| Age | Commit message (Collapse) | Author |
|---|
|
RFC 6066, section 3, explicitly disallows the use of an IP address
as an SNI server name. So check if the connection is being made
to an IP address using the resolv regexps, and do not set an SNI
hostname in that case.
Recent changes to LibreSSL make it more strictly follow RFC 6066,
resulting an s.hostname= raising an error if passed an IP address.
When such verions of LibreSSL are used, this change not only fixes
the net/http tests, it also fixes tests for webrick and open-uri,
which both make SSL connections to 127.0.0.1 using net/http in
their tests.
Avoid warning in the openssl extension by unsetting
@ssl_context.verify_hostname if connecting to an IP address.
Make changes so that the post_connection_check still happens
when connecting to an IP address, which is necessary to keep
checking that the certificate returned includes the IP address,
which one of the tests depends on.
Revert the previous change that modified the regexp used for
checking the error message.
https://github.com/ruby/net-http/commit/fa68e64bee
|
|
Use `include?` instead.
https://github.com/ruby/net-http/commit/05022744a9
|
|
https://github.com/ruby/net-http/commit/843d4548de
|
|
Server Name Indication does not allow IP addresses (RFC 6066, section 3:
`Literal IPv4 and IPv6 addresses are not permitted in "HostName".`).
Recent versions of LibreSSL enforce this restriction, which raises
when setting the hostname to an IP address (s.hostname=), before
attempting to setup the SSL connection.
Since the certificate used in the test is already for localhost,
we cannot connect to localhost. However, as all the test does is
check for a specific exception, just modify the regexp used so it
handles both cases.
https://github.com/ruby/net-http/commit/6ab399db45
|
|
Notes:
Merged: https://github.com/ruby/ruby/pull/4424
|
|
|
|
The expected certs must be `[CA_CERT, SERVER_CERT]` before 1.1.1g and
`[SERVER_CERT]` after 1.1.1h.
|
|
... depending upon the environment.
|
|
On some environments that uses OpenSSL 1.1.1h, the two tests now fail.
http://rubyci.s3.amazonaws.com/android29-x86_64/ruby-master/log/20200924T062352Z.fail.html.gz
https://github.com/ruby/ruby/runs/1159288773?check_suite_focus=true
```
1) Failure:
TestNetHTTPS#test_get [/data/data/com.termux/files/home/cb/tmp/build/20200924T062352Z/ruby/test/net/http/test_https.rb:47]:
<"0\x82\x03\xED0\x82\x02\xD5\xA0\x03..."> expected but was
<"0\x82\x03\xE30\x82\x02\xCB\xA0\x03...">.
```
Not sure why, but verify_callback now seems to receive only SERVER_CERT
but not CA_CERT.
It would be good to investigate the issue furthermore, but tentatively,
I want to stop the failures.
|
|
https://github.com/ruby/net-http/commit/5ae9620fbc
|
|
invalid_servername is not a valid name in an SSL request due to
the use of the underscore, and LibreSSL 3.2.0 will raise an
exception for this. These tests are not testing the allowed
characters in the server name, but how net/http handles cases where
the server name provided does not match the IP address you are
trying to connect to, so I think it's better to just modify the
tests to use a correct format.
While here, fix a typo in a test name, and use better code in the
ensure block so the same test doesn't issue both a failure and an
error.
https://github.com/ruby/net-http/commit/0e8dc91120
|
|
|
|
test/net/http/test_https.rb: rename fixture methods to read_fixture
because it conflicts with test-unit gem.
|
|
According to https://github.com/ruby/openssl/pull/60,
> Currently an user who wants to do the hostname verification needs to
call SSLSocket#post_connection_check explicitly after the TLS connection
is established.
if an user who wants to skip the hostname verification,
SSLSocket#post_connection_check doesn't need to be called
https://bugs.ruby-lang.org/issues/16555
|
|
54072e329cab7207fba133caba4fc12b45add8f9
|
|
Because the test fails under HTTP proxy settings.
https://rubyci.org/logs/rubyci.s3.amazonaws.com/solaris10-gcc/ruby-master/log/20191210T000004Z.fail.html.gz
```
1) Failure:
TestNetHTTPS#test_get_SNI_failure [/export/home/users/chkbuild/cb-gcc/tmp/build/20191210T000004Z/ruby/test/net/http/test_https.rb:81]:
[OpenSSL::SSL::SSLError] exception expected, not #<Net::HTTPServerException: 403 "Forbidden">.
