diff options
| author | Kazuki Yamaguchi <k@rhe.jp> | 2021-03-18 20:04:59 +0900 |
|---|---|---|
| committer | Kazuki Yamaguchi <k@rhe.jp> | 2021-10-16 18:19:52 +0900 |
| commit | 6105ef7629c297c94f9e85f26adf7c0426089ca5 (patch) | |
| tree | f7673285256b524380e42581c2daa78334d5c020 /test/openssl | |
| parent | 49217086adf262f63078c65e693796dc892c5216 (diff) | |
[ruby/openssl] ssl: add SSLContext#tmp_dh=
Provide a wrapper of SSL_set0_tmp_dh_pkey()/SSL_CTX_set_tmp_dh(), which
sets the DH parameters used for ephemeral DH key exchange.
SSLContext#tmp_dh_callback= already exists for this purpose, as a
wrapper around SSL_CTX_set_tmp_dh_callback(), but it is considered
obsolete and the OpenSSL API is deprecated for future removal. There is
no practical use case where an application needs to use different DH
parameters nowadays. This was originally introduced to support export
grade ciphers.
RDoc for #tmp_dh_callback= is updated to recommend the new #tmp_dh=.
Note that current versions of OpenSSL support automatic ECDHE curve
selection which is enabled by default. SSLContext#tmp_dh= should only be
necessary if you must allow ancient clients which don't support ECDHE.
https://github.com/ruby/openssl/commit/aa43da4f04
Diffstat (limited to 'test/openssl')
| -rw-r--r-- | test/openssl/test_ssl.rb | 24 |
1 files changed, 17 insertions, 7 deletions
diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb index 5dccac5fac..0337205c45 100644 --- a/test/openssl/test_ssl.rb +++ b/test/openssl/test_ssl.rb @@ -1583,13 +1583,11 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase end end - def test_dh_callback - pend "TLS 1.2 is not supported" unless tls12_supported? - + def test_tmp_dh_callback dh = Fixtures.pkey("dh-1") called = false ctx_proc = -> ctx { - ctx.ssl_version = :TLSv1_2 + ctx.max_version = :TLS1_2 ctx.ciphers = "DH:!NULL" ctx.tmp_dh_callback = ->(*args) { called = true @@ -1605,10 +1603,8 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase end def test_connect_works_when_setting_dh_callback_to_nil - pend "TLS 1.2 is not supported" unless tls12_supported? - ctx_proc = -> ctx { - ctx.ssl_version = :TLSv1_2 + ctx.max_version = :TLS1_2 ctx.ciphers = "DH:!NULL" # use DH ctx.tmp_dh_callback = nil } @@ -1621,6 +1617,20 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase end end + def test_tmp_dh + dh = Fixtures.pkey("dh-1") + ctx_proc = -> ctx { + ctx.max_version = :TLS1_2 + ctx.ciphers = "DH:!NULL" # use DH + ctx.tmp_dh = dh + } + start_server(ctx_proc: ctx_proc) do |port| + server_connect(port) { |ssl| + assert_equal dh.to_der, ssl.tmp_key.to_der + } + end + end + def test_ecdh_curves_tls12 pend "EC is disabled" unless defined?(OpenSSL::PKey::EC) |