Bugfix: fix NTLS cert check, move sign/enc certficate to upstream

Update to nginx 1.22.1 (alibaba#1719) add reject_handshake, but not fully consider the NTLS. That's okay if no ssl_certificate is configured but ssl_sign_certificate and ssl_enc_certificate are configured when NTLS is enabled. Move sign_certificate, enc_certificate to upstream to adapt to nginx 1.22.1. Rename ngx_openssl_ntls to ngx_tongsuo_ntls. Add test-nginx-ntls CI.
dongbeiouba · Apr 2, 2023 · 900eca9 · 900eca9
1 parent ced71fc
commit 900eca9
Show file tree

Hide file tree

Showing 25 changed files with 295 additions and 202 deletions.
diff --git a/.github/workflows/test-ntls.yml b/.github/workflows/test-ntls.yml
@@ -0,0 +1,63 @@
+name: test tengine ntls
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    branches: [ master ]
+
+jobs:
+  build-and-test:
+    runs-on: "ubuntu-20.04"
+    strategy:
+      fail-fast: false
+      matrix:
+        compiler:
+          - { compiler: GNU,  CC: gcc,  CXX: g++}
+          - { compiler: LLVM, CC: clang, CXX: clang++}
+    steps:
+      - uses: actions/checkout@v3
+        with:
+          path: tengine
+      - name: checkout Tongsuo
+        uses: actions/checkout@v3
+        with:
+          repository: Tongsuo-Project/Tongsuo
+          path: Tongsuo
+      - name: build Tongsuo
+        working-directory: Tongsuo
+        env:
+          CC: ${{ matrix.compiler.CC }}
+        run: |
+          ./config --prefix=${RUNNER_TEMP}/tongsuo enable-ntls no-shared
+          make -s -j4
+          make install_sw
+          make clean
+      - name: build Tengine
+        working-directory: tengine
+        env:
+          CC: ${{ matrix.compiler.CC }}
+          CXX: ${{ matrix.compiler.CXX }}
+        run: |
+          ./configure \
+            --add-module=modules/ngx_tongsuo_ntls \
+            --with-openssl=../Tongsuo \
+            --with-openssl-opt="--api=1.1.1 enable-ntls" \
+            --with-http_ssl_module \
+            --with-stream \
+            --with-stream_ssl_module \
+            --with-stream_sni
+          make -j2
+          sudo make install
+      - name: run test cases
+        working-directory: tengine
+        env:
+          TEST_OPENSSL_BINARY: ${{ runner.temp }}/tongsuo/bin/tongsuo
+          TEST_NGINX_BINARY: /usr/local/nginx/sbin/nginx
+          TEST_NGINX_LEAVE: 1
+        run: |
+          prove -Itests/nginx-tests/nginx-tests/lib/ modules/ngx_tongsuo_ntls/t
+      - name: debug
+        if: ${{ failure() }}
+        run: |
+          for file in `ls /tmp/nginx-test-*/error.log`; do cat $file; done
diff --git a/modules/ngx_openssl_ntls/README.md → modules/ngx_tongsuo_ntls/README.md b/modules/ngx_openssl_ntls/README.md → modules/ngx_tongsuo_ntls/README.md
@@ -16,22 +16,22 @@ git clone https://github.com/alibaba/tengine.git
 
