Diffstat (limited to 'test')
-rw-r--r--test/openssl/test_ssl.rb14
-rw-r--r--test/openssl/utils.rb2
2 files changed, 16 insertions, 0 deletions
diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb
index bae3dcfc2f..aa61e385d5 100644
--- a/test/openssl/test_ssl.rb
+++ b/test/openssl/test_ssl.rb
@@ -284,6 +284,20 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
}
end
+ def test_post_connect_check_with_anon_ciphers
+ sslerr = OpenSSL::SSL::SSLError
+
+ start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true, {use_anon_cipher: true}){|server, port|
+ ctx = OpenSSL::SSL::SSLContext.new
+ ctx.ciphers = "aNULL"
+ server_connect(port, ctx) { |ssl|
+ msg = "Peer verification enabled, but no certificate received. Anonymous cipher suite " \
+ "ADH-AES256-GCM-SHA384 was negotiated. Anonymous suites must be disabled to use peer verification."
+ assert_raise_with_message(sslerr,msg){ssl.post_connection_check("localhost.localdomain")}
+ }
+ }
+ end
+
def test_post_connection_check
sslerr = OpenSSL::SSL::SSLError
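Review bot: The expected message in `test_post_connect_check_with_anon_ciphers` pins the suite name `ADH-AES256-GCM-SHA384`, which is also hard-coded on the server side in `start_server` (test/openssl/utils.rb), so the test passes only where that exact anonymous suite is available and negotiated. On a library built without anonymous or GCM suites the handshake would presumably fail, and the test would error rather than be skipped. Building the message from the negotiated suite, e.g. `"... Anonymous cipher suite #{ssl.cipher[0]} was negotiated. ..."`, removes the duplicated string. Adding `assert_nil ssl.peer_cert` before the check would also state the precondition being tested: `post_connection_check` must refuse a connection that has no authenticated peer.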
diff --git a/test/openssl/utils.rb b/test/openssl/utils.rb
index ba9714b3fc..da281610b6 100644
--- a/test/openssl/utils.rb
+++ b/test/openssl/utils.rb
@@ -259,6 +259,7 @@ AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC
def start_server(port0, verify_mode, start_immediately, args = {}, &block)
ctx_proc = args[:ctx_proc]
+ use_anon_cipher = args.fetch(:use_anon_cipher, false)
server_proc = args[:server_proc]
server_proc ||= method(:readwrite_loop)
@@ -266,6 +267,7 @@ AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC
store.add_cert(@ca_cert)
store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
ctx = OpenSSL::SSL::SSLContext.new
+ ctx.ciphers = "ADH-AES256-GCM-SHA384" if use_anon_cipher
ctx.cert_store = store
#ctx.extra_chain_cert = [ ca_cert ]
ctx.cert = @svr_cert
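Review bot: The added `ctx.ciphers = "ADH-AES256-GCM-SHA384" if use_anon_cipher` line turns off server authentication for the connection, and nothing in the helper says so. The certificate assigned just below is still configured but would not be presented with an anonymous suite. A comment such as `# test-only: anonymous DH gives no server authentication; exercises the no-peer-certificate path` would make the intent explicit and discourage copying the setting elsewhere. `start_server`'s body continues outside the hunk, so any existing description of its `args` keys is not visible here; if there is one, `:use_anon_cipher` should be added to it.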