ruby.git/test/openssl/test_ssl.rb, branch v3_3_11 The Ruby Programming Language [ruby/openssl] ssl: raise SSLError if loading ca_file or ca_path fails 2023-08-16T05:48:41+00:00 Kazuki Yamaguchi k@rhe.jp 2023-08-09T17:45:15+00:00 01d368e7b06ccf34f92c535a117a2856956d2bcb When compiled with OpenSSL <= 1.1.1, OpenSSL::SSL::SSLContext#setup does not raise an exception on an error return from SSL_CTX_load_verify_locations(), but instead only prints a verbose-mode warning. This is not helpful since it very likely indicates an actual error, such as the specified file not being readable. Also, OpenSSL's error queue is not correctly cleared: $ ruby -w -ropenssl -e'OpenSSL.debug=true; ctx=OpenSSL::SSL::SSLContext.new; ctx.ca_file="bad-path"; ctx.setup; pp OpenSSL.errors' -e:1: warning: can't set verify locations ["error:02001002:system library:fopen:No such file or directory", "error:2006D080:BIO routines:BIO_new_file:no such file", "error:0B084002:x509 certificate routines:X509_load_cert_crl_file: system lib"] The behavior is currently different when compiled with OpenSSL >= 3.0: SSLError is raised if SSL_CTX_load_verify_file() or SSL_CTX_load_verify_dir() fails. This inconsistency was unintentionally introduced by commit https://github.com/ruby/openssl/commit/5375a55ffc35 ("ssl: use SSL_CTX_load_verify_{file,dir}() if available", 2020-02-22). However, raising SSLError seems more appropriate in this situation. Let's adjust the OpenSSL <= 1.1.1 code so that it behaves the same way as the OpenSSL >= 3.0 code currently does. Fixes: https://github.com/ruby/openssl/issues/649 https://github.com/ruby/openssl/commit/7eb10f7b75 
When compiled with OpenSSL <= 1.1.1, OpenSSL::SSL::SSLContext#setup
does not raise an exception on an error return from
SSL_CTX_load_verify_locations(), but instead only prints a verbose-mode
warning. This is not helpful since it very likely indicates an actual
error, such as the specified file not being readable.

Also, OpenSSL's error queue is not correctly cleared:

	$ ruby -w -ropenssl -e'OpenSSL.debug=true; ctx=OpenSSL::SSL::SSLContext.new; ctx.ca_file="bad-path"; ctx.setup; pp OpenSSL.errors'
	-e:1: warning: can't set verify locations
	["error:02001002:system library:fopen:No such file or directory",
	 "error:2006D080:BIO routines:BIO_new_file:no such file",
	 "error:0B084002:x509 certificate routines:X509_load_cert_crl_file: system lib"]

The behavior is currently different when compiled with OpenSSL >= 3.0:
SSLError is raised if SSL_CTX_load_verify_file() or
SSL_CTX_load_verify_dir() fails.

This inconsistency was unintentionally introduced by commit https://github.com/ruby/openssl/commit/5375a55ffc35
("ssl: use SSL_CTX_load_verify_{file,dir}() if available", 2020-02-22).
However, raising SSLError seems more appropriate in this situation.
Let's adjust the OpenSSL <= 1.1.1 code so that it behaves the same way
as the OpenSSL >= 3.0 code currently does.

Fixes: https://github.com/ruby/openssl/issues/649

https://github.com/ruby/openssl/commit/7eb10f7b75
[ruby/openssl] Revert "Relax error message check for OpenSSL 3.1" 2023-08-16T05:48:39+00:00 Kazuki Yamaguchi k@rhe.jp 2023-06-07T07:15:29+00:00 4465941e68e076d3198a071600f1047b7a382e0b This reverts commit https://github.com/ruby/openssl/commit/fc4629d246f2. The test case "test_connect_certificate_verify_failed_exception_message" does want to check the reason behind a certificate verification failure to be included in the exception message. https://github.com/ruby/openssl/commit/c309745eb8 
This reverts commit https://github.com/ruby/openssl/commit/fc4629d246f2.

The test case "test_connect_certificate_verify_failed_exception_message"
does want to check the reason behind a certificate verification failure
to be included in the exception message.

https://github.com/ruby/openssl/commit/c309745eb8
[ruby/openssl] Relax error message check for OpenSSL 3.1 2023-03-16T08:17:46+00:00 Nobuyoshi Nakada nobu@ruby-lang.org 2023-03-15T11:34:21+00:00 0b303c683007598a31f2cda3d512d981b278f8bd A tentative measures fo https://github.com/ruby/openssl/issues/606. With OpenSSL 3.1.0, the error message at connection using "self-signed certificate" seems to return `SSL_R_TLSV1_ALERT_UNKNOWN_CA` instead of `SSL_R_CERTIFICATE_VERIFY_FAILED`. https://github.com/ruby/openssl/commit/fc4629d246 
A tentative measures fo https://github.com/ruby/openssl/issues/606.

