ruby-changes:52036
From: rhe <ko1@a...>
Date: Thu, 9 Aug 2018 19:00:25 +0900 (JST)
Subject: [ruby-changes:52036] rhe:r64252 (trunk): net/http, net/ftp: skip SSL/TLS session resumption tests
rhe 2018-08-09 19:00:19 +0900 (Thu, 09 Aug 2018)

New Revision: 64252

https://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=64252

Log:
net/http, net/ftp: skip SSL/TLS session resumption tests

Due to a bug in OpenSSL 1.1.0h[1] (it's only in this specific version; it was introduced just before the release and is already fixed in their stable branch), the callback set by SSLContext#session_new_cb= does not get called for clients, making net/http and net/ftp not attempt session resumption.

Let's disable the affected test cases for now.

Another option would be to fall back to using SSLSocket#session as we did before r64234. But since only a single version is affected and hopefully a new stable version containing the fix will be released in the near future, I chose not to add such workaround code to lib/.

[1] https://github.com/openssl/openssl/pull/5967

Modified files:
trunk/test/net/ftp/test_ftp.rb
trunk/test/net/http/test_https.rb

Index: test/net/ftp/test_ftp.rb =================================================================== --- test/net/ftp/test_ftp.rb (revision 64251) +++ test/net/ftp/test_ftp.rb (revision 64252) @@ -1755,6 +1755,7 @@ EOF https://github.com/ruby/ruby/blob/trunk/test/net/ftp/test_ftp.rb#L1755 server = TCPServer.new(SERVER_ADDR, 0) port = server.addr[1] commands = [] + session_reused_for_data_connection = nil binary_data = (0..0xff).map {|i| i.chr}.join * 4 * 3 @thread = Thread.start do sock = server.accept @@ -1793,6 +1794,7 @@ EOF https://github.com/ruby/ruby/blob/trunk/test/net/ftp/test_ftp.rb#L1794 conn = OpenSSL::SSL::SSLSocket.new(conn, ctx) conn.sync_close = true conn.accept + session_reused_for_data_connection = conn.session_reused? binary_data.scan(/.{1,1024}/nm) do |s| conn.print(s) end 
@@ -1823,6 +1825,11 @@ EOF https://github.com/ruby/ruby/blob/trunk/test/net/ftp/test_ftp.rb#L1825 assert_match(/\A(PORT|EPRT) /, commands.shift) assert_equal("RETR foo\r\n", commands.shift) assert_equal(nil, commands.shift) + # FIXME: The new_session_cb is known broken for clients in OpenSSL 1.1.0h. + # See https://github.com/openssl/openssl/pull/5967 for details. + if OpenSSL::OPENSSL_LIBRARY_VERSION !~ /OpenSSL 1.1.0h/ + assert_equal(true, session_reused_for_data_connection) + end ensure ftp.close end @@ -1832,6 +1839,7 @@ EOF https://github.com/ruby/ruby/blob/trunk/test/net/ftp/test_ftp.rb#L1839 server = TCPServer.new(SERVER_ADDR, 0) port = server.addr[1] commands = [] + session_reused_for_data_connection = nil binary_data = (0..0xff).map {|i| i.chr}.join * 4 * 3 @thread = Thread.start do sock = server.accept @@ -1869,6 +1877,7 @@ EOF https://github.com/ruby/ruby/blob/trunk/test/net/ftp/test_ftp.rb#L1877 conn = OpenSSL::SSL::SSLSocket.new(conn, ctx) conn.sync_close = true conn.accept + session_reused_for_data_connection = conn.session_reused? binary_data.scan(/.{1,1024}/nm) do |s| conn.print(s) end @@ -1900,6 +1909,10 @@ EOF https://github.com/ruby/ruby/blob/trunk/test/net/ftp/test_ftp.rb#L1909 assert_match(/\A(PASV|EPSV)\r\n/, commands.shift) assert_equal("RETR foo\r\n", commands.shift) assert_equal(nil, commands.shift) + # FIXME: The new_session_cb is known broken for clients in OpenSSL 1.1.0h. + if OpenSSL::OPENSSL_LIBRARY_VERSION !~ /OpenSSL 1.1.0h/ + assert_equal(true, session_reused_for_data_connection) + end ensure ftp.close end Index: test/net/http/test_https.rb =================================================================== --- test/net/http/test_https.rb (revision 64251) +++ test/net/http/test_https.rb (revision 64252) 
@@ -63,6 +63,10 @@ class TestNetHTTPS < Test::Unit::TestCas https://github.com/ruby/ruby/blob/trunk/test/net/http/test_https.rb#L63 end def test_session_reuse + # FIXME: The new_session_cb is known broken for clients in OpenSSL 1.1.0h. + # See https://github.com/openssl/openssl/pull/5967 for details. + skip if OpenSSL::OPENSSL_LIBRARY_VERSION =~ /OpenSSL 1.1.0h/ + http = Net::HTTP.new("localhost", config("port")) http.use_ssl = true http.cert_store = TEST_STORE @@ -83,6 +87,9 @@ class TestNetHTTPS < Test::Unit::TestCas https://github.com/ruby/ruby/blob/trunk/test/net/http/test_https.rb#L87 end def test_session_reuse_but_expire + # FIXME: The new_session_cb is known broken for clients in OpenSSL 1.1.0h. + skip if OpenSSL::OPENSSL_LIBRARY_VERSION =~ /OpenSSL 1.1.0h/ + http = Net::HTTP.new("localhost", config("port")) http.use_ssl = true http.cert_store = TEST_STORE -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/
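Review bot: In test_ftp.rb at @@ -1823,6 +1825,11 @@, the guard `if OpenSSL::OPENSSL_LIBRARY_VERSION !~ /OpenSSL 1.1.0h/` drops the session-reuse assertion silently, so on 1.1.0h the test is reported as passed with nothing in the output to show that resumption on the data connection went unchecked. Consider emitting a message on the guarded path so the gap is visible in test logs. The dots in the pattern are also unescaped and match any character; `/OpenSSL 1\.1\.0h/` states the intent exactly.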
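Review bot: In test_ftp.rb at @@ -1900,6 +1909,10 @@, the FIXME comment omits the `See https://github.com/openssl/openssl/pull/5967 for details.` line that the first copy carries, and the version check is now duplicated across both FTP tests. A small shared helper in the test file holding the check and the reference would keep the two in step and make the later revert a one-place change. Separately, `session_reused_for_data_connection` starts as `nil` and is only set after `conn.accept` inside the `Thread.start` block, so if the server side never reaches that line the failure reads as "expected true, got nil"; a message argument on `assert_equal` would make that case easier to diagnose.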
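Review bot: In test_https.rb, both `skip if OpenSSL::OPENSSL_LIBRARY_VERSION =~ /OpenSSL 1.1.0h/` lines (in test_session_reuse and test_session_reuse_but_expire) call `skip` without a reason, so the test report shows a skip but not why. Pass a reason string that names the OpenSSL version and the upstream pull request, and escape the dots in the pattern as `/OpenSSL 1\.1\.0h/`. The comment in test_session_reuse_but_expire also lacks the pull request link that the one in test_session_reuse has.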