diff options
| author | Kazuki Yamaguchi <k@rhe.jp> | 2020-03-09 18:26:19 +0900 |
|---|---|---|
| committer | Kazuki Yamaguchi <k@rhe.jp> | 2020-03-10 17:41:01 +0900 |
| commit | e4a26cd4f8e74e5d29de10a3a0ce5829829301b0 (patch) | |
| tree | 3e2ca67325456a954d6f0f898594453b13119a0d /test | |
| parent | 61cfd6da84e9cbf02c2e3ff5fae476fec92a1cec (diff) | |
openssl: sync with upstream repository
Import current master (2c43241dc0ed) of ruby/openssl.git.
Below are the commits that were made since the last batch at commit
b99775b163ce (ruby/openssl.git commit f49e7110ca1e). Note that some of
them have been applied already.
----------------------------------------------------------------
Benoit Daloze (1):
Remove redundant and ignored workflow file
DBL-Lee (1):
add support for SHA512_256/SHA512_224
Hiroshi SHIBATA (2):
Guard for OpenSSL::PKey::EC::Group::Error with unsupported platforms
Fixed inconsistency directory structure with ruby/ruby repo
Jeremy Evans (2):
Fix keyword argument separation issues in OpenSSL::SSL::SSLSocket#sys{read,write}_nonblock
Remove taint support
Kazuki Yamaguchi (26):
config: support .include directive
random: make OpenSSL::Random.pseudo_bytes alias of .random_bytes
extconf.rb: get rid of -Werror=deprecated-declarations
test/openssl/test_ssl: skip test_fallback_scsv if necessary
ts: simplify OpenSSL::Timestamp::Request#algorithm
History.md: add missing references to GitHub issues
config: deprecate OpenSSL::Config#add_value and #[]=
test/openssl/test_ssl: remove sleep from test_finished_messages
test/openssl/test_ssl: fix random failure in SSLSocket.open test
test/openssl/test_ssl: avoid explicitly-sized private keys
test/openssl/test_ssl: remove commented-out test case
test/openssl/test_ssl: allow kRSA tests to fail
ssl: avoid declarations after statements
engine: revert OpenSSL::Engine.load changes for cloudhsm
engine: remove really outdated static engines
engine: do not check for ENGINE_load_builtin_engines()
engine: fix guards for 'dynamic' and 'cryptodev' engines
lib/openssl.rb: require openssl/version.rb
x509: add error code and verify flags constants
ssl: set verify error code in the case of verify_hostname failure
.github/workflows: merge CI jobs into a single workflow
.github/workflows: test against different OpenSSL versions
.travis.yml: fully migrate to GitHub Actions
ssl: suppress test failure with SSLContext#add_certificate_chain_file
ssl: remove test case test_puts_meta from test_pair
Revert "Use version.rb in gemspec"
MSP-Greg (2):
.travis.yml - remove 2.3/1.0.2, 2.5/1.1.1, head/1.0.2
Use version.rb in gemspec
Samuel Williams (1):
Restore compatibility with older versions of Ruby.
