summaryrefslogtreecommitdiff
path: root/test/openssl/test_ssl.rb
diff options
context:
space:
mode:
authoremboss <emboss@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2012-05-26 00:56:33 +0000
committeremboss <emboss@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2012-05-26 00:56:33 +0000
commit50ba64ab87e1715cc0bf6d6c8bdfa330de4f6699 (patch)
tree5138e44a904d9f9b28eedc2c7e69243d4822ed80 /test/openssl/test_ssl.rb
parent6f5582a2ae543eb8000deba997348fda189c166a (diff)
* ext/openssl/ossl_ssl.c: Allow disabling client-side renegotiation.
* test/openssl/test_ssl.rb: Simple tests for this. Client-side renegotiation is still considered problematic, even when used in the context of secure renegotiation (RI, RFC 5746). The changes allow users to either completely disable client renegotiation on the server, or to specify a maximum number of handshakes allowed in total. The number of total handshakes is counted in a callback set as SSL_set_info_callback. If the maximum number of handshakes is exceeded an error will be raised We do not support renegotiation in the OpenSSL extension, therefore this feature can only be tested externally. The feature is opt-in, the default setting will be to allow unlimited client renegotiation, as was the case before. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35797 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'test/openssl/test_ssl.rb')
-rw-r--r--test/openssl/test_ssl.rb44
1 files changed, 42 insertions, 2 deletions
diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb
index de4bd34c5f..97b2c22472 100644
--- a/test/openssl/test_ssl.rb
+++ b/test/openssl/test_ssl.rb
@@ -505,14 +505,54 @@ if OpenSSL::SSL::SSLContext::METHODS.include? :TLSv1_2
end
+ def test_disable_client_renegotiation
+ ctx_proc = Proc.new { |ctx| ctx.disable_client_renegotiation }
+ start_server_version(:SSLv23, ctx_proc) { |server, port|
+ server_connect(port) { |ssl|
+ assert(ssl.ssl_version)
+ }
+ }
+ end
+
+ def test_allow_client_renegotiation_args
+ ctx = OpenSSL::SSL::SSLContext.new
+ assert_raise(ArgumentError) { ctx.allow_client_renegotiation(0) }
+ assert_raise(ArgumentError) { ctx.allow_client_renegotiation(-1) }
+ end
+
+ def test_allow_client_renegotiation_once
+ ctx_proc = Proc.new { |ctx| ctx.allow_client_renegotiation(2) }
+ start_server_version(:SSLv23, ctx_proc) { |server, port|
+ server_connect(port) { |ssl|
+ assert(ssl.ssl_version)
+ }
+ }
+ end
+
+ def test_allow_arbitrary_client_renegotiation
+ ctx_proc = Proc.new { |ctx| ctx.allow_client_renegotiation }
+ start_server_version(:SSLv23, ctx_proc) { |server, port|
+ server_connect(port) { |ssl|
+ assert(ssl.ssl_version)
+ }
+ }
+ end
+
private
- def start_server_version(version, ctx_proc=nil, &blk)
+ def start_server_version(version, ctx_proc=nil, server_proc=nil, &blk)
ctx_wrap = Proc.new { |ctx|
ctx.ssl_version = version
ctx_proc.call(ctx) if ctx_proc
}
- start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true, :ctx_proc => ctx_wrap, &blk)
+ start_server(
+ PORT,
+ OpenSSL::SSL::VERIFY_NONE,
+ true,
+ :ctx_proc => ctx_wrap,
+ :server_proc => server_proc,
+ &blk
+ )
end
def server_connect(port, ctx=nil)