3 files changed, 40 insertions, 25 deletions

diff --git a/test/openssl/ssl_server.rb b/test/openssl/ssl_server.rb
index 5e1303379f..6e620629c5 100644
--- a/test/openssl/ssl_server.rb
+++ b/test/openssl/ssl_server.rb
@@ -64,7 +64,7 @@ $stdout.puts Process.pid
 $stdout.puts port
 
 loop do
-  ssl = ssls.accept
+  ssl = ssls.accept rescue next
   Thread.start{
     q = Queue.new
     th = Thread.start{ ssl.write(q.shift) while true }
diff --git a/test/openssl/test_pair.rb b/test/openssl/test_pair.rb
index 2b48471d86..7273554362 100644
--- a/test/openssl/test_pair.rb
+++ b/test/openssl/test_pair.rb
@@ -16,31 +16,8 @@ module SSLPair
   def server
     host = "127.0.0.1"
     port = 0
-    key = OpenSSL::PKey::RSA.new(512)
-    cert = OpenSSL::X509::Certificate.new
-    cert.version = 2
-    cert.serial = 0
-    name = OpenSSL::X509::Name.new([["C","JP"],["O","TEST"],["CN","localhost"]])
-    cert.subject = name
-    cert.issuer = name
-    cert.not_before = Time.now
-    cert.not_after = Time.now + 3600
-    cert.public_key = key.public_key
-    ef = OpenSSL::X509::ExtensionFactory.new(nil,cert)
-    cert.extensions = [
-      ef.create_extension("basicConstraints","CA:FALSE"),
-      ef.create_extension("subjectKeyIdentifier","hash"),
-      ef.create_extension("extendedKeyUsage","serverAuth"),
-      ef.create_extension("keyUsage",
-                          "keyEncipherment,dataEncipherment,digitalSignature")
-    ]
-    ef.issuer_certificate = cert
-    cert.add_extension ef.create_extension("authorityKeyIdentifier",
-                                           "keyid:always,issuer:always")
-    cert.sign(key, OpenSSL::Digest::SHA1.new)
     ctx = OpenSSL::SSL::SSLContext.new()
-    ctx.key = key
-    ctx.cert = cert
+    ctx.ciphers = "ADH"
     tcps = TCPServer.new(host, port)
     ssls = OpenSSL::SSL::SSLServer.new(tcps, ctx)
     return ssls
@@ -49,6 +26,7 @@ module SSLPair
   def client(port)
     host = "127.0.0.1"
     ctx = OpenSSL::SSL::SSLContext.new()
+    ctx.ciphers = "ADH"
     s = TCPSocket.new(host, port)
     ssl = OpenSSL::SSL::SSLSocket.new(s, ctx)
     ssl.connect
diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb
index abc9859484..e80f32f234 100644
--- a/test/openssl/test_ssl.rb
+++ b/test/openssl/test_ssl.rb
@@ -151,6 +151,43 @@ class OpenSSL::TestSSL < Test::Unit::TestCase
     }
   end
 
+  def test_client_auth
+    vflag = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
+    start_server(PORT, vflag, true){|s, p|
+      assert_raises(OpenSSL::SSL::SSLError){
+        sock = TCPSocket.new("127.0.0.1", p)
+        ssl = OpenSSL::SSL::SSLSocket.new(sock)
+        ssl.connect
+      }
+
+      ctx = OpenSSL::SSL::SSLContext.new
+      ctx.key = @cli_key
+      ctx.cert = @cli_cert
+      sock = TCPSocket.new("127.0.0.1", p)
+      ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
+      ssl.sync_close = true
+      ssl.connect
+      ssl.puts("foo")
+      assert_equal("foo\n", ssl.gets)
+      ssl.close
+
+      called = nil
+      ctx = OpenSSL::SSL::SSLContext.new
+      ctx.client_cert_cb = Proc.new{|ssl|
+        called = true
+        [@cli_cert, @cli_key]
+      }
+      sock = TCPSocket.new("127.0.0.1", p)
+      ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
+      ssl.sync_close = true
+      ssl.connect
+      assert(called)
+      ssl.puts("foo")
+      assert_equal("foo\n", ssl.gets)
+      ssl.close
+    }
+  end
+
   def test_starttls
     start_server(PORT, OpenSSL::SSL::VERIFY_NONE, false){|s, p|
       sock = TCPSocket.new("127.0.0.1", p)