Yusuke Endoh (1):
Make OpenSSL::OSSL#test_memcmp_timing robust
Diffstat (limited to 'test')
| -rw-r--r-- | test/openssl/fixtures/chain/dh512.pem | 4 | ||||
| -rw-r--r-- | test/openssl/fixtures/chain/server.crt | 13 | ||||
| -rw-r--r-- | test/openssl/fixtures/chain/server.csr | 11 | ||||
| -rw-r--r-- | test/openssl/fixtures/chain/server.key | 15 | ||||
| -rw-r--r-- | test/openssl/test_config.rb | 160 | ||||
| -rw-r--r-- | test/openssl/test_digest.rb | 12 | ||||
| -rw-r--r-- | test/openssl/test_pair.rb | 14 | ||||
| -rw-r--r-- | test/openssl/test_ssl.rb | 106 |
8 files changed, 210 insertions, 125 deletions
diff --git a/test/openssl/fixtures/chain/dh512.pem b/test/openssl/fixtures/chain/dh512.pem deleted file mode 100644 index fec138c7a9..0000000000 --- a/test/openssl/fixtures/chain/dh512.pem +++ /dev/null @@ -1,4 +0,0 @@ ------BEGIN DH PARAMETERS----- -MEYCQQCjDVzTg9C4u43MV0TKDGsBuYdChrPMczr4IYjy+jHQvXm2DDadNNWBIDau -4zNtwfLCg2gMwOc7t18m4Ten/NOLAgEC ------END DH PARAMETERS----- diff --git a/test/openssl/fixtures/chain/server.crt b/test/openssl/fixtures/chain/server.crt deleted file mode 100644 index d6b814f450..0000000000 --- a/test/openssl/fixtures/chain/server.crt +++ /dev/null @@ -1,13 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICATCCAWoCCQDbxIRGgXeWaDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJO -WjETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0 -cyBQdHkgTHRkMB4XDTE5MDYxMzA1MDU0MloXDTI5MDYxMDA1MDU0MlowRTELMAkG -A1UEBhMCTloxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0 -IFdpZGdpdHMgUHR5IEx0ZDCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA29Vu -Y6m8pRrsXxUhlK2BX48CDChr8D53SqZozcQI26BCm+05TBnQxKAHOknR3y/ige2U -2zftSwbSoK/zKUC8o5pKVL+l36anDEnZ6RWc9Z9CvmaCFjlcP4nXZO+yD1Is/jCy -KqGGC8lQ920VXOCFflJj6AWg88+4C3GLjxJe6bMCAwEAATANBgkqhkiG9w0BAQsF -AAOBgQCDaqKGBkYxNxnv37vEKp7zi/cov8LvEsZaAD1pcSU+ysBiBes/B7a/Qjcj -PTZsH/hedn9mVynLkjc7LrztUWngTeW9gk5EB9YSwJdPhwLntV1TdaBlf/tu0n/c -s7QxaZhFMUyo1Eof28zXVHhs1OEhlSjwJ8lxuC3vBE4F1BjSNQ== ------END CERTIFICATE----- diff --git a/test/openssl/fixtures/chain/server.csr b/test/openssl/fixtures/chain/server.csr deleted file mode 100644 index 51b38e33f2..0000000000 --- a/test/openssl/fixtures/chain/server.csr +++ /dev/null @@ -1,11 +0,0 @@ ------BEGIN CERTIFICATE REQUEST----- -MIIBhDCB7gIBADBFMQswCQYDVQQGEwJOWjETMBEGA1UECAwKU29tZS1TdGF0ZTEh -MB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIGfMA0GCSqGSIb3DQEB -AQUAA4GNADCBiQKBgQDb1W5jqbylGuxfFSGUrYFfjwIMKGvwPndKpmjNxAjboEKb -7TlMGdDEoAc6SdHfL+KB7ZTbN+1LBtKgr/MpQLyjmkpUv6XfpqcMSdnpFZz1n0K+ -ZoIWOVw/iddk77IPUiz+MLIqoYYLyVD3bRVc4IV+UmPoBaDzz7gLcYuPEl7pswID -AQABoAAwDQYJKoZIhvcNAQELBQADgYEAONaTWYVfyMmd8irCtognRoM4tFF4xvDg -PTcnHjVb/6oPPMU+mtQVD9qNf8SOdhNuYVTZ61mDLQGeq45CLM5qWjZkqFPHnngf -ajfZRE7Y3vA8ZaWFvsTJYcU+R3/FRS0XnFYj99+q9Yi3JExSY+arElyAW3tFYlcs -RWOCk1pT2Yc= ------END CERTIFICATE REQUEST----- diff --git a/test/openssl/fixtures/chain/server.key b/test/openssl/fixtures/chain/server.key deleted file mode 100644 index 9590235db8..0000000000 --- a/test/openssl/fixtures/chain/server.key +++ /dev/null @@ -1,15 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIICXAIBAAKBgQDb1W5jqbylGuxfFSGUrYFfjwIMKGvwPndKpmjNxAjboEKb7TlM -GdDEoAc6SdHfL+KB7ZTbN+1LBtKgr/MpQLyjmkpUv6XfpqcMSdnpFZz1n0K+ZoIW -OVw/iddk77IPUiz+MLIqoYYLyVD3bRVc4IV+UmPoBaDzz7gLcYuPEl7pswIDAQAB -AoGAGO+q5+83ENtu+JIjDwRnanmEV/C13biYO4WI2d5kytTw+VL9bt52yfcFGt2I -yvJZlTdn7T340svhVIzg3ksTmp1xQk3zh6zR00zQy45kYwY8uyd8Xfh2IsnpByoc -h2jWVX6LSqi1Iy3RxanHmMYPSMy15otsjwlwnnTAHLnnvzECQQDvw3TL90DucQSD -S0h6DWAGakaiOMhY/PpFbTsjzw+uG+Up65tpz4QqPbsXfoReeK0CQIuyE/LlYoJl -VOlIsL6HAkEA6rh4zsWi6KVTGa7qd5x70TEgxeMMAW1qUbak1THxeZTFYnyvucBz -i+VQvHEVnCadhVpHIwbBNUeOyS5DXjj6dQJAA0Caf/3Noq5jykgmJomx6MReSusM -RLDB0FlH+Rdg9hKozCXHCOtoto350LrFnuZyKlqnynWc0OHCNQ+uzm6fVwJAbtyW -YsNCQLPlXhoZsEj+yj10B0NH5lyxfMrRa8jdDtnPqMbPkOJvMMIssfSPimNKvzN2 -qfqEww97R1ZMh3JOCQJBAIIwGHBN5rDGIb4CgR+PLsh8bve1X+gO8UnOYJXa/Uzx -gAXE0uzHNH6rNSG0V/IQnFYlSHpNJGgcdSl+MZNLldQ= ------END RSA PRIVATE KEY----- diff --git a/test/openssl/test_config.rb b/test/openssl/test_config.rb index dba66b0802..f65392c18d 100644 --- a/test/openssl/test_config.rb +++ b/test/openssl/test_config.rb @@ -120,6 +120,49 @@ __EOC__ assert_equal("error in line 7: missing close square bracket", excn.message) end + def test_s_parse_include + in_tmpdir("ossl-config-include-test") do |dir| + Dir.mkdir("child") + File.write("child/a.conf", <<~__EOC__) + [default] + file-a = a.conf + [sec-a] + a = 123 + __EOC__ + File.write("child/b.cnf", <<~__EOC__) + [default] + file-b = b.cnf + [sec-b] + b = 123 + __EOC__ + File.write("include-child.conf", <<~__EOC__) + key_outside_section = value_a + .include child + __EOC__ + + include_file = <<~__EOC__ + [default] + file-main = unnamed + [sec-main] + main = 123 + .include = include-child.conf + __EOC__ + + # Include a file by relative path + c1 = OpenSSL::Config.parse(include_file) + assert_equal(["default", "sec-a", "sec-b", "sec-main"], c1.sections.sort) + assert_equal(["file-main", "file-a", "file-b"], c1["default"].keys) + assert_equal({"a" => "123"}, c1["sec-a"]) + assert_equal({"b" => "123"}, c1["sec-b"]) + assert_equal({"main" => "123", "key_outside_section" => "value_a"}, c1["sec-main"]) + + # Relative paths are from the working directory + assert_raise(OpenSSL::ConfigError) do + Dir.chdir("child") { OpenSSL::Config.parse(include_file) } + end + end + end + def test_s_load # alias of new c = OpenSSL::Config.load @@ -211,45 +254,54 @@ __EOC__ def test_sections assert_equal(['CA_default', 'ca', 'default'], @it.sections.sort) - @it['new_section'] = {'foo' => 'bar'} - assert_equal(['CA_default', 'ca', 'default', 'new_section'], @it.sections.sort) - @it['new_section'] = {} - assert_equal(['CA_default', 'ca', 'default', 'new_section'], @it.sections.sort) + # OpenSSL::Config#[]= is deprecated + EnvUtil.suppress_warning do + @it['new_section'] = {'foo' => 'bar'} + assert_equal(['CA_default', 'ca', 'default', 'new_section'], @it.sections.sort) + @it['new_section'] = {} + assert_equal(['CA_default', 'ca', 'default', 'new_section'], @it.sections.sort) + end end def test_add_value - c = OpenSSL::Config.new - assert_equal("", c.to_s) - # add key - c.add_value('default', 'foo', 'bar') - assert_equal("[ default ]\nfoo=bar\n\n", c.to_s) - # add another key - c.add_value('default', 'baz', 'qux') - assert_equal('bar', c['default']['foo']) - assert_equal('qux', c['default']['baz']) - # update the value - c.add_value('default', 'baz', 'quxxx') - assert_equal('bar', c['default']['foo']) - assert_equal('quxxx', c['default']['baz']) - # add section and key - c.add_value('section', 'foo', 'bar') - assert_equal('bar', c['default']['foo']) - assert_equal('quxxx', c['default']['baz']) - assert_equal('bar', c['section']['foo']) + # OpenSSL::Config#add_value is deprecated + EnvUtil.suppress_warning do + c = OpenSSL::Config.new + assert_equal("", c.to_s) + # add key + c.add_value('default', 'foo', 'bar') + assert_equal("[ default ]\nfoo=bar\n\n", c.to_s) + # add another key + c.add_value('default', 'baz', 'qux') + assert_equal('bar', c['default']['foo']) + assert_equal('qux', c['default']['baz']) + # update the value + c.add_value('default', 'baz', 'quxxx') + assert_equal('bar', c['default']['foo']) + assert_equal('quxxx', c['default']['baz']) + # add section and key + c.add_value('section', 'foo', 'bar') + assert_equal('bar', c['default']['foo']) + assert_equal('quxxx', c['default']['baz']) + assert_equal('bar', c['section']['foo']) + end end def test_aset - @it['foo'] = {'bar' => 'baz'} - assert_equal({'bar' => 'baz'}, @it['foo']) - @it['foo'] = {'bar' => 'qux', 'baz' => 'quxx'} - assert_equal({'bar' => 'qux', 'baz' => 'quxx'}, @it['foo']) - - # OpenSSL::Config is add only for now. - @it['foo'] = {'foo' => 'foo'} - assert_equal({'foo' => 'foo', 'bar' => 'qux', 'baz' => 'quxx'}, @it['foo']) - # you cannot override or remove any section and key. - @it['foo'] = {} - assert_equal({'foo' => 'foo', 'bar' => 'qux', 'baz' => 'quxx'}, @it['foo']) + # OpenSSL::Config#[]= is deprecated + EnvUtil.suppress_warning do + @it['foo'] = {'bar' => 'baz'} + assert_equal({'bar' => 'baz'}, @it['foo']) + @it['foo'] = {'bar' => 'qux', 'baz' => 'quxx'} + assert_equal({'bar' => 'qux', 'baz' => 'quxx'}, @it['foo']) + + # OpenSSL::Config is add only for now. + @it['foo'] = {'foo' => 'foo'} + assert_equal({'foo' => 'foo', 'bar' => 'qux', 'baz' => 'quxx'}, @it['foo']) + # you cannot override or remove any section and key. + @it['foo'] = {} + assert_equal({'foo' => 'foo', 'bar' => 'qux', 'baz' => 'quxx'}, @it['foo']) + end end def test_each @@ -272,32 +324,50 @@ __EOC__ end def test_freeze - c = OpenSSL::Config.new - c['foo'] = [['key', 'value']] - c.freeze + @it.freeze - bug = '[ruby-core:18377]' - # RuntimeError for 1.9, TypeError for 1.8 - e = assert_raise(TypeError, bug) do - c['foo'] = [['key', 'wrong']] + # Modifying OpenSSL::Config produces a warning + EnvUtil.suppress_warning do + bug = '[ruby-core:18377]' + # RuntimeError for 1.9, TypeError for 1.8 + e = assert_raise(TypeError, bug) do + @it['foo'] = [['key', 'wrong']] + end + assert_match(/can't modify/, e.message, bug) end - assert_match(/can't modify/, e.message, bug) end def test_dup assert(!@it.sections.empty?) c = @it.dup assert_equal(@it.sections.sort, c.sections.sort) - @it['newsection'] = {'a' => 'b'} - assert_not_equal(@it.sections.sort, c.sections.sort) + # OpenSSL::Config#[]= is deprecated + EnvUtil.suppress_warning do + @it['newsection'] = {'a' => 'b'} + assert_not_equal(@it.sections.sort, c.sections.sort) + end end def test_clone assert(!@it.sections.empty?) c = @it.clone assert_equal(@it.sections.sort, c.sections.sort) - @it['newsection'] = {'a' => 'b'} - assert_not_equal(@it.sections.sort, c.sections.sort) + # OpenSSL::Config#[]= is deprecated + EnvUtil.suppress_warning do + @it['newsection'] = {'a' => 'b'} + assert_not_equal(@it.sections.sort, c.sections.sort) + end + end + + private + + def in_tmpdir(*args) + Dir.mktmpdir(*args) do |dir| + dir = File.realpath(dir) + Dir.chdir(dir) do + yield dir + end + end end end diff --git a/test/openssl/test_digest.rb b/test/openssl/test_digest.rb index e47fc0a356..0bf66b826a 100644 --- a/test/openssl/test_digest.rb +++ b/test/openssl/test_digest.rb @@ -98,6 +98,18 @@ class OpenSSL::TestDigest < OpenSSL::TestCase assert_equal(sha512_a, encode16(OpenSSL::Digest::SHA512.digest("a"))) end + def test_sha512_truncate + pend "SHA512_224 is not implemented" unless OpenSSL::Digest.const_defined?