ruby.git/test/openssl/test_x509store.rb, branch v4.0.4 The Ruby Programming Language [ruby/openssl] x509store: fix StoreContext#current_cert 2025-07-31T09:45:35+00:00 Kazuki Yamaguchi k@rhe.jp 2025-07-27T14:04:09+00:00 e8261963c79ba61453f7f0dae281c33a1287b351 Commit https://github.com/ruby/openssl/commit/ef277083ba76 overlooked a caller of ossl_x509_new() with NULL argument. OpenSSL::X509::StoreContext#current_cert may not have a certificate to return if StoreContext#verify has not been called. https://github.com/ruby/openssl/commit/4149b43890 
Commit https://github.com/ruby/openssl/commit/ef277083ba76 overlooked a caller of ossl_x509_new() with NULL
argument. OpenSSL::X509::StoreContext#current_cert may not have a
certificate to return if StoreContext#verify has not been called.

https://github.com/ruby/openssl/commit/4149b43890
[ruby/openssl] Require OpenSSL 1.1.0 or later 2025-01-20T17:12:57+00:00 Kazuki Yamaguchi k@rhe.jp 2025-01-14T12:49:12+00:00 441862dc9f11d83e9e35c3b965fe84e42e178a35 Drop support for OpenSSL 1.0.2. It has reached upstream EOL in 2019-12. Most distributions that shipped with OpenSSL 1.0.2 have also reached EOL, or provide a newer version in the package repository: - RHEL 7 (EOL 2024-06) - Ubuntu 16.04 LTS (EOL 2021-04) - Amazon Linux 2 (EOL 2026-06, but OpenSSL 1.1.1 can be installed via the openssl11{,-devel} package) https://github.com/ruby/openssl/commit/38ec6fd50e 
Drop support for OpenSSL 1.0.2. It has reached upstream EOL in 2019-12.

Most distributions that shipped with OpenSSL 1.0.2 have also reached
EOL, or provide a newer version in the package repository:

 - RHEL 7 (EOL 2024-06)
 - Ubuntu 16.04 LTS (EOL 2021-04)
 - Amazon Linux 2 (EOL 2026-06, but OpenSSL 1.1.1 can be installed via
   the openssl11{,-devel} package)

https://github.com/ruby/openssl/commit/38ec6fd50e
[ruby/openssl] Require LibreSSL 3.9 or later 2025-01-14T12:38:16+00:00 Kazuki Yamaguchi k@rhe.jp 2025-01-07T16:55:56+00:00 0fb64bda9bf16c36de3c4ca5f9d3aa8da5d39ee2 Drop support for LibreSSL 3.1-3.8. LibreSSL 3.8 has reached its EOL in 2024-10. https://github.com/ruby/openssl/commit/f33d611f9f 
Drop support for LibreSSL 3.1-3.8. LibreSSL 3.8 has reached its EOL in
2024-10.

https://github.com/ruby/openssl/commit/f33d611f9f
[ruby/openssl] test: adjust test cases for LibreSSL 3.2.4 2021-03-16T10:37:06+00:00 Kazuki Yamaguchi k@rhe.jp 2021-02-25T08:28:23+00:00 a3f97007bbd1012a4b7662b8166118b81b52527a LibreSSL 3.2.4 made the certificate verification logic back closer to pre-3.2.2 one, which is more compatible with OpenSSL. Part of the fixes added by commit a0e98d48c91f ("Enhance TLS 1.3 support on LibreSSL 3.2/3.3", 2020-12-03) is required for 3.2.2 and 3.2.3 only (and ~3.3.1, however 3.3 does not have a stable release yet). Since both releases are security fix, it should be safe to remove those special treatment from our test suite. While we are at it, TestSSL#test_ecdh_curves is split into TLS 1.2 and TLS 1.3 variants for clarity. https://github.com/ruby/openssl/commit/a9954bac22 
LibreSSL 3.2.4 made the certificate verification logic back closer to
pre-3.2.2 one, which is more compatible with OpenSSL.

Part of the fixes added by commit a0e98d48c91f ("Enhance TLS 1.3 support
on LibreSSL 3.2/3.3", 2020-12-03) is required for 3.2.2 and 3.2.3 only
(and ~3.3.1, however 3.3 does not have a stable release yet). Since both
releases are security fix, it should be safe to remove those special
treatment from our test suite.