```
The new SNI feature introduced at 54072e329c may need to be improved for
HTTP proxy environment.
|
|
to replace the address for TCP/IP connection [Feature #5180]
There're 3 layers of hostname:
* host address for TCP/IP
* TLS server name
* HTTP Host header value
To test DNS round robin or check server certificate from server local,
people sometimes want to connect server with given IP address but keep
TLS server name and HTTP Host header value.
closes [Feature #15215]
closes https://github.com/ruby/ruby/pull/1893
closes https://github.com/ruby/ruby/pull/1977
|
|
Due to a bug in OpenSSL 1.1.0h[1] (it's only in this specific version;
it was introduced just before the release and is already fixed in their
stable branch), the callback set by SSLContext#session_new_cb= does not
get called for clients, making net/http and net/ftp not attempt session
resumption.
Let's disable the affected test cases for now. Another option would be
to fallback to using SSLSocket#session as we did before r64234. But
since only a single version is affected and hopefully a new stable
version containing the fix will be released in near future, I chose not
to add such workaround code to lib/.
[1] https://github.com/openssl/openssl/pull/5967
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@64252 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
When TLS 1.3 is in use, the session ticket may not have been sent yet
even though a handshake has finished. Also, the ticket could change if
multiple session ticket messages are sent by the server. Use
SSLContext#session_new_cb instead of calling SSLSocket#session
immediately after a handshake. This way also works with earlier protocol
versions.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@64234 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
And adapt a net/http test to their old behavior. [ruby-core:83491]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@60906 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
https://github.com/ruby/ruby/commit/d02211c9da608742b09aec768db79442007eabc0#commitcomment-25119729
From: MSP-Greg <MSP-Greg@users.noreply.github.com>
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@60380 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@60316 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
This reverts commit r60314.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@60315 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@60314 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@60313 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
Set SSL minimum/maximum version.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@60311 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
Make test code independent of test/openssl/utils.rb. The development of
openssl library has moved to a separate repository and
OpenSSL::TestUtils may be modified at any time.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56934 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
When you change this to true, you may need to add more tests.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@53141 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* test/net/http/test_https.rb (TestNetHTTPS): also depends on
test/openssl/utils.rb
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@48824 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
(TestNetHTTPS#test_certificate_verify_failure): on Windows,
Errno::ECONNRESET will be raised when the verify is failure at the
client side, and it'll be eaten by WEBrick.
* test/open-uri/test_ssl.rb (TestOpenURISSL#test_validation_failure):
ditto.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@48751 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@48581 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* test/net/http: Ditto.
* test/open-uri: Ditto.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@48341 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@48332 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@47071 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@46261 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
avoid reusing an allocated port.
* test/net/http/test_http.rb: Don't specify port here.
* test/net/http/test_https.rb: Ditto.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@43721 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@36877 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
is not (always) 127.0.0.1. Don't expect that.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@36543 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
single instance to speed up connection. [Feature #5341]
* NEWS: ditto
* test/net/http/test_https.rb: Tests for #5341
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@36528 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35495 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* lib/net/pop.rb: Modernize Timeout usage. Patch by Eric Wong.
Use Net::OpenTimeout instead of Timeout::Error. [Bug #5765]
* lib/net/http.rb: ditto
* lib/net/smtp.rb: ditto
* lib/net/telnet.rb: ditto
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@34843 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
Introduce OpenTimeout subclass of Timeout::Error. [Bug #6001]
* test/net/http/test_http.rb: Reduce timeout to 0.01s for faster test
* test/net/http/test_https.rb: ditto
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@34842 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
(TestNetHTTP_version_1_1_methods#test_timeout_during_HTTP_session):
If you connect to localhost, you should listen localhost.
* test/net/http/test_https.rb (TestNetHTTPS#test_timeout_during_SSL_handshake):
ditto.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32806 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@30915 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
SSL handshake too. [ruby-core:34203]
Patch by Marc Slemko.
* test/net/http/test_http.rb (TestNetHTTP_v1_2#test_timeout_during_HTTP_session):
test for [ruby-core:34203]
* test/net/http/test_https.rb (TestNetHTTPS#test_timeout_during_SSL_handshake):
ditto.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@30520 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
guaranteed to be resolved as 127.0.0.1. But a SSL
certificate needs a socket to listen on a specific address
where a CN resolves to. On situations where localhost is
not 127.0.0.1, these tests are not possible.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@29350 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
the SSL hostname check error message of openssl.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@29202 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@14551 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/lib/net/ssl.rb (OpenSSL::SSL::SSLContext#set_params):
new method to set suitable SSL parameters.
* lib/net/pop.rb, lib/net/http.rb, lib/net/imap.rb,
test/openssl/test_ssl.rb: follow above change.
* test/net/http/test_https.rb: refine error case.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@14479 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
OpenSSL::SSL::SSLContext.build instead of SSLContext.new (default
verify mode is now OpenSSL::SSL::VERIFY_PEER).
* lib/net/https.rb: SSL parameters are defined by attr_accessor.
* test/net/http/test_https.rb: add test for HTTPS features.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@14371 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
