ruby.git/test/openssl/test_x509store.rb, branch v3_2_11 The Ruby Programming Language [ruby/openssl] test: adjust test cases for LibreSSL 3.2.4 2021-03-16T10:37:06+00:00 Kazuki Yamaguchi k@rhe.jp 2021-02-25T08:28:23+00:00 a3f97007bbd1012a4b7662b8166118b81b52527a LibreSSL 3.2.4 made the certificate verification logic back closer to pre-3.2.2 one, which is more compatible with OpenSSL. Part of the fixes added by commit a0e98d48c91f ("Enhance TLS 1.3 support on LibreSSL 3.2/3.3", 2020-12-03) is required for 3.2.2 and 3.2.3 only (and ~3.3.1, however 3.3 does not have a stable release yet). Since both releases are security fix, it should be safe to remove those special treatment from our test suite. While we are at it, TestSSL#test_ecdh_curves is split into TLS 1.2 and TLS 1.3 variants for clarity. https://github.com/ruby/openssl/commit/a9954bac22 
LibreSSL 3.2.4 made the certificate verification logic back closer to
pre-3.2.2 one, which is more compatible with OpenSSL.

Part of the fixes added by commit a0e98d48c91f ("Enhance TLS 1.3 support
on LibreSSL 3.2/3.3", 2020-12-03) is required for 3.2.2 and 3.2.3 only
(and ~3.3.1, however 3.3 does not have a stable release yet). Since both
releases are security fix, it should be safe to remove those special
treatment from our test suite.

While we are at it, TestSSL#test_ecdh_curves is split into TLS 1.2 and
TLS 1.3 variants for clarity.

https://github.com/ruby/openssl/commit/a9954bac22
[ruby/openssl] Enhance TLS 1.3 support on LibreSSL 3.2/3.3 2021-03-16T10:37:06+00:00 Jeremy Evans code@jeremyevans.net 2020-12-03T17:12:12+00:00 e2ce3830447b95fbb7d9b8dff80b8c1716688da0 This defines TLS1_3_VERSION when using LibreSSL 3.2+. LibreSSL 3.2/3.3 doesn't advertise this by default, even though it will use TLS 1.3 in both client and server modes. Changes between LibreSSL 3.1 and 3.2/3.3 broke a few tests, Defining TLS1_3_VERSION by itself fixes 1 test failure. A few tests now fail on LibreSSL 3.2/3.3 unless TLS 1.2 is set as the maximum version, and this adjusts those tests. The client CA test doesn't work in LibreSSL 3.2+, so I've marked that as pending. For the hostname verification, LibreSSL 3.2.2+ has a new stricter hostname verifier that doesn't like subjectAltName such as c*.example.com and d.*.example.com, so adjust the related tests. With these changes, the tests pass on LibreSSL 3.2/3.3. https://github.com/ruby/openssl/commit/a0e98d48c9 
This defines TLS1_3_VERSION when using LibreSSL 3.2+.  LibreSSL 3.2/3.3
doesn't advertise this by default, even though it will use TLS 1.3
in both client and server modes.

Changes between LibreSSL 3.1 and 3.2/3.3 broke a few tests, Defining
TLS1_3_VERSION by itself fixes 1 test failure.  A few tests now
fail on LibreSSL 3.2/3.3 unless TLS 1.2 is set as the maximum version,
and this adjusts those tests.  The client CA test doesn't work in
LibreSSL 3.2+, so I've marked that as pending.

For the hostname verification, LibreSSL 3.2.2+ has a new stricter
hostname verifier that doesn't like subjectAltName such as
c*.example.com and d.*.example.com, so adjust the related tests.

With these changes, the tests pass on LibreSSL 3.2/3.3.

https://github.com/ruby/openssl/commit/a0e98d48c9
[ruby/openssl] test/openssl/test_x509store: tidy up tests for X509::Store#add_cert 2021-03-16T10:16:11+00:00 Kazuki Yamaguchi k@rhe.jp 2020-08-11T15:00:40+00:00 0b1bb1bc32906a07ed0c3cdf3e64bc10663b011d Rename the test case to test_add_cert_duplicate to clarify what it is actually testing. https://github.com/ruby/openssl/commit/4cc3c4110f 
Rename the test case to test_add_cert_duplicate to clarify what it is
actually testing.

https://github.com/ruby/openssl/commit/4cc3c4110f
[ruby/openssl] test/openssl/test_x509store: break up test_verify 2021-03-16T10:16:11+00:00 Kazuki Yamaguchi k@rhe.jp 2020-08-11T09:52:37+00:00 d4ad1e71ca6c1b58e5ea1b518e406a0251ca812f The test case is huge and too complex. Break it up into separate test cases for better documentation. https://github.com/ruby/openssl/commit/61012df03b 
The test case is huge and too complex. Break it up into separate test
cases for better documentation.

