summaryrefslogtreecommitdiff
path: root/test/net/http/test_https.rb
diff options
context:
space:
mode:
Diffstat (limited to 'test/net/http/test_https.rb')
-rw-r--r--test/net/http/test_https.rb211
1 files changed, 112 insertions, 99 deletions
diff --git a/test/net/http/test_https.rb b/test/net/http/test_https.rb
index 660104d048..f5b21b901f 100644
--- a/test/net/http/test_https.rb
+++ b/test/net/http/test_https.rb
@@ -1,14 +1,14 @@
# frozen_string_literal: false
require "test/unit"
+require_relative "utils"
begin
require 'net/https'
- require 'stringio'
- require 'timeout'
- require File.expand_path("utils", File.dirname(__FILE__))
rescue LoadError
# should skip this test
end
+return unless defined?(OpenSSL::SSL)
+
class TestNetHTTPS < Test::Unit::TestCase
include TestNetHTTPUtils
@@ -16,71 +16,52 @@ class TestNetHTTPS < Test::Unit::TestCase
File.read(File.expand_path("../fixtures/#{key}", __dir__))
end
+ HOST = 'localhost'
+ HOST_IP = '127.0.0.1'
CA_CERT = OpenSSL::X509::Certificate.new(read_fixture("cacert.pem"))
SERVER_KEY = OpenSSL::PKey.read(read_fixture("server.key"))
SERVER_CERT = OpenSSL::X509::Certificate.new(read_fixture("server.crt"))
- DHPARAMS = OpenSSL::PKey::DH.new(read_fixture("dhparams.pem"))
TEST_STORE = OpenSSL::X509::Store.new.tap {|s| s.add_cert(CA_CERT) }
CONFIG = {
- 'host' => '127.0.0.1',
+ 'host' => HOST,
'proxy_host' => nil,
'proxy_port' => nil,
'ssl_enable' => true,
'ssl_certificate' => SERVER_CERT,
'ssl_private_key' => SERVER_KEY,
- 'ssl_tmp_dh_callback' => proc { DHPARAMS },
}
def test_get
- http = Net::HTTP.new("localhost", config("port"))
+ http = Net::HTTP.new(HOST, config("port"))
http.use_ssl = true
http.cert_store = TEST_STORE
- certs = []
- http.verify_callback = Proc.new do |preverify_ok, store_ctx|
- certs << store_ctx.current_cert
- preverify_ok
- end
http.request_get("/") {|res|
assert_equal($test_net_http_data, res.body)
+ assert_equal(SERVER_CERT.to_der, http.peer_cert.to_der)
}
- assert_equal(CA_CERT.to_der, certs[0].to_der)
- assert_equal(SERVER_CERT.to_der, certs[1].to_der)
- rescue SystemCallError
- skip $!
end
def test_get_SNI
- http = Net::HTTP.new("localhost", config("port"))
+ http = Net::HTTP.new(HOST, config("port"))
http.ipaddr = config('host')
http.use_ssl = true
http.cert_store = TEST_STORE
- certs = []
- http.verify_callback = Proc.new do |preverify_ok, store_ctx|
- certs << store_ctx.current_cert
- preverify_ok
- end
http.request_get("/") {|res|
assert_equal($test_net_http_data, res.body)
+ assert_equal(SERVER_CERT.to_der, http.peer_cert.to_der)
}
- assert_equal(CA_CERT.to_der, certs[0].to_der)
- assert_equal(SERVER_CERT.to_der, certs[1].to_der)
end
def test_get_SNI_proxy
- TCPServer.open("127.0.0.1", 0) {|serv|
+ TCPServer.open(HOST_IP, 0) {|serv|
_, port, _, _ = serv.addr
client_thread = Thread.new {
- proxy = Net::HTTP.Proxy("127.0.0.1", port, 'user', 'password')
+ proxy = Net::HTTP.Proxy(HOST_IP, port, 'user', 'password')
http = proxy.new("foo.example.org", 8000)
http.ipaddr = "192.0.2.1"
http.use_ssl = true
http.cert_store = TEST_STORE
- certs = []
- http.verify_callback = Proc.new do |preverify_ok, store_ctx|
- certs << store_ctx.current_cert
- preverify_ok
- end
begin
http.start
rescue EOFError
@@ -108,78 +89,68 @@ class TestNetHTTPS < Test::Unit::TestCase
def test_get_SNI_failure
TestNetHTTPUtils.clean_http_proxy_env do
- http = Net::HTTP.new("invalid_servername", config("port"))
+ http = Net::HTTP.new("invalidservername", config("port"))
http.ipaddr = config('host')
http.use_ssl = true
http.cert_store = TEST_STORE
- certs = []
- http.verify_callback = Proc.new do |preverify_ok, store_ctx|
- certs << store_ctx.current_cert
- preverify_ok
- end
@log_tester = lambda {|_| }
assert_raise(OpenSSL::SSL::SSLError){ http.start }
end
end
def test_post
- http = Net::HTTP.new("localhost", config("port"))
+ http = Net::HTTP.new(HOST, config("port"))
http.use_ssl = true
http.cert_store = TEST_STORE
data = config('ssl_private_key').to_der
http.request_post("/", data, {'content-type' => 'application/x-www-form-urlencoded'}) {|res|
assert_equal(data, res.body)
}
- rescue SystemCallError
- skip $!
end
def test_session_reuse
- # FIXME: The new_session_cb is known broken for clients in OpenSSL 1.1.0h.
