ruby-changes:61243
From: Kazuki <ko1@a...>
Date: Wed, 13 May 2020 15:48:26 +0900 (JST)
Subject: [ruby-changes:61243] cc26638cae (master): [ruby/openssl] ssl: temporarily remove SSLContext#add_certificate_chain_file
https://git.ruby-lang.org/ruby.git/commit/?id=cc26638cae From cc26638cae385a497a3e6b6ad667292819cda938 Mon Sep 17 00:00:00 2001 From: Kazuki Yamaguchi <k@r...> Date: Wed, 13 May 2020 14:33:06 +0900 Subject: [ruby/openssl] ssl: temporarily remove SSLContext#add_certificate_chain_file Let's revert the changes for now, as it cannot be included in the 2.2.0 release. My comment on #257: > A blocker is OpenSSL::SSL::SSLContext#add_certificate_chain_file. It > has a pending change and I don't want to include it in an incomplete > state. > > The initial implementation in commit 46e4bdba40c5 was not really > useful. The issue is described in #305. #309 extended it > to take the corresponding private key together. However, the new > implementation was incompatible on Windows and was reverted by #320 to > the initial one. > > (The prerequisite to implement it in) an alternative way is #288, and > it's still cooking. This effectively reverts the following commits: - dacd08937ccd ("ssl: suppress test failure with SSLContext#add_certificate_chain_file", 2020-03-09) - 46e4bdba40c5 ("Add support for SSL_CTX_use_certificate_chain_file. Fixes #254.", 2019-06-13) https://github.com/ruby/openssl/commit/ea925619a9 diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c index 337ce5d..fe2e85b 100644 --- a/ext/openssl/ossl_ssl.c +++ b/ext/openssl/ossl_ssl.c @@ -1329,21 +1329,6 @@ ossl_sslctx_add_certificate(int argc, VALUE *argv, VALUE self) https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl_ssl.c#L1329 return self; } -static VALUE -ossl_sslctx_add_certificate_chain_file(VALUE self, VALUE path) -{ - SSL_CTX *ctx; - int ret; - - GetSSLCTX(self, ctx); - StringValueCStr(path); - ret = SSL_CTX_use_certificate_chain_file(ctx, RSTRING_PTR(path)); - if (ret != 1) - ossl_raise(eSSLError, "SSL_CTX_use_certificate_chain_file"); - - return Qtrue; -} - /* * call-seq: * ctx.session_add(session) -> true | false @@ -2795,7 +2780,6 @@ Init_ossl_ssl(void) https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl_ssl.c#L2780 rb_define_method(cSSLContext, "enable_fallback_scsv", ossl_sslctx_enable_fallback_scsv, 0); #endif rb_define_method(cSSLContext, "add_certificate", ossl_sslctx_add_certificate, -1); - rb_define_method(cSSLContext, "add_certificate_chain_file", ossl_sslctx_add_certificate_chain_file, 1); rb_define_method(cSSLContext, "setup", ossl_sslctx_setup, 0); rb_define_alias(cSSLContext, "freeze", "setup"); diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb index 4598927..6095d54 100644 --- a/test/openssl/test_ssl.rb +++ b/test/openssl/test_ssl.rb @@ -189,34 +189,6 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase https://github.com/ruby/ruby/blob/trunk/test/openssl/test_ssl.rb#L189 end end - def test_add_certificate_chain_file - # Create chain certificates file - certs = Tempfile.open { |f| f << @svr_cert.to_pem << @ca_cert.to_pem; f } - pkey = Tempfile.open { |f| f << @svr_key.to_pem; f } - - ctx_proc = -> ctx { - # FIXME: This is a temporary test case written just to match the current - # state. ctx.add_certificate_chain_file should take two arguments. - ctx.add_certificate_chain_file(certs.path) - # # Unset values set by start_server - # ctx.cert = ctx.key = ctx.extra_chain_cert = nil - # assert_nothing_raised { ctx.add_certificate_chain_file(certs.path, pkey.path) } - } - - start_server(ctx_proc: ctx_proc) { |port| - server_connect(port) { |ssl| - assert_equal @svr_cert.subject, ssl.peer_cert.subject - assert_equal [@svr_cert.subject, @ca_cert.subject], - ssl.peer_cert_chain.map(&:subject) - - ssl.puts "abc"; assert_equal "abc\n", ssl.gets - } - } - ensure - certs&.unlink - pkey&.unlink - end - def test_sysread_and_syswrite start_server { |port| server_connect(port) { |ssl| -- cgit v0.10.2 -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/