
ruby-changes:72470

From: Jeremy <ko1@a...>
Date: Sat, 9 Jul 2022 00:31:54 +0900 (JST)
Subject: [ruby-changes:72470] 01025a0055 (master): [ruby/openssl] Skip optional wildcard SAN tests on LibreSSL 3.5.0+

https://git.ruby-lang.org/ruby.git/commit/?id=01025a0055

From 01025a0055bb5fe1a9a161e86cbd58c8fa2350ae Mon Sep 17 00:00:00 2001
From: Jeremy Evans <code@j...>
Date: Tue, 4 Jan 2022 11:32:11 -0800
Subject: [ruby/openssl] Skip optional wildcard SAN tests on LibreSSL 3.5.0+

RFC 6066 states how some wildcard SAN entries MAY be handled, but
it does not say they MUST be handled.  LibreSSL 3.5.0 only handles
suffix wildcard SANs, not prefix wildcard SANs, or interior
wildcard SANs, so return early from the wildcard SAN tests on
LibreSSL 3.5.0.

Fixes #471

https://github.com/ruby/openssl/commit/717d7009d6
---
 test/openssl/test_ssl.rb | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb
index a7607da073..39964bf493 100644
--- a/test/openssl/test_ssl.rb
+++ b/test/openssl/test_ssl.rb
@@ -676,10 +676,16 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase https://github.com/ruby/ruby/blob/trunk/test/openssl/test_ssl.rb#L676
     #     buzz.example.net, respectively).  ...
     assert_equal(true, OpenSSL::SSL.verify_certificate_identity(
       create_cert_with_san('DNS:baz*.example.com'), 'baz1.example.com'))
+
+    # LibreSSL 3.5.0+ doesn't support other wildcard certificates
+    # (it isn't required to, as RFC states MAY, not MUST)
+    return if libressl?(3, 5, 0)
+
     assert_equal(true, OpenSSL::SSL.verify_certificate_identity(
       create_cert_with_san('DNS:*baz.example.com'), 'foobaz.example.com'))
     assert_equal(true, OpenSSL::SSL.verify_certificate_identity(
       create_cert_with_san('DNS:b*z.example.com'), 'buzz.example.com'))
+
     # Section 6.4.3 of RFC6125 states that client should NOT match identifier
     # where wildcard is other than left-most label.
     #
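Review bot: The bare `return if libressl?(3, 5, 0)` placed before the `DNS:*baz.example.com` assertion exits the whole test method, so on LibreSSL 3.5.0+ it skips not only the two optional wildcard assertions but also anything after them, including any checks introduced by the "Section 6.4.3 of RFC6125 ... should NOT match" comment in the trailing context. Negative checks of that kind guard against over-broad wildcard matching and are worth running on every backend, so consider wrapping only the two optional assertions in `unless libressl?(3, 5, 0) ... end`, or moving them to the end of the method. The added comment also says "as RFC states" without naming the document; the commit message cites RFC 6066 and the neighbouring comment cites RFC6125, so the comment should name the RFC and section it relies on.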
-- 
cgit v1.2.1


--
ML: ruby-changes@q...
Info: http://www.atdot.net/~ko1/quickml/