 3. Build Tengine
 
-- Add ngx_openssl_ntls module
+- Add ngx_tongsuo_ntls module
 - Set OpenSSL library path to Tongsuo
 - Set build options for Tongsuo: enable-ntls
 
 ```bash
 cd tengine
 
 # For Tongsuo master branch
-./configure --add-module=modules/ngx_openssl_ntls \
+./configure --add-module=modules/ngx_tongsuo_ntls \
     --with-openssl=../Tongsuo \
     --with-openssl-opt="--strict-warnings --api=1.1.1 enable-ntls" \
     --with-http_ssl_module --with-stream \
     --with-stream_ssl_module --with-stream_sni
 
 # for Tongsuo version 8.3 or lower
-./configure --add-module=modules/ngx_openssl_ntls \
+./configure --add-module=modules/ngx_tongsuo_ntls \
     --with-openssl=../Tongsuo \
     --with-openssl-opt="--strict-warnings enable-ntls" \
     --with-http_ssl_module --with-stream \
@@ -109,9 +109,9 @@ cd tengine
 
 TEST_OPENSSL_BINARY=/opt/tongsuo/bin/openssl \
 TEST_NGINX_BINARY=`pwd`/objs/nginx \
-prove -Itests/nginx-tests/nginx-tests/lib/ modules/ngx_openssl_ntls/t -v
+prove -Itests/nginx-tests/nginx-tests/lib/ modules/ngx_tongsuo_ntls/t -v
 ```
 
 ## Reference
 - [Tongsuo website](https://www.tongsuo.net/)
-- [Tongsuo document](https://tongsuo.readthedocs.io/)
+- [Tongsuo document](https://www.yuque.com/tsdoc)
diff --git a/modules/ngx_openssl_ntls/config → modules/ngx_tongsuo_ntls/config b/modules/ngx_openssl_ntls/config → modules/ngx_tongsuo_ntls/config
diff --git a/modules/ngx_openssl_ntls/t/CA.pm → modules/ngx_tongsuo_ntls/t/CA.pm b/modules/ngx_openssl_ntls/t/CA.pm → modules/ngx_tongsuo_ntls/t/CA.pm
diff --git a/modules/ngx_openssl_ntls/t/ntls.t → modules/ngx_tongsuo_ntls/t/ntls.t b/modules/ngx_openssl_ntls/t/ntls.t → modules/ngx_tongsuo_ntls/t/ntls.t
@@ -20,7 +20,7 @@ use CA qw/ make_sm2_ca_subca_end_certs make_rsa_end_cert make_ec_end_cert /;
 select STDERR; $| = 1;
 select STDOUT; $| = 1;
 
-my $openssl = $ENV{'TEST_OPENSSL_BINARY'} || "/opt/babassl/bin/openssl";
+my $openssl = $ENV{'TEST_OPENSSL_BINARY'} || "/opt/tongsuo/bin/openssl";
 
 my $t = Test::Nginx->new()->has(qw/http http_ssl/)->plan(8);
 
@@ -104,14 +104,14 @@ make_sm2_ca_subca_end_certs($t, "server");
 
 $t->run();
 