With OpenSSL 3.1.0, the error message at connection using "self-signed
certificate" seems to return `SSL_R_TLSV1_ALERT_UNKNOWN_CA` instead of
`SSL_R_CERTIFICATE_VERIFY_FAILED`.

https://github.com/ruby/openssl/commit/fc4629d246
[ruby/openssl] test/openssl/test_ssl.rb: do not run SSL tests if not available 2022-12-23T00:39:15+00:00 Kazuki Yamaguchi k@rhe.jp 2022-12-22T19:06:12+00:00 a4b4997c69437e9d2ba09629d72284a4fb9defc5 https://github.com/ruby/openssl/commit/a3d230d4e0 
https://github.com/ruby/openssl/commit/a3d230d4e0
[ruby/openssl] ssl: disable NPN support on LibreSSL 2022-12-23T00:39:15+00:00 Kazuki Yamaguchi k@rhe.jp 2022-10-17T08:33:37+00:00 dd6f3276e07f8f731a3bbcbdd58525ee6dd6581e As noted in commit https://github.com/ruby/openssl/commit/a2ed156cc9f1 ("test/test_ssl: do not run NPN tests for LibreSSL >= 2.6.1", 2017-08-13), NPN is known not to work properly on LibreSSL. Disable NPN support on LibreSSL, whether OPENSSL_NO_NEXTPROTONEG is defined or not. NPN is less relevant today anyway. Let's also silence test suite when it's not available. https://github.com/ruby/openssl/commit/289f6e0e1f 
As noted in commit https://github.com/ruby/openssl/commit/a2ed156cc9f1 ("test/test_ssl: do not run NPN tests
for LibreSSL >= 2.6.1", 2017-08-13), NPN is known not to work properly
on LibreSSL.

Disable NPN support on LibreSSL, whether OPENSSL_NO_NEXTPROTONEG is
defined or not.

NPN is less relevant today anyway. Let's also silence test suite when
it's not available.

https://github.com/ruby/openssl/commit/289f6e0e1f
[ruby/openssl] Add support to SSL_CTX_set_keylog_callback 2022-10-17T07:35:35+00:00 Christophe De La Fuente christophe_delafuente@rapid7.com 2022-08-29T18:15:54+00:00 17998ad3bb5864db38ba9e709ed7209da6189f0f - This callback is invoked when TLS key material is generated or received, in order to allow applications to store this keying material for debugging purposes. - It is invoked with an `SSLSocket` and a string containing the key material in the format used by NSS for its SSLKEYLOGFILE debugging output. - This commit adds the Ruby binding `keylog_cb` and the related tests - It is only compatible with OpenSSL >= 1.1.1. Even if LibreSSL implements `SSL_CTX_set_keylog_callback()` from v3.4.2, it does nothing (see https://github.com/libressl-portable/openbsd/commit/648d39f0f035835d0653342d139883b9661e9cb6) https://github.com/ruby/openssl/commit/3b63232cf1 
- This callback is invoked when TLS key material is generated or
  received, in order to allow applications to store this keying material
  for debugging purposes.
- It is invoked with an `SSLSocket` and a string containing the key
  material in the format used by NSS for its SSLKEYLOGFILE debugging
  output.
- This commit adds the Ruby binding `keylog_cb` and the related tests
- It is only compatible with OpenSSL >= 1.1.1. Even if LibreSSL implements
  `SSL_CTX_set_keylog_callback()` from v3.4.2, it does nothing (see
  https://github.com/libressl-portable/openbsd/commit/648d39f0f035835d0653342d139883b9661e9cb6)

https://github.com/ruby/openssl/commit/3b63232cf1
[ruby/openssl] ssl: enable generating keying material from SSL sessions 2022-10-17T07:35:35+00:00 madblobfish - 2022-08-03T21:24:28+00:00 79543b9a530d85f0487583d96ad412f5e7683ffa Add OpenSSL::SSL::SSLSocket#export_keying_material to support RFC 5705 https://github.com/ruby/openssl/commit/65530b887e 
Add OpenSSL::SSL::SSLSocket#export_keying_material to support RFC 5705

https://github.com/ruby/openssl/commit/65530b887e
[ruby/openssl] Skip a new test when old OpenSSL 2022-07-09T06:26:32+00:00 Nobuyoshi Nakada nobu@ruby-lang.org 2022-07-09T05:29:35+00:00 949c3afb48d2afd02c2bfa569e29f6a3a48c1607 It does not raise an error when setting an invalid value to SSLContext ciphers on Ubuntu 18.04. https://github.com/ruby/openssl/commit/8c96a69b0d 
It does not raise an error when setting an invalid value to SSLContext
ciphers on Ubuntu 18.04.

https://github.com/ruby/openssl/commit/8c96a69b0d
[ruby/openssl] Strip trailing spaces [ci skip] 2022-07-08T15:39:18+00:00 Nobuyoshi Nakada nobu@ruby-lang.org 2022-07-08T14:20:52+00:00 d77ebe8eeaad5d6e31a48eb1ecac2008fe0548f6 https://github.com/ruby/openssl/commit/862d92de93 
https://github.com/ruby/openssl/commit/862d92de93
[ruby/openssl] Fix test of cipher name to pass in LibreSSL 3.4 2022-07-08T14:18:18+00:00 Jeremy Evans code@jeremyevans.net 2022-03-25T20:50:10+00:00 def445303a93c69dd16a9b849b9171d4e89c6dc5 LibreSSL 3.5 switched the cipher naming to match OpenSSL. https://github.com/ruby/openssl/commit/bf198278bd 
LibreSSL 3.5 switched the cipher naming to match OpenSSL.

https://github.com/ruby/openssl/commit/bf198278bd