ruby-changes:69355
From: Kazuki <ko1@a...>
Date: Sat, 23 Oct 2021 13:40:20 +0900 (JST)
Subject: [ruby-changes:69355] 0e805e73ce (master): [ruby/openssl] test/openssl/test_ssl: assume TLS 1.2 support
https://git.ruby-lang.org/ruby.git/commit/?id=0e805e73ce From 0e805e73cedbce3748c979049c17c74f3f0eca43 Mon Sep 17 00:00:00 2001 From: Kazuki Yamaguchi <k@r...> Date: Mon, 27 Sep 2021 15:32:39 +0900 Subject: [ruby/openssl] test/openssl/test_ssl: assume TLS 1.2 support Current versions of OpenSSL and LibreSSL all support TLS 1.2, so there is no need for checking the availability. https://github.com/ruby/openssl/commit/a175a41529 --- test/openssl/test_ssl.rb | 66 ++++++++++++++++------------------------ test/openssl/test_ssl_session.rb | 8 ----- test/openssl/utils.rb | 7 ----- 3 files changed, 26 insertions(+), 55 deletions(-) diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb index 2a52f2724b..e81745321b 100644 --- a/test/openssl/test_ssl.rb +++ b/test/openssl/test_ssl.rb @@ -125,7 +125,6 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase https://github.com/ruby/ruby/blob/trunk/test/openssl/test_ssl.rb#L125 def test_add_certificate_multiple_certs pend "EC is not supported" unless defined?(OpenSSL::PKey::EC) - pend "TLS 1.2 is not supported" unless tls12_supported? ca2_key = Fixtures.pkey("rsa-3") ca2_exts = [ @@ -554,8 +553,6 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase https://github.com/ruby/ruby/blob/trunk/test/openssl/test_ssl.rb#L553 end def test_post_connect_check_with_anon_ciphers - pend "TLS 1.2 is not supported" unless tls12_supported? - ctx_proc = -> ctx { ctx.ssl_version = :TLSv1_2 ctx.ciphers = "aNULL" @@ -1355,7 +1352,6 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase https://github.com/ruby/ruby/blob/trunk/test/openssl/test_ssl.rb#L1352 end def test_npn_protocol_selection_ary - pend "TLS 1.2 is not supported" unless tls12_supported? pend "NPN is not supported" unless \ OpenSSL::SSL::SSLContext.method_defined?(:npn_select_cb) pend "LibreSSL 2.6 has broken NPN functions" if libressl?(2, 6, 1) 
@@ -1376,7 +1372,6 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase https://github.com/ruby/ruby/blob/trunk/test/openssl/test_ssl.rb#L1372 end def test_npn_protocol_selection_enum - pend "TLS 1.2 is not supported" unless tls12_supported? pend "NPN is not supported" unless \ OpenSSL::SSL::SSLContext.method_defined?(:npn_select_cb) pend "LibreSSL 2.6 has broken NPN functions" if libressl?(2, 6, 1) @@ -1401,7 +1396,6 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase https://github.com/ruby/ruby/blob/trunk/test/openssl/test_ssl.rb#L1396 end def test_npn_protocol_selection_cancel - pend "TLS 1.2 is not supported" unless tls12_supported? pend "NPN is not supported" unless \ OpenSSL::SSL::SSLContext.method_defined?(:npn_select_cb) pend "LibreSSL 2.6 has broken NPN functions" if libressl?(2, 6, 1) @@ -1415,7 +1409,6 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase https://github.com/ruby/ruby/blob/trunk/test/openssl/test_ssl.rb#L1409 end def test_npn_advertised_protocol_too_long - pend "TLS 1.2 is not supported" unless tls12_supported? pend "NPN is not supported" unless \ OpenSSL::SSL::SSLContext.method_defined?(:npn_select_cb) pend "LibreSSL 2.6 has broken NPN functions" if libressl?(2, 6, 1) @@ -1429,7 +1422,6 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase https://github.com/ruby/ruby/blob/trunk/test/openssl/test_ssl.rb#L1422 end def test_npn_selected_protocol_too_long - pend "TLS 1.2 is not supported" unless tls12_supported? pend "NPN is not supported" unless \ OpenSSL::SSL::SSLContext.method_defined?(:npn_select_cb) pend "LibreSSL 2.6 has broken NPN functions" if libressl?(2, 6, 1) 
@@ -1470,40 +1462,36 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase https://github.com/ruby/ruby/blob/trunk/test/openssl/test_ssl.rb#L1462 end def test_get_ephemeral_key - if tls12_supported? - # kRSA - ctx_proc1 = proc { |ctx| - ctx.ssl_version = :TLSv1_2 - ctx.ciphers = "kRSA" - } - start_server(ctx_proc: ctx_proc1, ignore_listener_error: true) do |port| - ctx = OpenSSL::SSL::SSLContext.new - ctx.ssl_version = :TLSv1_2 - ctx.ciphers = "kRSA" - begin - server_connect(port, ctx) { |ssl| assert_nil ssl.tmp_key } - rescue OpenSSL::SSL::SSLError - # kRSA seems disabled - raise unless $!.message =~ /no cipher/ - end + # kRSA + ctx_proc1 = proc { |ctx| + ctx.ssl_version = :TLSv1_2 + ctx.ciphers = "kRSA" + } + start_server(ctx_proc: ctx_proc1, ignore_listener_error: true) do |port| + ctx = OpenSSL::SSL::SSLContext.new + ctx.ssl_version = :TLSv1_2 + ctx.ciphers = "kRSA" + begin + server_connect(port, ctx) { |ssl| assert_nil ssl.tmp_key } + rescue OpenSSL::SSL::SSLError + # kRSA seems disabled + raise unless $!.message =~ /no cipher/ end end - if defined?(OpenSSL::PKey::DH) && tls12_supported? - # DHE - # TODO: How to test this with TLS 1.3? - ctx_proc2 = proc { |ctx| - ctx.ssl_version = :TLSv1_2 - ctx.ciphers = "EDH" + # DHE + # TODO: How to test this with TLS 1.3? + ctx_proc2 = proc { |ctx| + ctx.ssl_version = :TLSv1_2 + ctx.ciphers = "EDH" + } + start_server(ctx_proc: ctx_proc2) do |port| + ctx = OpenSSL::SSL::SSLContext.new + ctx.ssl_version = :TLSv1_2 + ctx.ciphers = "EDH" + server_connect(port, ctx) { |ssl| + assert_instance_of OpenSSL::PKey::DH, ssl.tmp_key } - start_server(ctx_proc: ctx_proc2) do |port| - ctx = OpenSSL::SSL::SSLContext.new - ctx.ssl_version = :TLSv1_2 - ctx.ciphers = "EDH" - server_connect(port, ctx) { |ssl| - assert_instance_of OpenSSL::PKey::DH, ssl.tmp_key - } - end end if defined?(OpenSSL::PKey::EC) 
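Review bot: The rewritten DHE block in test_get_ephemeral_key no longer checks `defined?(OpenSSL::PKey::DH)`: the old condition `if defined?(OpenSSL::PKey::DH) && tls12_supported?` was removed whole, although the commit message only argues that TLS 1.2 is always available. On a build without DH support, `assert_instance_of OpenSSL::PKey::DH, ssl.tmp_key` would presumably raise a NameError instead of being skipped, while the EC part right after it still keeps its `if defined?(OpenSSL::PKey::EC)` guard. I would keep the DH half of the condition, `if defined?(OpenSSL::PKey::DH)` … `end` around the DHE block, or say in the commit message that DH is now assumed as well. The test_ecdh_curves_tls12 hunk likewise drops `pend "EC is disabled" unless defined?(OpenSSL::PKey::EC)`, which is not a TLS 1.2 check either; both test bodies continue outside their hunks, so whether that test still needs EC is not visible here.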
@@ -1633,8 +1621,6 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase https://github.com/ruby/ruby/blob/trunk/test/openssl/test_ssl.rb#L1621 end def test_ecdh_curves_tls12 - pend "EC is disabled" unless defined?(OpenSSL::PKey::EC) - ctx_proc = -> ctx { # Enable both ECDHE (~ TLS 1.2) cipher suites and TLS 1.3 ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION diff --git a/test/openssl/test_ssl_session.rb b/test/openssl/test_ssl_session.rb index a98efdae2a..b72b10d3b5 100644 --- a/test/openssl/test_ssl_session.rb +++ b/test/openssl/test_ssl_session.rb @@ -5,8 +5,6 @@ if defined?(OpenSSL) https://github.com/ruby/ruby/blob/trunk/test/openssl/test_ssl_session.rb#L5 class OpenSSL::TestSSLSession < OpenSSL::SSLTestCase def test_session - pend "TLS 1.2 is not supported" unless tls12_supported? - ctx_proc = proc { |ctx| ctx.ssl_version = :TLSv1_2 } start_server(ctx_proc: ctx_proc) do |port| server_connect_with_session(port, nil, nil) { |ssl| @@ -144,8 +142,6 @@ __EOS__ https://github.com/ruby/ruby/blob/trunk/test/openssl/test_ssl_session.rb#L142 end def test_server_session_cache - pend "TLS 1.2 is not supported" unless tls12_supported? - ctx_proc = Proc.new do |ctx| ctx.ssl_version = :TLSv1_2 ctx.options |= OpenSSL::SSL::OP_NO_TICKET @@ -224,8 +220,6 @@ __EOS__ https://github.com/ruby/ruby/blob/trunk/test/openssl/test_ssl_session.rb#L220 TEST_SESSION_REMOVE_CB = ENV["OSSL_TEST_ALL"] == "1" def test_ctx_client_session_cb - pend "TLS 1.2 is not supported" unless tls12_supported? - ctx_proc = proc { |ctx| ctx.ssl_version = :TLSv1_2 } start_server(ctx_proc: ctx_proc) do |port| called = {} @@ -257,8 +251,6 @@ __EOS__ https://github.com/ruby/ruby/blob/trunk/test/openssl/test_ssl_session.rb#L251 end def test_ctx_server_session_cb - pend "TLS 1.2 is not supported" unless tls12_supported? - connections = nil called = {} cctx = OpenSSL::SSL::SSLContext.new diff --git a/test/openssl/utils.rb b/test/openssl/utils.rb index ba2338ec12..efa831afac 100644 --- a/test/openssl/utils.rb 
+++ b/test/openssl/utils.rb @@ -189,13 +189,6 @@ class OpenSSL::SSLTestCase < OpenSSL::TestCase https://github.com/ruby/ruby/blob/trunk/test/openssl/utils.rb#L189 @server = nil end - def tls12_supported? - ctx = OpenSSL::SSL::SSLContext.new - ctx.min_version = ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION - true - rescue - end - def tls13_supported? return false unless defined?(OpenSSL::SSL::TLS1_3_VERSION) ctx = OpenSSL::SSL::SSLContext.new -- cgit v1.2.1 -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/