* ext/openssl/ossl_ssl.c: Allow disabling client-side renegotiation.

* test/openssl/test_ssl.rb: Simple tests for this.

  Client-side renegotiation is still considered problematic, even
  when used in the context of secure renegotiation (RI, RFC 5746).
  The changes allow users to either completely disable client
  renegotiation on the server, or to specify a maximum number of
  handshakes allowed in total. The number of total handshakes is
  counted in a callback set as SSL_set_info_callback. If the
  maximum number of handshakes is exceeded an error will be raised
  We do not support renegotiation in the OpenSSL extension, therefore
  this feature can only be tested externally.
  The feature is opt-in, the default setting will be to allow
  unlimited client renegotiation, as was the case before.


git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35797 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

1 files changed, 42 insertions, 2 deletions

diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb
index de4bd34c5f..97b2c22472 100644
--- a/test/openssl/test_ssl.rb
+++ b/test/openssl/test_ssl.rb
@@ -505,14 +505,54 @@ if OpenSSL::SSL::SSLContext::METHODS.include? :TLSv1_2
 
 end
 
+  def test_disable_client_renegotiation
+    ctx_proc = Proc.new { |ctx| ctx.disable_client_renegotiation }
+    start_server_version(:SSLv23, ctx_proc) { |server, port|
+      server_connect(port) { |ssl|
+        assert(ssl.ssl_version)
+      }
+    }
+  end
+
+  def test_allow_client_renegotiation_args
+    ctx = OpenSSL::SSL::SSLContext.new
+    assert_raise(ArgumentError) { ctx.allow_client_renegotiation(0) }
+    assert_raise(ArgumentError) { ctx.allow_client_renegotiation(-1) }
+  end
+
+  def test_allow_client_renegotiation_once
+    ctx_proc = Proc.new { |ctx| ctx.allow_client_renegotiation(2) }
+    start_server_version(:SSLv23, ctx_proc) { |server, port|
+      server_connect(port) { |ssl|
+        assert(ssl.ssl_version)
+      }
+    }
+  end
+
+  def test_allow_arbitrary_client_renegotiation
+    ctx_proc = Proc.new { |ctx| ctx.allow_client_renegotiation }
+    start_server_version(:SSLv23, ctx_proc) { |server, port|
+      server_connect(port) { |ssl|
+        assert(ssl.ssl_version)
+      }
+    }
+  end
+
   private
 
-  def start_server_version(version, ctx_proc=nil, &blk)
+  def start_server_version(version, ctx_proc=nil, server_proc=nil, &blk)
     ctx_wrap = Proc.new { |ctx|
       ctx.ssl_version = version
       ctx_proc.call(ctx) if ctx_proc
     }
-    start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true, :ctx_proc => ctx_wrap, &blk)
+    start_server(
+      PORT, 
+      OpenSSL::SSL::VERIFY_NONE, 
+      true, 
+      :ctx_proc => ctx_wrap, 
+      :server_proc => server_proc, 
+      &blk
+    )
   end
 
   def server_connect(port, ctx=nil)