-my $ret1 = `echo -e "GET / HTTP/1.0\r\n\r\n" | $openssl s_client -connect localhost:8080 -cipher aRSA -quiet -ign_eof 2>&1`;
-my $ret2 = `echo -e "GET / HTTP/1.0\r\n\r\n" | $openssl s_client -connect localhost:8080 -cipher aECDSA -quiet -ign_eof 2>&1`;
-my $ret3 = `echo -e "GET / HTTP/1.0\r\n\r\n" | $openssl s_client -connect localhost:8081 -cipher ECC-SM2-SM4-CBC-SM3 -quiet -ign_eof -enable_ntls -ntls 2>&1`;
-my $ret4 = `echo -e "GET / HTTP/1.0\r\n\r\n" | $openssl s_client -connect localhost:8081 -cipher ECC-SM2-SM4-GCM-SM3 -quiet -ign_eof -enable_ntls -ntls 2>&1`;
-my $ret5 = `echo -e "GET / HTTP/1.0\r\n\r\n" | $openssl s_client -connect localhost:8081 -cipher ECDHE-SM2-SM4-CBC-SM3 -quiet -ign_eof  -enc_cert $d/client_enc.crt -enc_key $d/client_enc.key -sign_cert $d/client_sign.crt -sign_key $d/client_sign.key -enable_ntls -ntls 2>&1`;
-my $ret6 = `echo -e "GET / HTTP/1.0\r\n\r\n" | $openssl s_client -connect localhost:8081 -cipher ECDHE-SM2-SM4-GCM-SM3 -quiet -ign_eof -enc_cert $d/client_enc.crt -enc_key $d/client_enc.key -sign_cert $d/client_sign.crt -sign_key $d/client_sign.key -enable_ntls -ntls 2>&1`;
-my $ret7 = `echo -e "GET / HTTP/1.0\r\n\r\n" | $openssl s_client -connect localhost:8082 -cipher aRSA -quiet -ign_eof 2>&1`;
-my $ret8 = `echo -e "GET / HTTP/1.0\r\n\r\n" | $openssl s_client -connect localhost:8082 -cipher aECDSA -quiet -ign_eof 2>&1`;
+my $ret1 = `/bin/echo -e "GET / HTTP/1.0\r\n\r\n" | $openssl s_client -connect localhost:8080 -cipher aRSA -quiet -ign_eof 2>&1`;
+my $ret2 = `/bin/echo -e "GET / HTTP/1.0\r\n\r\n" | $openssl s_client -connect localhost:8080 -cipher aECDSA -quiet -ign_eof 2>&1`;
+my $ret3 = `/bin/echo -e "GET / HTTP/1.0\r\n\r\n" | $openssl s_client -connect localhost:8081 -cipher ECC-SM2-SM4-CBC-SM3 -quiet -ign_eof -enable_ntls -ntls 2>&1`;
+my $ret4 = `/bin/echo -e "GET / HTTP/1.0\r\n\r\n" | $openssl s_client -connect localhost:8081 -cipher ECC-SM2-SM4-GCM-SM3 -quiet -ign_eof -enable_ntls -ntls 2>&1`;
+my $ret5 = `/bin/echo -e "GET / HTTP/1.0\r\n\r\n" | $openssl s_client -connect localhost:8081 -cipher ECDHE-SM2-SM4-CBC-SM3 -quiet -ign_eof  -enc_cert $d/client_enc.crt -enc_key $d/client_enc.key -sign_cert $d/client_sign.crt -sign_key $d/client_sign.key -enable_ntls -ntls 2>&1`;
+my $ret6 = `/bin/echo -e "GET / HTTP/1.0\r\n\r\n" | $openssl s_client -connect localhost:8081 -cipher ECDHE-SM2-SM4-GCM-SM3 -quiet -ign_eof -enc_cert $d/client_enc.crt -enc_key $d/client_enc.key -sign_cert $d/client_sign.crt -sign_key $d/client_sign.key -enable_ntls -ntls 2>&1`;
+my $ret7 = `/bin/echo -e "GET / HTTP/1.0\r\n\r\n" | $openssl s_client -connect localhost:8082 -cipher aRSA -quiet -ign_eof 2>&1`;
+my $ret8 = `/bin/echo -e "GET / HTTP/1.0\r\n\r\n" | $openssl s_client -connect localhost:8082 -cipher aECDSA -quiet -ign_eof 2>&1`;
 
 like($ret1, qr/^body TLSv(\d|\.)+/m, 'disable NTLS, TLS handshake success with aRSA');
 like($ret2, qr/^body TLSv(\d|\.)+$/m, 'disable NTLS, TLS handshake success with aECDSA');

diff --git a/...x_openssl_ntls/t/ntls_certificate_chain.t → ...x_tongsuo_ntls/t/ntls_certificate_chain.t b/...x_openssl_ntls/t/ntls_certificate_chain.t → ...x_tongsuo_ntls/t/ntls_certificate_chain.t
@@ -20,7 +20,7 @@ use CA qw/ make_sm2_ca_subca_end_certs /;
 select STDERR; $| = 1;
 select STDOUT; $| = 1;
 
-my $openssl = $ENV{'TEST_OPENSSL_BINARY'} || "/opt/babassl/bin/openssl";
+my $openssl = $ENV{'TEST_OPENSSL_BINARY'} || "/opt/tongsuo/bin/openssl";
 
 my $t = Test::Nginx->new()->has(qw/http http_ssl/)->plan(3);
 