- # See https://github.com/openssl/openssl/pull/5967 for details.
- skip if OpenSSL::OPENSSL_LIBRARY_VERSION =~ /OpenSSL 1.1.0h/
-
- http = Net::HTTP.new("localhost", config("port"))
+ http = Net::HTTP.new(HOST, config("port"))
http.use_ssl = true
http.cert_store = TEST_STORE
+ if OpenSSL::OPENSSL_LIBRARY_VERSION =~ /LibreSSL (\d+\.\d+)/ && $1.to_f > 3.19
+ # LibreSSL 3.2 defaults to TLSv1.3 in server and client, which doesn't currently
+ # support session resuse. Limiting the version to the TLSv1.2 stack allows
+ # this test to continue to work on LibreSSL 3.2+. LibreSSL may eventually
+ # support session reuse, but there are no current plans to do so.
+ http.ssl_version = :TLSv1_2
+ end
+
http.start
+ session_reused = http.instance_variable_get(:@socket).io.session_reused?
+ assert_false session_reused unless session_reused.nil? # can not detect re-use under JRuby
http.get("/")
http.finish
http.start
- http.get("/")
-
- socket = http.instance_variable_get(:@socket).io
- assert_equal true, socket.session_reused?
-
+ session_reused = http.instance_variable_get(:@socket).io.session_reused?
+ assert_true session_reused unless session_reused.nil? # can not detect re-use under JRuby
+ assert_equal $test_net_http_data, http.get("/").body
http.finish
- rescue SystemCallError
- skip $!
end
def test_session_reuse_but_expire
- # FIXME: The new_session_cb is known broken for clients in OpenSSL 1.1.0h.
- skip if OpenSSL::OPENSSL_LIBRARY_VERSION =~ /OpenSSL 1.1.0h/
-
- http = Net::HTTP.new("localhost", config("port"))
+ http = Net::HTTP.new(HOST, config("port"))
http.use_ssl = true
http.cert_store = TEST_STORE
- http.ssl_timeout = -1
+ http.ssl_timeout = 1
http.start
http.get("/")
http.finish
-
+ sleep 1.25
http.start
http.get("/")
socket = http.instance_variable_get(:@socket).io
- assert_equal false, socket.session_reused?
+ assert_equal false, socket.session_reused?, "NOTE: OpenSSL library version is #{OpenSSL::OPENSSL_LIBRARY_VERSION}"
http.finish
- rescue SystemCallError
- skip $!
end
if ENV["RUBY_OPENSSL_TEST_ALL"]
@@ -194,32 +165,30 @@ class TestNetHTTPS < Test::Unit::TestCase
end
def test_verify_none
- http = Net::HTTP.new("localhost", config("port"))
+ http = Net::HTTP.new(HOST, config("port"))
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
http.request_get("/") {|res|
assert_equal($test_net_http_data, res.body)
}
- rescue SystemCallError
- skip $!
end
- def test_skip_hostname_verfiction
+ def test_skip_hostname_verification
TestNetHTTPUtils.clean_http_proxy_env do
- http = Net::HTTP.new('invalid_servername', config('port'))
+ http = Net::HTTP.new('invalidservername', config('port'))
http.ipaddr = config('host')
http.use_ssl = true
http.cert_store = TEST_STORE
http.verify_hostname = false
assert_nothing_raised { http.start }
ensure
- http&.finish
+ http.finish if http&.started?
end
end
def test_fail_if_verify_hostname_is_true
TestNetHTTPUtils.clean_http_proxy_env do
- http = Net::HTTP.new('invalid_servername', config('port'))
+ http = Net::HTTP.new('invalidservername', config('port'))
http.ipaddr = config('host')
http.use_ssl = true
http.cert_store = TEST_STORE
@@ -230,47 +199,37 @@ class TestNetHTTPS < Test::Unit::TestCase
end
def test_certificate_verify_failure
- http = Net::HTTP.new("localhost", config("port"))
+ http = Net::HTTP.new(HOST, config("port"))
http.use_ssl = true
ex = assert_raise(OpenSSL::SSL::SSLError){
- begin
- http.request_get("/") {|res| }
- rescue SystemCallError
- skip $!
