temp;
+    scgi_temp_path        /tmp/scgi_temp;
    server {
        error_log logs/error.log debug;
        listen 8443 ssl;
-        ssl_certificate ../../certs/nginx_voms_example.cert.pem;
+        ssl_certificate ../../certs/star_test_example.cert.pem;
-        ssl_certificate_key ../../certs/nginx_voms_example.key.pem;
+        ssl_certificate_key ../../certs/star_test_example.key.pem;
-        ssl_client_certificate ../../trust-anchors/igi-test-ca.pem;
+        ssl_client_certificate ../../trust-anchors/igi_test_ca.pem;
        ssl_verify_depth 10;
        ssl_verify_client on;
-	location = / {
+        location = / {
            default_type text/plain;
-            echo $voms_fqans;
+            return 200 "$voms_fqans\n$voms_user\n";
-            echo $voms_user;
        }
    }
 --- config
    location = / {
+        error_log logs/error-proxy.log debug;
        proxy_pass https://localhost:8443/;
        proxy_ssl_certificate ../../certs/0.cert.pem;
        proxy_ssl_certificate_key ../../certs/0.key.pem;
    }
 --- request
-GET / 
+GET /
 --- response_body_like eval
 qr/\n\n/
 --- error_log

--- a/t/no_ssl.t
+++ b/t/no_ssl.t
+use Test::Nginx::Socket 'no_plan';
+run_tests();
+__DATA__
+=== TEST 1: HTTP connection, no SSL
+--- main_config
+    load_module /etc/nginx/modules/ngx_http_voms_module.so;
+--- http_config
+    client_body_temp_path /tmp/client_temp;
+    proxy_temp_path       /tmp/proxy_temp_path;
+    fastcgi_temp_path     /tmp/fastcgi_temp;
+    uwsgi_temp_path       /tmp/uwsgi_temp;
+    scgi_temp_path        /tmp/scgi_temp;
+    server {
+        error_log logs/error.log debug;
+        listen 8443;
+        location = / {
+            default_type text/plain;
+            return 200 "$voms_user\n";
+        }
+    }
+--- config
+    location = / {
+        error_log logs/error-proxy.log debug;
+        proxy_pass http://localhost:8443/;
+    }
+--- request
+GET /
+--- response_body_like eval
+qr/\n/
+--- error_log
+SSL not enabled
+--- error_code: 200
--- a/t/voms_attributes.t
+++ b/t/voms_attributes.t
 use Test::Nginx::Socket 'no_plan';
 run_tests();
 __DATA__
-=== TEST 1: https with x509 client authentication, verification of valid VOMS attributes extracted by ngx_http_voms_module 
+=== TEST 1: Valid proxy, wrong client trust-anchor
 --- main_config
-    env OPENSSL_ALLOW_PROXY_CERTS=1;
    env X509_VOMS_DIR=t/vomsdir;
    env X509_CERT_DIR=t/trust-anchors;
+    load_module /etc/nginx/modules/ngx_http_voms_module.so;
 --- http_config
+    client_body_temp_path /tmp/client_temp;
+    proxy_temp_path       /tmp/proxy_temp_path;
+    fastcgi_temp_path     /tmp/fastcgi_temp;
+    uwsgi_temp_path       /tmp/uwsgi_temp;
+    scgi_temp_path        /tmp/scgi_temp;
    server {
        error_log logs/error.log debug;
        listen 8443 ssl;
-        ssl_certificate ../../certs/nginx_voms_example.cert.pem;
+        ssl_certificate ../../certs/star_test_example.cert.pem;
-        ssl_certificate_key ../../certs/nginx_voms_example.key.pem;
+        ssl_certificate_key ../../certs/star_test_example.key.pem;
-        ssl_client_certificate ../../trust-anchors/igi-test-ca.pem;
+        ssl_client_certificate ../../trust-anchors/igi_test_ca2.pem;
        ssl_verify_depth 10;
        ssl_verify_client on;
-	location = / {
+        location = / {
            default_type text/plain;
-            echo $voms_fqans;
+            return 200 "$voms_fqans\n";
-            echo $voms_user;
        }
    }
 --- config
    location = / {
+        error_log logs/error-proxy.log debug;
        proxy_pass https://localhost:8443/;
        proxy_ssl_certificate ../../certs/3.cert.pem;
        proxy_ssl_certificate_key ../../certs/3.key.pem;
    }
 --- request
-GET / 
+GET /
--- response_body
+--- error_code: 400
-/test
-/C=IT/O=IGI/CN=test0
--- error_code: 200
No results found