@@ -102,9 +102,9 @@ $t->run();
 
 my $d = $t->testdir();
 
-my $ret1 = `echo -e "GET / HTTP/1.0\r\n\r\n" | $openssl s_client -connect localhost:8080 -verify_return_error -quiet -enable_ntls -ntls 2>&1`;
-my $ret2 = `echo -e "GET / HTTP/1.0\r\n\r\n" | $openssl s_client -connect localhost:8081 -CAfile $d/server_ca.crt -verify_return_error -quiet -enable_ntls -ntls 2>&1`;
-my $ret3 = `echo -e "GET / HTTP/1.0\r\n\r\n" | $openssl s_client -connect localhost:8082 -CAfile $d/server_ca.crt -verify_return_error -quiet -enable_ntls -ntls 2>&1`;
+my $ret1 = `/bin/echo -e "GET / HTTP/1.0\r\n\r\n" | $openssl s_client -connect localhost:8080 -verify_return_error -quiet -enable_ntls -ntls 2>&1`;
+my $ret2 = `/bin/echo -e "GET / HTTP/1.0\r\n\r\n" | $openssl s_client -connect localhost:8081 -CAfile $d/server_ca.crt -verify_return_error -quiet -enable_ntls -ntls 2>&1`;
+my $ret3 = `/bin/echo -e "GET / HTTP/1.0\r\n\r\n" | $openssl s_client -connect localhost:8082 -CAfile $d/server_ca.crt -verify_return_error -quiet -enable_ntls -ntls 2>&1`;
 
 like($ret1, qr/^verify error/m, 'NTLS handshake no issuer certificate');
 like($ret2, qr/^body NTLSv(\d|\.)+$/m, 'NTLS handshake success with subca');

diff --git a/modules/ngx_openssl_ntls/t/ntls_proxy.t → modules/ngx_tongsuo_ntls/t/ntls_proxy.t b/modules/ngx_openssl_ntls/t/ntls_proxy.t → modules/ngx_tongsuo_ntls/t/ntls_proxy.t
@@ -57,7 +57,7 @@ http {
         ssl_trusted_certificate     client_ca_chain.crt;
 
         location / {
-            return 200 "ssl_protocal=$ssl_protocol, ssl_cipher=$ssl_cipher";
+            return 200 "ssl_protocol=$ssl_protocol, ssl_cipher=$ssl_cipher";
         }
     }
 
@@ -117,24 +117,24 @@ make_sm2_ca_subca_end_certs($t, "server");
 
 $t->run();
 