(:SHA512_224) + sha512_224_a = "d5cdb9ccc769a5121d4175f2bfdd13d6310e0d3d361ea75d82108327" + sha512_256_a = "455e518824bc0601f9fb858ff5c37d417d67c2f8e0df2babe4808858aea830f8" + + assert_equal(sha512_224_a, OpenSSL::Digest::SHA512_224.hexdigest("a")) + assert_equal(sha512_256_a, OpenSSL::Digest::SHA512_256.hexdigest("a")) + + assert_equal(sha512_224_a, encode16(OpenSSL::Digest::SHA512_224.digest("a"))) + assert_equal(sha512_256_a, encode16(OpenSSL::Digest::SHA512_256.digest("a"))) + end + def test_sha3 pend "SHA3 is not implemented" unless OpenSSL::Digest.const_defined?(:SHA3_224) s224 = '6b4e03423667dbb73b6e15454f0eb1abd4597f9a1b078e3f5b5a6bc7' diff --git a/test/openssl/test_pair.rb b/test/openssl/test_pair.rb index a77abfd923..8316ec2a9c 100644 --- a/test/openssl/test_pair.rb +++ b/test/openssl/test_pair.rb @@ -156,20 +156,6 @@ module OpenSSL::TestPairM } end - def test_puts_meta - ssl_pair {|s1, s2| - begin - old = $/ - EnvUtil.suppress_warning {$/ = '*'} - s1.puts 'a' - ensure - EnvUtil.suppress_warning {$/ = old} - end - s1.close - assert_equal("a\n", s2.read) - } - end - def test_puts_empty ssl_pair {|s1, s2| s1.puts diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb index cce1a4472e..ce899ba085 100644 --- a/test/openssl/test_ssl.rb +++ b/test/openssl/test_ssl.rb @@ -89,13 +89,17 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase def test_socket_open_with_local_address_port_context start_server { |port| begin + # Guess a free port number + random_port = rand(49152..65535) ctx = OpenSSL::SSL::SSLContext.new - ssl = OpenSSL::SSL::SSLSocket.open("127.0.0.1", port, "127.0.0.1", 8000, context: ctx) + ssl = OpenSSL::SSL::SSLSocket.open("127.0.0.1", port, "127.0.0.1", random_port, context: ctx) ssl.sync_close = true ssl.connect - assert_equal ssl.context, ctx + assert_equal ctx, ssl.context + assert_equal random_port, ssl.io.local_address.ip_port ssl.puts "abc"; assert_equal "abc\n", ssl.gets + rescue Errno::EADDRINUSE ensure ssl&.close end @@ -127,7 +131,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase add0_chain_supported = openssl?(1, 0, 2) if add0_chain_supported - ca2_key = Fixtures.pkey("rsa2048") + ca2_key = Fixtures.pkey("rsa-3") ca2_exts = [ ["basicConstraints", "CA:TRUE", true], ["keyUsage", "cRLSign, keyCertSign", true], @@ -186,9 +190,31 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase end def test_add_certificate_chain_file - pend "The current server.crt seems too short for OpenSSL 1.1.1d or later" if OpenSSL::OPENSSL_VERSION_NUMBER >= 0x10101040 - ctx = OpenSSL::SSL::SSLContext.new - assert ctx.add_certificate_chain_file(Fixtures.file_path("chain", "server.crt")) + # Create chain certificates file + certs = Tempfile.open { |f| f << @svr_cert.to_pem << @ca_cert.to_pem; f } + pkey = Tempfile.open { |f| f << @svr_key.to_pem; f } + + ctx_proc = -> ctx { + # FIXME: This is a temporary test case written just to match the current + # state. ctx.add_certificate_chain_file should take two arguments. + ctx.add_certificate_chain_file(certs.path) + # # Unset values set by start_server + # ctx.cert = ctx.key = ctx.extra_chain_cert = nil + # assert_nothing_raised { ctx.add_certificate_chain_file(certs.path, pkey.path) } + } + + start_server(ctx_proc: