ruby-changes:48521
From: rhe <ko1@a...>
Date: Sat, 4 Nov 2017 15:56:21 +0900 (JST)
Subject: [ruby-changes:48521] rhe:r60636 (trunk): openssl: pull test case from upstream commit 62af0446569a
rhe 2017-11-04 15:56:16 +0900 (Sat, 04 Nov 2017)

  New Revision: 60636

  https://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=60636

  Log:
    openssl: pull test case from upstream commit 62af0446569a

    The test case added by r60310 ("fix OpenSSL::SSL::SSLContext#min_version
    doesn't work", 2017-10-21) does not pass with OpenSSL >= 1.1.0 or
    LibreSSL >= 2.6.0.

    Check that the default 'min_version' value is properly enforced by
    actually attempting a handshake rather than by inspecting the SSL option
    flags.

    [ruby-core:83479] [Bug #14039]

  Modified files:
    trunk/test/openssl/test_ssl.rb

Index: test/openssl/test_ssl.rb =================================================================== --- test/openssl/test_ssl.rb (revision 60635) +++ test/openssl/test_ssl.rb (revision 60636)
@@ -811,31 +811,22 @@ class OpenSSL::TestSSL < OpenSSL::SSLTes https://github.com/ruby/ruby/blob/trunk/test/openssl/test_ssl.rb#L811 supported end - def test_min_version + def test_set_params_min_version supported = check_supported_protocol_versions + store = OpenSSL::X509::Store.new + store.add_cert(@ca_cert) - ctx = OpenSSL::SSL::SSLContext.new - ctx.set_params - orig_options = ctx.options - - ctx.set_params(min_version: 999) - assert_not_equal(ctx.options, orig_options) - - ctx.min_version = :TLSv1_2 - assert_not_equal(0, ctx.options & OpenSSL::SSL::OP_NO_TLSv1) - assert_not_equal(0, ctx.options & OpenSSL::SSL::OP_NO_TLSv1_1) - end - - def test_max_version - supported = check_supported_protocol_versions - - ctx = OpenSSL::SSL::SSLContext.new - ctx.set_params - orig_options = ctx.options - - ctx.max_version = :TLSv1 - assert_not_equal(0, ctx.options & OpenSSL::SSL::OP_NO_TLSv1_1) - assert_not_equal(0, ctx.options & OpenSSL::SSL::OP_NO_TLSv1_2) + if supported.include?(OpenSSL::SSL::SSL3_VERSION) + # SSLContext#set_params properly disables SSL 3.0 by default + ctx_proc = proc { |ctx| + ctx.min_version = ctx.max_version = OpenSSL::SSL::SSL3_VERSION + } + start_server(ctx_proc: ctx_proc, ignore_listener_error: true) { |port| + ctx = OpenSSL::SSL::SSLContext.new + ctx.set_params(cert_store: store, verify_hostname: false) + assert_handshake_error { server_connect(port, ctx) { } } + } + end end def test_minmax_version -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/
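
Review bot: In the new test_set_params_min_version, the only assertion sits inside the "if supported.include?(OpenSSL::SSL::SSL3_VERSION)" branch, so on a build whose library has no SSL 3.0 support the test passes without checking anything; marking the test as skipped in an else branch would make that lack of coverage visible in the results. The assert_handshake_error call also has no positive control: the server is started with ignore_listener_error: true, so a handshake that fails for a reason unrelated to the version floor would satisfy the assertion equally well. A second client context that calls set_params and then explicitly lowers min_version to OpenSSL::SSL::SSL3_VERSION, and is expected to connect, would tie the failure to the default. Separately, test_max_version is deleted with no replacement in this hunk while the log message only discusses min_version; if test_minmax_version (the next method in the context lines) already exercises max_version=, it would help to say so in the log.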