-my $ret1 = `echo -e "GET / HTTP/1.0\r\n\r\n" | $openssl s_client -connect localhost:8083 -cipher AES128-GCM-SHA256 -quiet -ign_eof 2>&1`;
-my $ret2 = `echo -e "GET / HTTP/1.0\r\n\r\n" | $openssl s_client -connect localhost:8083 -cipher ECC-SM2-SM4-CBC-SM3 -quiet -ign_eof -enable_ntls -ntls 2>&1`;
-my $ret3 = `echo -e "GET /?enable_ntls=on HTTP/1.0\r\n\r\n" | $openssl s_client -connect localhost:8083 -cipher AES128-GCM-SHA256 -quiet -ign_eof 2>&1`;
-my $ret4 = `echo -e "GET /?enable_ntls=on HTTP/1.0\r\n\r\n" | $openssl s_client -connect localhost:8083 -cipher ECC-SM2-SM4-CBC-SM3 -quiet -ign_eof -enable_ntls -ntls 2>&1`;
-my $ret5 = `echo -e "GET /?enable_ntls=off HTTP/1.0\r\n\r\n" | $openssl s_client -connect localhost:8083 -cipher ECC-SM2-SM4-GCM-SM3 -quiet -ign_eof -enable_ntls -ntls 2>&1`;
-my $ret6 = `echo -e "GET /?enable_ntls=xxxxx HTTP/1.0\r\n\r\n" | $openssl s_client -connect localhost:8083 -cipher ECC-SM2-SM4-GCM-SM3 -quiet -ign_eof -enable_ntls -ntls 2>&1`;
-my $ret7 = `echo -e "GET /ecdhe HTTP/1.0\r\n\r\n" | $openssl s_client -connect localhost:8083 -cipher ECDHE-SM2-SM4-CBC-SM3 -quiet -ign_eof -enc_cert $d/client_enc.crt -enc_key $d/client_enc.key -sign_cert $d/client_sign.crt -sign_key $d/client_sign.key -enable_ntls -ntls 2>&1`;
-my $ret8 = `echo -e "GET /ecdhe?enable_ntls=on HTTP/1.0\r\n\r\n" | $openssl s_client -connect localhost:8083 -cipher ECDHE-SM2-SM4-GCM-SM3 -quiet -ign_eof -enc_cert $d/client_enc.crt -enc_key $d/client_enc.key -sign_cert $d/client_sign.crt -sign_key $d/client_sign.key -enable_ntls -ntls 2>&1`;
-my $ret9 = `echo -e "GET /ecdhe?enable_ntls=off HTTP/1.0\r\n\r\n" | $openssl s_client -connect localhost:8083 -cipher ECDHE-SM2-SM4-GCM-SM3 -quiet -ign_eof -enc_cert $d/client_enc.crt -enc_key $d/client_enc.key -sign_cert $d/client_sign.crt -sign_key $d/client_sign.key -enable_ntls -ntls 2>&1`;
-
-like($ret1, qr/^ssl_protocal=TLSv1\.2.*$/m, 'client -----(TLSv1.2 AES128-GCM-SHA256)-----> server(no proxy_enable_ntls) -----(TLSv1.2)-----> origin');
-like($ret2, qr/^ssl_protocal=TLSv1\.2.*$/m, 'client -----(NTLSv1.1 ECC-SM2-SM4-CBC-SM3)-----> server(no proxy_enable_ntls) -----(TLSv1.2)-----> origin');
-like($ret3, qr/^ssl_protocal=NTLSv1\.1, ssl_cipher=ECC-SM2-SM4-CBC-SM3/m, 'client -----(TLSv1.2 AES128-GCM-SHA256)-----> server(proxy_enable_ntls=on) -----(NTLSv1.1 ECC-SM2-SM4-CBC-SM3)-----> origin');