ctx_proc) { |port| + server_connect(port) { |ssl| + assert_equal @svr_cert.subject, ssl.peer_cert.subject + assert_equal [@svr_cert.subject, @ca_cert.subject], + ssl.peer_cert_chain.map(&:subject) + + ssl.puts "abc"; assert_equal "abc\n", ssl.gets + } + } + ensure + certs&.unlink + pkey&.unlink end def test_sysread_and_syswrite @@ -207,19 +233,6 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase } end - # TODO fix this test - # def test_sysread_nonblock_and_syswrite_nonblock_keywords - # start_server do |port| - # server_connect(port) do |ssl| - # assert_warning("") do - # ssl.send(:syswrite_nonblock, "12", exception: false) - # ssl.send(:sysread_nonblock, 1, exception: false) rescue nil - # ssl.send(:sysread_nonblock, 1, String.new, exception: false) rescue nil - # end - # end - # end - # end - def test_sync_close start_server do |port| begin @@ -497,12 +510,14 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase ctx = OpenSSL::SSL::SSLContext.new ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE server_connect(port, ctx) { |ssl| + ssl.puts "abc"; ssl.gets + client_finished = ssl.finished_message client_peer_finished = ssl.peer_finished_message - sleep 0.05 - ssl.send :stop } } + assert_not_nil(server_finished) + assert_not_nil(client_finished) assert_equal(server_finished, client_peer_finished) assert_equal(server_peer_finished, client_finished) end @@ -924,6 +939,46 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase end end + def test_verify_hostname_failure_error_code + ctx_proc = proc { |ctx| + exts = [ + ["keyUsage", "keyEncipherment,digitalSignature", true], + ["subjectAltName", "DNS:a.example.com"], + ] + ctx.cert = issue_cert(@svr, @svr_key, 4, exts, @ca_cert, @ca_key) + ctx.key = @svr_key + } + + start_server(ctx_proc: ctx_proc, ignore_listener_error: true) do |port| + verify_callback_ok = verify_callback_err = nil + + ctx = OpenSSL::SSL::SSLContext.new + ctx.verify_hostname = true + ctx.cert_store = OpenSSL::X509::Store.new + ctx.cert_store.add_cert(@ca_cert) + ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER + ctx.verify_callback = -> (preverify_ok, store_ctx) { + verify_callback_ok = preverify_ok + verify_callback_err = store_ctx.error + preverify_ok + } + + begin + sock = TCPSocket.new("127.0.0.1", port) + ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx) + ssl.hostname = "b.example.com" + assert_handshake_error { ssl.connect } + assert_equal false, verify_callback_ok + code_expected = openssl?(1, 0, 2) || defined?(OpenSSL::X509::V_ERR_HOSTNAME_MISMATCH) ? + OpenSSL::X509::V_ERR_HOSTNAME_MISMATCH : + OpenSSL::X509::V_ERR_CERT_REJECTED + assert_equal code_expected, verify_callback_err + ensure + sock&.close + end + end + end + def test_connect_certificate_verify_failed_exception_message start_server(ignore_listener_error: true) { |port| ctx = OpenSSL::SSL::SSLContext.new @@ -1377,11 +1432,16 @@ end ctx.ssl_version = :TLSv1_2 ctx.ciphers = "kRSA" } - start_server(ctx_proc: ctx_proc1) do |port| + start_server(ctx_proc: ctx_proc1, ignore_listener_error: true) do |port| ctx = OpenSSL::SSL::SSLContext.new ctx.ssl_version = :TLSv1_2 ctx.ciphers = "kRSA" - server_connect(port, ctx) { |ssl| assert_nil ssl.tmp_key } + begin + server_connect(port, ctx) { |ssl| assert_nil ssl.tmp_key } + rescue OpenSSL::SSL::SSLError + # kRSA seems disabled + raise unless $!.message =~ /no cipher/ + end end end |