
ruby-changes:65518

From: Kazuki <ko1@a...>
Date: Tue, 16 Mar 2021 20:39:23 +0900 (JST)
Subject: [ruby-changes:65518] 3b43e3fa10 (master): [ruby/openssl] test/openssl/test_ssl: revise verify_mode test cases

https://git.ruby-lang.org/ruby.git/commit/?id=3b43e3fa10

From 3b43e3fa10b160fd86a51b6e09ab157ca7be723a Mon Sep 17 00:00:00 2001
From: Kazuki Yamaguchi <k@r...>
Date: Sat, 18 Jul 2020 17:09:37 +0900
Subject: [ruby/openssl] test/openssl/test_ssl: revise verify_mode test cases

Add explicit test cases for the behaviors with different verify_mode.
If we made a bug in verify_mode, we would notice it by failures of other
test cases, but there were no dedicated test cases for verify_mode.

https://github.com/ruby/openssl/commit/1ccdc05662
---
 test/openssl/test_ssl.rb | 46 +++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 45 insertions(+), 1 deletion(-)

diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb
index 1d3cdf9..4015b05 100644
--- a/test/openssl/test_ssl.rb
+++ b/test/openssl/test_ssl.rb
@@ -246,7 +246,51 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase https://github.com/ruby/ruby/blob/trunk/test/openssl/test_ssl.rb#L246
     end
   end
 
-  def test_client_auth_failure
+  def test_verify_mode_server_cert
+    start_server(ignore_listener_error: true) { |port|
+      populated_store = OpenSSL::X509::Store.new
+      populated_store.add_cert(@ca_cert)
+      empty_store = OpenSSL::X509::Store.new
+
+      # Valid certificate, SSL_VERIFY_PEER
+      assert_nothing_raised {
+        ctx = OpenSSL::SSL::SSLContext.new
+        ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
+        ctx.cert_store = populated_store
+        server_connect(port, ctx) { |ssl| ssl.puts("abc"); ssl.gets }
+      }
+
+      # Invalid certificate, SSL_VERIFY_NONE
+      assert_nothing_raised {
+        ctx = OpenSSL::SSL::SSLContext.new
+        ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
+        ctx.cert_store = empty_store
+        server_connect(port, ctx) { |ssl| ssl.puts("abc"); ssl.gets }
+      }
+
+      # Invalid certificate, SSL_VERIFY_PEER
+      assert_handshake_error {
+        ctx = OpenSSL::SSL::SSLContext.new
+        ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
+        ctx.cert_store = empty_store
+        server_connect(port, ctx) { |ssl| ssl.puts("abc"); ssl.gets }
+      }
+    }
+  end
+
+  def test_verify_mode_client_cert_required
+    # Optional, client certificate not supplied
+    vflag = OpenSSL::SSL::VERIFY_PEER
+    accept_proc = -> ssl {
+      assert_equal nil, ssl.peer_cert
+    }
+    start_server(verify_mode: vflag, accept_proc: accept_proc) { |port|
+      assert_nothing_raised {
+        server_connect(port) { |ssl| ssl.puts("abc"); ssl.gets }
+      }
+    }
+
+    # Required, client certificate not supplied
     vflag = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
     start_server(verify_mode: vflag, ignore_listener_error: true) { |port|
       assert_handshake_error {
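Review bot: In `test_verify_mode_server_cert`, the `VERIFY_NONE` case only shows that the handshake completes against the empty store; it does not pin that the peer was actually left unverified, so a regression that wrongly reported the chain as valid would still pass. The block could also check the recorded result, e.g. `server_connect(port, ctx) { |ssl| assert_not_equal OpenSSL::X509::V_OK, ssl.verify_result; ssl.puts("abc"); ssl.gets }`, which should hold because the third case already expects verification to fail with the same store. The "Invalid certificate" comments are also slightly misleading, since the server certificate appears to be the same in all three cases and only the client's trust store changes; `# Untrusted issuer (empty store), SSL_VERIFY_NONE` would describe it more precisely. In `test_verify_mode_client_cert_required`, `assert_equal nil, ssl.peer_cert` reads better as `assert_nil ssl.peer_cert`; that method's body continues past the end of the hunk, so whether a "certificate supplied" case follows cannot be judged from here.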
-- 
cgit v1.1