-like($ret4, qr/^ssl_protocal=NTLSv1\.1, ssl_cipher=ECC-SM2-SM4-CBC-SM3/m, 'client -----(NTLSv1.1 ECC-SM2-SM4-CBC-SM3)-----> server(proxy_enable_ntls=on) -----(NTLSv1.1 ECC-SM2-SM4-CBC-SM3)-----> origin');
-like($ret5, qr/^ssl_protocal=TLSv1\.2.*$/m, 'client -----(NTLSv1.1 ECC-SM2-SM4-GCM-SM3)-----> server(proxy_enable_ntls=off) -----(TLSv1.2)-----> origin');
-like($ret6, qr/^ssl_protocal=TLSv1\.2.*$/m, 'client -----(NTLSv1.1 ECC-SM2-SM4-GCM-SM3)-----> server(proxy_enable_ntls=xxxxx) -----(TLSv1.2)-----> origin');
-like($ret7, qr/^ssl_protocal=TLSv1\.2.*$/m, 'client -----(NTLSv1.1 ECDHE-SM2-SM4-CBC-SM3)-----> server(no proxy_enable_ntls) -----(TLSv1.2)-----> origin');
-like($ret8, qr/^ssl_protocal=NTLSv1\.1, ssl_cipher=ECDHE-SM2-SM4-GCM-SM3/m, 'client -----(NTLSv1.1 ECDHE-SM2-SM4-CBC-SM3)-----> server(proxy_enable_ntls=on) -----(NTLSv1.1 ECDHE-SM2-SM4-CBC-SM3)-----> origin');
-like($ret9, qr/^ssl_protocal=TLSv1\.2.*$/m, 'client -----(NTLSv1.1 ECDHE-SM2-SM4-CBC-SM3)-----> server(proxy_enable_ntls=off) -----(TLSv1.2)-----> origin');
+my $ret1 = `/bin/echo -e "GET / HTTP/1.0\r\n\r\n" | $openssl s_client -connect localhost:8083 -cipher AES128-GCM-SHA256 -quiet -ign_eof 2>&1`;
+my $ret2 = `/bin/echo -e "GET / HTTP/1.0\r\n\r\n" | $openssl s_client -connect localhost:8083 -cipher ECC-SM2-SM4-CBC-SM3 -quiet -ign_eof -enable_ntls -ntls 2>&1`;
+my $ret3 = `/bin/echo -e "GET /?enable_ntls=on HTTP/1.0\r\n\r\n" | $openssl s_client -connect localhost:8083 -cipher AES128-GCM-SHA256 -quiet -ign_eof 2>&1`;
+my $ret4 = `/bin/echo -e "GET /?enable_ntls=on HTTP/1.0\r\n\r\n" | $openssl s_client -connect localhost:8083 -cipher ECC-SM2-SM4-CBC-SM3 -quiet -ign_eof -enable_ntls -ntls 2>&1`;
+my $ret5 = `/bin/echo -e "GET /?enable_ntls=off HTTP/1.0\r\n\r\n" | $openssl s_client -connect localhost:8083 -cipher ECC-SM2-SM4-GCM-SM3 -quiet -ign_eof -enable_ntls -ntls 2>&1`;
+my $ret6 = `/bin/echo -e "GET /?enable_ntls=xxxxx HTTP/1.0\r\n\r\n" | $openssl s_client -connect localhost:8083 -cipher ECC-SM2-SM4-GCM-SM3 -quiet -ign_eof -enable_ntls -ntls 2>&1`;
+my $ret7 = `/bin/echo -e "GET /ecdhe HTTP/1.0\r\n\r\n" | $openssl s_client -connect localhost:8083 -cipher ECDHE-SM2-SM4-CBC-SM3 -quiet -ign_eof -enc_cert $d/client_enc.crt -enc_key $d/client_enc.key -sign_cert $d/client_sign.crt -sign_key $d/client_sign.key -enable_ntls -ntls 2>&1`;