While we are at it, TestSSL#test_ecdh_curves is split into TLS 1.2 and
TLS 1.3 variants for clarity.

https://github.com/ruby/openssl/commit/a9954bac22
[ruby/openssl] Enhance TLS 1.3 support on LibreSSL 3.2/3.3 2021-03-16T10:37:06+00:00 Jeremy Evans code@jeremyevans.net 2020-12-03T17:12:12+00:00 e2ce3830447b95fbb7d9b8dff80b8c1716688da0 This defines TLS1_3_VERSION when using LibreSSL 3.2+. LibreSSL 3.2/3.3 doesn't advertise this by default, even though it will use TLS 1.3 in both client and server modes. Changes between LibreSSL 3.1 and 3.2/3.3 broke a few tests, Defining TLS1_3_VERSION by itself fixes 1 test failure. A few tests now fail on LibreSSL 3.2/3.3 unless TLS 1.2 is set as the maximum version, and this adjusts those tests. The client CA test doesn't work in LibreSSL 3.2+, so I've marked that as pending. For the hostname verification, LibreSSL 3.2.2+ has a new stricter hostname verifier that doesn't like subjectAltName such as c*.example.com and d.*.example.com, so adjust the related tests. With these changes, the tests pass on LibreSSL 3.2/3.3. https://github.com/ruby/openssl/commit/a0e98d48c9 
This defines TLS1_3_VERSION when using LibreSSL 3.2+.  LibreSSL 3.2/3.3
doesn't advertise this by default, even though it will use TLS 1.3
in both client and server modes.

Changes between LibreSSL 3.1 and 3.2/3.3 broke a few tests, Defining
TLS1_3_VERSION by itself fixes 1 test failure.  A few tests now
fail on LibreSSL 3.2/3.3 unless TLS 1.2 is set as the maximum version,
and this adjusts those tests.  The client CA test doesn't work in
LibreSSL 3.2+, so I've marked that as pending.

For the hostname verification, LibreSSL 3.2.2+ has a new stricter
hostname verifier that doesn't like subjectAltName such as
c*.example.com and d.*.example.com, so adjust the related tests.

With these changes, the tests pass on LibreSSL 3.2/3.3.

https://github.com/ruby/openssl/commit/a0e98d48c9
[ruby/openssl] test/openssl/test_x509store: tidy up tests for X509::Store#add_cert 2021-03-16T10:16:11+00:00 Kazuki Yamaguchi k@rhe.jp 2020-08-11T15:00:40+00:00 0b1bb1bc32906a07ed0c3cdf3e64bc10663b011d Rename the test case to test_add_cert_duplicate to clarify what it is actually testing. https://github.com/ruby/openssl/commit/4cc3c4110f 
Rename the test case to test_add_cert_duplicate to clarify what it is
actually testing.

https://github.com/ruby/openssl/commit/4cc3c4110f
[ruby/openssl] test/openssl/test_x509store: break up test_verify 2021-03-16T10:16:11+00:00 Kazuki Yamaguchi k@rhe.jp 2020-08-11T09:52:37+00:00 d4ad1e71ca6c1b58e5ea1b518e406a0251ca812f The test case is huge and too complex. Break it up into separate test cases for better documentation. https://github.com/ruby/openssl/commit/61012df03b 
The test case is huge and too complex. Break it up into separate test
cases for better documentation.

https://github.com/ruby/openssl/commit/61012df03b
[ruby/openssl] x509store: emit warning if arguments are given to X509::Store.new 2021-03-16T10:16:11+00:00 Kazuki Yamaguchi k@rhe.jp 2020-08-08T10:28:11+00:00 08c99a4208af1a50e0ee2446ad4bb235edea00e5 Anything passed to OpenSSL::X509::Store.new was always ignored. Let's emit an explicit warning to not confuse users. https://github.com/ruby/openssl/commit/d173700eeb 
Anything passed to OpenSSL::X509::Store.new was always ignored. Let's
emit an explicit warning to not confuse users.

https://github.com/ruby/openssl/commit/d173700eeb
[ruby/openssl] x509store: let X509::Store#add_file raise TypeError if nil is given 2021-03-16T10:16:11+00:00 Kazuki Yamaguchi k@rhe.jp 2020-08-08T10:03:46+00:00 88b8b3ac15223d65cf4b40cfc7d193b54b6e2f09 Undo special treatment of nil and simply pass the value to StringValueCStr(). nil was never a valid argument for the method; OpenSSL::X509::StoreError with an unhelpful error message "system lib" was raised in that case. https://github.com/ruby/openssl/commit/fb2fcbb137 
Undo special treatment of nil and simply pass the value to
StringValueCStr().

nil was never a valid argument for the method; OpenSSL::X509::StoreError
with an unhelpful error message "system lib" was raised in that case.

https://github.com/ruby/openssl/commit/fb2fcbb137
Revert the related commits about `Tempfile.open` change. 2020-09-09T12:10:48+00:00 Hiroshi SHIBATA hsbt@ruby-lang.org 2020-09-09T11:52:48+00:00 b194973dcd5eda6c9e256029ea39dc532ae18962 Start with https://github.com/ruby/ruby/commit/fa21985a7a2f8f52a8bd82bd12a724e9dca74934 to https://github.com/ruby/ruby/commit/d7492a0be885ea9f2b9f71e3e95582f9a859c439 
  Start with https://github.com/ruby/ruby/commit/fa21985a7a2f8f52a8bd82bd12a724e9dca74934
  to https://github.com/ruby/ruby/commit/d7492a0be885ea9f2b9f71e3e95582f9a859c439