- end
+ http.request_get("/") {|res| }
}
assert_match(/certificate verify failed/, ex.message)
- unless /mswin|mingw/ =~ RUBY_PLATFORM
- # on Windows, Errno::ECONNRESET will be raised, and it'll be eaten by
- # WEBrick
- @log_tester = lambda {|log|
- assert_equal(1, log.length)
- assert_match(/ERROR OpenSSL::SSL::SSLError:/, log[0])
- }
- end
end
- def test_identity_verify_failure
- # the certificate's subject has CN=localhost
- http = Net::HTTP.new("127.0.0.1", config("port"))
+ def test_verify_callback
+ http = Net::HTTP.new(HOST, config("port"))
http.use_ssl = true
http.cert_store = TEST_STORE
- @log_tester = lambda {|_| }
- ex = assert_raise(OpenSSL::SSL::SSLError){
- http.request_get("/") {|res| }
+ certs = []
+ http.verify_callback = Proc.new {|preverify_ok, store_ctx|
+ certs << store_ctx.current_cert
+ preverify_ok
}
- re_msg = /certificate verify failed|hostname \"127.0.0.1\" does not match/
- assert_match(re_msg, ex.message)
+ http.request_get("/") {|res|
+ assert_equal($test_net_http_data, res.body)
+ }
+ assert_equal(SERVER_CERT.to_der, certs.last.to_der)
end
def test_timeout_during_SSL_handshake
bug4246 = "expected the SSL connection to have timed out but have not. [ruby-core:34203]"
# listen for connections... but deliberately do not complete SSL handshake
- TCPServer.open('localhost', 0) {|server|
+ TCPServer.open(HOST, 0) {|server|
port = server.addr[1]
- conn = Net::HTTP.new('localhost', port)
+ conn = Net::HTTP.new(HOST, port)
conn.use_ssl = true
conn.read_timeout = 0.01
conn.open_timeout = 0.01
@@ -285,7 +244,7 @@ class TestNetHTTPS < Test::Unit::TestCase
end
def test_min_version
- http = Net::HTTP.new("localhost", config("port"))
+ http = Net::HTTP.new(HOST, config("port"))
http.use_ssl = true
http.min_version = :TLS1
http.cert_store = TEST_STORE
@@ -295,18 +254,72 @@ class TestNetHTTPS < Test::Unit::TestCase
end
def test_max_version
- http = Net::HTTP.new("127.0.0.1", config("port"))
+ http = Net::HTTP.new(HOST, config("port"))
http.use_ssl = true
http.max_version = :SSL2
- http.verify_callback = Proc.new do |preverify_ok, store_ctx|
- true
- end
+ http.cert_store = TEST_STORE
@log_tester = lambda {|_| }
ex = assert_raise(OpenSSL::SSL::SSLError){
http.request_get("/") {|res| }
}
- re_msg = /\ASSL_connect returned=1 errno=0 |SSL_CTX_set_max_proto_version/
+ re_msg = /\ASSL_connect returned=1 errno=0 |SSL_CTX_set_max_proto_version|No appropriate protocol/
assert_match(re_msg, ex.message)
end
-end if defined?(OpenSSL::SSL)
+ def test_ractor
+ assert_ractor(<<~RUBY, require: 'net/https')
+ expected = #{$test_net_http_data.dump}.b
+ ret = Ractor.new {
+ host = #{HOST.dump}
+ port = #{config('port')}
+ ca_cert_pem = #{CA_CERT.to_pem.dump}
+ cert_store = OpenSSL::X509::Store.new.tap { |s|
+ s.add_cert(OpenSSL::X509::Certificate.new(ca_cert_pem))
+ }
+ Net::HTTP.start(host, port, use_ssl: true, cert_store: cert_store) { |http|
+ res = http.get('/')
+ res.body
+ }
+ }.value
+ assert_equal expected, ret
+ RUBY
+ end if defined?(Ractor) && Ractor.method_defined?(:value)
+end
+
+class TestNetHTTPSIdentityVerifyFailure < Test::Unit::TestCase
+ include TestNetHTTPUtils
+
+ def self.read_fixture(key)
+ File.read(File.expand_path("../fixtures/#{key}", __dir__))
+ end
+
+ HOST = 'localhost'
+ HOST_IP = '127.0.0.1'
+ CA_CERT = OpenSSL::X509::Certificate.new(read_fixture("cacert.pem"))
+ SERVER_KEY = OpenSSL::PKey.read(read_fixture("server.key"))
+ SERVER_CERT = OpenSSL::X509::Certificate.new(read_fixture("server.crt"))
+ TEST_STORE = OpenSSL::X509::Store.new.tap {|s| s.add_cert(CA_CERT) }
+
+ CONFIG = {
+ 'host' => HOST_IP,
+ 'proxy_host' => nil,
+ 'proxy_port' => nil,
+ 'ssl_enable' => true,
+ 'ssl_certificate' => SERVER_CERT,
+ 'ssl_private_key' => SERVER_KEY,
+ }
+
+ def test_identity_verify_failure
+ # the certificate's subject has CN=localhost
+ http = Net::HTTP.new(HOST_IP, config("port"))
+ http.use_ssl = true
+ http.cert_store = TEST_STORE
+ @log_tester = lambda {|_| }
+ ex = assert_raise(OpenSSL::SSL::SSLError){
+ http.request_get("/") {|res| }
+ sleep 0.5
+ }
+ re_msg = /certificate verify failed|hostname \"#{HOST_IP}\" does not match/
+ assert_match(re_msg, ex.message)
+ end
+end
generated by cgit v1.2.3 (git 2.25.1) at 2026-01-19 07:21:23 +0000