+my $ret8 = `/bin/echo -e "GET /ecdhe?enable_ntls=on HTTP/1.0\r\n\r\n" | $openssl s_client -connect localhost:8083 -cipher ECDHE-SM2-SM4-GCM-SM3 -quiet -ign_eof -enc_cert $d/client_enc.crt -enc_key $d/client_enc.key -sign_cert $d/client_sign.crt -sign_key $d/client_sign.key -enable_ntls -ntls 2>&1`;
+my $ret9 = `/bin/echo -e "GET /ecdhe?enable_ntls=off HTTP/1.0\r\n\r\n" | $openssl s_client -connect localhost:8083 -cipher ECDHE-SM2-SM4-GCM-SM3 -quiet -ign_eof -enc_cert $d/client_enc.crt -enc_key $d/client_enc.key -sign_cert $d/client_sign.crt -sign_key $d/client_sign.key -enable_ntls -ntls 2>&1`;
+
+like($ret1, qr/^ssl_protocol=TLSv1\.2.*$/m, 'client -----(TLSv1.2 AES128-GCM-SHA256)-----> server(no proxy_enable_ntls) -----(TLSv1.2)-----> origin');
+like($ret2, qr/^ssl_protocol=TLSv1\.2.*$/m, 'client -----(NTLSv1.1 ECC-SM2-SM4-CBC-SM3)-----> server(no proxy_enable_ntls) -----(TLSv1.2)-----> origin');
+like($ret3, qr/^ssl_protocol=NTLSv1\.1, ssl_cipher=ECC-SM2-SM4-CBC-SM3/m, 'client -----(TLSv1.2 AES128-GCM-SHA256)-----> server(proxy_enable_ntls=on) -----(NTLSv1.1 ECC-SM2-SM4-CBC-SM3)-----> origin');
+like($ret4, qr/^ssl_protocol=NTLSv1\.1, ssl_cipher=ECC-SM2-SM4-CBC-SM3/m, 'client -----(NTLSv1.1 ECC-SM2-SM4-CBC-SM3)-----> server(proxy_enable_ntls=on) -----(NTLSv1.1 ECC-SM2-SM4-CBC-SM3)-----> origin');
+like($ret5, qr/^ssl_protocol=TLSv1\.2.*$/m, 'client -----(NTLSv1.1 ECC-SM2-SM4-GCM-SM3)-----> server(proxy_enable_ntls=off) -----(TLSv1.2)-----> origin');
+like($ret6, qr/^ssl_protocol=TLSv1\.2.*$/m, 'client -----(NTLSv1.1 ECC-SM2-SM4-GCM-SM3)-----> server(proxy_enable_ntls=xxxxx) -----(TLSv1.2)-----> origin');
+like($ret7, qr/^ssl_protocol=TLSv1\.2.*$/m, 'client -----(NTLSv1.1 ECDHE-SM2-SM4-CBC-SM3)-----> server(no proxy_enable_ntls) -----(TLSv1.2)-----> origin');
+like($ret8, qr/^ssl_protocol=NTLSv1\.1, ssl_cipher=ECDHE-SM2-SM4-GCM-SM3/m, 'client -----(NTLSv1.1 ECDHE-SM2-SM4-CBC-SM3)-----> server(proxy_enable_ntls=on) -----(NTLSv1.1 ECDHE-SM2-SM4-CBC-SM3)-----> origin');
+like($ret9, qr/^ssl_protocol=TLSv1\.2.*$/m, 'client -----(NTLSv1.1 ECDHE-SM2-SM4-CBC-SM3)-----> server(proxy_enable_ntls=off) -----(TLSv1.2)-----> origin');
 
