diff options
| author | emboss <emboss@ruby-lang.org> | 2012-05-26 00:56:33 +0000 |
|---|---|---|
| committer | emboss <emboss@ruby-lang.org> | 2012-05-26 00:56:33 +0000 |
| commit | 114b1a08847d39c4a7341e8fa5fbf51d0921d4c5 (patch) | |
| tree | 1dee767691889dfea3d3f23be69a8e0e6211d6eb /test | |
| parent | 51b074abca77a00d00f8e5aa560e7e5f365140a6 (diff) | |
| download | ruby-openssl-history-114b1a08847d39c4a7341e8fa5fbf51d0921d4c5.tar.gz | |
* ext/openssl/ossl_ssl.c: Allow disabling client-side renegotiation.
* test/openssl/test_ssl.rb: Simple tests for this.
Client-side renegotiation is still considered problematic, even
when used in the context of secure renegotiation (RI, RFC 5746).
The changes allow users to either completely disable client
renegotiation on the server, or to specify a maximum number of
handshakes allowed in total. The number of total handshakes is
counted in a callback set as SSL_set_info_callback. If the
maximum number of handshakes is exceeded an error will be raised
We do not support renegotiation in the OpenSSL extension, therefore
this feature can only be tested externally.
The feature is opt-in, the default setting will be to allow
unlimited client renegotiation, as was the case before.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35797 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'test')
| -rw-r--r-- | test/test_ssl.rb | 44 |
1 files changed, 42 insertions, 2 deletions
diff --git a/test/test_ssl.rb b/test/test_ssl.rb index de4bd34..97b2c22 100644 --- a/test/test_ssl.rb +++ b/test/test_ssl.rb @@ -505,14 +505,54 @@ if OpenSSL::SSL::SSLContext::METHODS.include? :TLSv1_2 end + def test_disable_client_renegotiation + ctx_proc = Proc.new { |ctx| ctx.disable_client_renegotiation } + start_server_version(:SSLv23, ctx_proc) { |server, port| + server_connect(port) { |ssl| + assert(ssl.ssl_version) + } + } + end + + def test_allow_client_renegotiation_args + ctx = OpenSSL::SSL::SSLContext.new + assert_raise(ArgumentError) { ctx.allow_client_renegotiation(0) } + assert_raise(ArgumentError) { ctx.allow_client_renegotiation(-1) } + end + + def test_allow_client_renegotiation_once + ctx_proc = Proc.new { |ctx| ctx.allow_client_renegotiation(2) } + start_server_version(:SSLv23, ctx_proc) { |server, port| + server_connect(port) { |ssl| + assert(ssl.ssl_version) + } + } + end + + def test_allow_arbitrary_client_renegotiation + ctx_proc = Proc.new { |ctx| ctx.allow_client_renegotiation } + start_server_version(:SSLv23, ctx_proc) { |server, port| + server_connect(port) { |ssl| + assert(ssl.ssl_version) + } + } + end + private - def start_server_version(version, ctx_proc=nil, &blk) + def start_server_version(version, ctx_proc=nil, server_proc=nil, &blk) ctx_wrap = Proc.new { |ctx| ctx.ssl_version = version ctx_proc.call(ctx) if ctx_proc } - start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true, :ctx_proc => ctx_wrap, &blk) + start_server( + PORT, + OpenSSL::SSL::VERIFY_NONE, + true, + :ctx_proc => ctx_wrap, + :server_proc => server_proc, + &blk + ) end def server_connect(port, ctx=nil) |