https://github.com/ruby/openssl/commit/61012df03b
[ruby/openssl] x509store: emit warning if arguments are given to X509::Store.new 2021-03-16T10:16:11+00:00 Kazuki Yamaguchi k@rhe.jp 2020-08-08T10:28:11+00:00 08c99a4208af1a50e0ee2446ad4bb235edea00e5 Anything passed to OpenSSL::X509::Store.new was always ignored. Let's emit an explicit warning to not confuse users. https://github.com/ruby/openssl/commit/d173700eeb 
Anything passed to OpenSSL::X509::Store.new was always ignored. Let's
emit an explicit warning to not confuse users.

https://github.com/ruby/openssl/commit/d173700eeb
[ruby/openssl] x509store: let X509::Store#add_file raise TypeError if nil is given 2021-03-16T10:16:11+00:00 Kazuki Yamaguchi k@rhe.jp 2020-08-08T10:03:46+00:00 88b8b3ac15223d65cf4b40cfc7d193b54b6e2f09 Undo special treatment of nil and simply pass the value to StringValueCStr(). nil was never a valid argument for the method; OpenSSL::X509::StoreError with an unhelpful error message "system lib" was raised in that case. https://github.com/ruby/openssl/commit/fb2fcbb137 
Undo special treatment of nil and simply pass the value to
StringValueCStr().

nil was never a valid argument for the method; OpenSSL::X509::StoreError
with an unhelpful error message "system lib" was raised in that case.

https://github.com/ruby/openssl/commit/fb2fcbb137
Revert the related commits about `Tempfile.open` change. 2020-09-09T12:10:48+00:00 Hiroshi SHIBATA hsbt@ruby-lang.org 2020-09-09T11:52:48+00:00 b194973dcd5eda6c9e256029ea39dc532ae18962 Start with https://github.com/ruby/ruby/commit/fa21985a7a2f8f52a8bd82bd12a724e9dca74934 to https://github.com/ruby/ruby/commit/d7492a0be885ea9f2b9f71e3e95582f9a859c439 
  Start with https://github.com/ruby/ruby/commit/fa21985a7a2f8f52a8bd82bd12a724e9dca74934
  to https://github.com/ruby/ruby/commit/d7492a0be885ea9f2b9f71e3e95582f9a859c439
Fix usages of Tempfile.open(&block) that expected the file to still be there after the block 2020-08-29T10:30:24+00:00 Benoit Daloze eregontp@gmail.com 2020-08-29T10:23:31+00:00 3beecafc2cae86290a191c1e841be13f5b08795d 






Test out fix for OpenSSL test flakiness
2020-08-11T16:01:51+00:00

Alan Wu
XrXr@users.noreply.github.com

2020-08-11T07:13:53+00:00

7930a352a57c42205eaf064c4ae70c16c5f6ed99

`OpenSSL::TestX509Store#test_verify` has been failing intermittently on
CI about once a day:
  - http://ci.rvm.jp/results/trunk-random2@phosphorus-docker/3121244
  - http://ci.rvm.jp/results/trunk-random1@phosphorus-docker/3117661
  - http://ci.rvm.jp/results/trunk-random1@phosphorus-docker/3111684

According to the test:
 > OpenSSL uses time(2) while Time.now uses clock_gettime(CLOCK_REALTIME),
 > and there may be difference.

This difference is could be the cause for the flaky failures. Let's see
if giving the certificate more room solves the problem.

In any case, I will revert this in a week. I think changes to these
should go to https://github.com/ruby/openssl/?





`OpenSSL::TestX509Store#test_verify` has been failing intermittently on
CI about once a day:
  - http://ci.rvm.jp/results/trunk-random2@phosphorus-docker/3121244
  - http://ci.rvm.jp/results/trunk-random1@phosphorus-docker/3117661
  - http://ci.rvm.jp/results/trunk-random1@phosphorus-docker/3111684

According to the test:
 > OpenSSL uses time(2) while Time.now uses clock_gettime(CLOCK_REALTIME),
 > and there may be difference.

This difference is could be the cause for the flaky failures. Let's see
if giving the certificate more room solves the problem.

In any case, I will revert this in a week. I think changes to these
should go to https://github.com/ruby/openssl/?







Add more debug info to test_verify
2020-08-06T15:16:06+00:00

Kazuhiro NISHIYAMA
zn@mbf.nifty.com

2020-08-06T15:16:06+00:00

fcdda2f8a1b8556bc2ad44e75434f8b6b19f1746

http://ci.rvm.jp/results/trunk-random1@phosphorus-docker/3111684





http://ci.rvm.jp/results/trunk-random1@phosphorus-docker/3111684