 $t->stop();
diff --git a/...s/ngx_openssl_ntls/t/ntls_session_cache.t → ...s/ngx_tongsuo_ntls/t/ntls_session_cache.t b/...s/ngx_openssl_ntls/t/ntls_session_cache.t → ...s/ngx_tongsuo_ntls/t/ntls_session_cache.t
@@ -20,7 +20,7 @@ use CA qw/ make_sm2_ca_subca_end_certs /;
 select STDERR; $| = 1;
 select STDOUT; $| = 1;
 
-my $openssl = $ENV{'TEST_OPENSSL_BINARY'} || "/opt/babassl/bin/openssl";
+my $openssl = $ENV{'TEST_OPENSSL_BINARY'} || "/opt/tongsuo/bin/openssl";
 
 my $t = Test::Nginx->new()->has(qw/http http_ssl/)->plan(11);
 
@@ -116,19 +116,19 @@ make_sm2_ca_subca_end_certs($t, "server");
 
 $t->run();
 
-my $ret1 = `echo -e "GET /reuse HTTP/1.0\r\n\r\n" | $openssl s_client -connect localhost:8085 -quiet -sess_out 1.sess -enable_ntls -ntls 2>&1`;
-my $ret2 = `echo -e "GET /reuse HTTP/1.0\r\n\r\n" | $openssl s_client -connect localhost:8085 -quiet -sess_in 1.sess -enable_ntls -ntls 2>&1`;
-my $ret3 = `echo -e "GET / HTTP/1.0\r\n\r\n" | $openssl s_client -connect localhost:8081 -quiet -sess_out 3.sess -enable_ntls -ntls 2>&1`;
-my $ret4 = `echo -e "GET / HTTP/1.0\r\n\r\n" | $openssl s_client -connect localhost:8081 -quiet -sess_in 3.sess -enable_ntls -ntls 2>&1`;
-my $ret5 = `echo -e "GET / HTTP/1.0\r\n\r\n" | $openssl s_client -connect localhost:8082 -quiet -sess_out 5.sess -enable_ntls -ntls 2>&1`;
-my $ret6 = `echo -e "GET / HTTP/1.0\r\n\r\n" | $openssl s_client -connect localhost:8082 -quiet -sess_in 5.sess -enable_ntls -ntls 2>&1`;
-my $ret7 = `echo -e "GET / HTTP/1.0\r\n\r\n" | $openssl s_client -connect localhost:8083 -quiet -sess_out 7.sess -enable_ntls -ntls 2>&1`;
-my $ret8 = `echo -e "GET / HTTP/1.0\r\n\r\n" | $openssl s_client -connect localhost:8083 -quiet -sess_in 7.sess -enable_ntls -ntls 2>&1`;
-my $ret9 = `echo -e "GET / HTTP/1.0\r\n\r\n" | $openssl s_client -connect localhost:8084 -quiet -sess_out 9.sess -enable_ntls -ntls 2>&1`;
+my $ret1 = `/bin/echo -e "GET /reuse HTTP/1.0\r\n\r\n" | $openssl s_client -connect localhost:8085 -quiet -sess_out 1.sess -enable_ntls -ntls 2>&1`;
+my $ret2 = `/bin/echo -e "GET /reuse HTTP/1.0\r\n\r\n" | $openssl s_client -connect localhost:8085 -quiet -sess_in 1.sess -enable_ntls -ntls 2>&1`;
+my $ret3 = `/bin/echo -e "GET / HTTP/1.0\r\n\r\n" | $openssl s_client -connect localhost:8081 -quiet -sess_out 3.sess -enable_ntls -ntls 2>&1`;
+my $ret4 = `/bin/echo -e "GET / HTTP/1.0\r\n\r\n" | $openssl s_client -connect localhost:8081 -quiet -sess_in 3.sess -enable_ntls -ntls 2>&1`;
+my $ret5 = `/bin/echo -e "GET / HTTP/1.0\r\n\r\n" | $openssl s_client -connect localhost:8082 -quiet -sess_out 5.sess -enable_ntls -ntls 2>&1`;
+my $ret6 = `/bin/echo -e "GET / HTTP/1.0\r\n\r\n" | $openssl s_client -connect localhost:8082 -quiet -sess_in 5.sess -enable_ntls -ntls 2>&1`;
+my $ret7 = `/bin/echo -e "GET / HTTP/1.0\r\n\r\n" | $openssl s_client -connect localhost:8083 -quiet -sess_out 7.sess -enable_ntls -ntls 2>&1`;
+my $ret8 = `/bin/echo -e "GET / HTTP/1.0\r\n\r\n" | $openssl s_client -connect localhost:8083 -quiet -sess_in 7.sess -enable_ntls -ntls 2>&1`;
+my $ret9 = `/bin/echo -e "GET / HTTP/1.0\r\n\r\n" | $openssl s_client -connect localhost:8084 -quiet -sess_out 9.sess -enable_ntls -ntls 2>&1`;
 
 # session timeout
 select undef, undef, undef, 2.1;
-my $ret11 = `echo -e "GET / HTTP/1.0\r\n\r\n" | $openssl s_client -connect localhost:8081 -quiet -sess_in 3.sess -enable_ntls -ntls 2>&1`;
+my $ret11 = `/bin/echo -e "GET / HTTP/1.0\r\n\r\n" | $openssl s_client -connect localhost:8081 -quiet -sess_in 3.sess -enable_ntls -ntls 2>&1`;
 
 like($ret1, qr/^body \.$/m, 'shared initial session');
 like($ret2, qr/^body r$/m, 'shared session reused');