author | Kazuki Yamaguchi <k@rhe.jp> | 2022-01-05 12:36:30 +0900 |
---|---|---|
committer | GitHub <noreply@github.com> | 2022-01-05 12:36:30 +0900 |
commit | ee64d93cb20e7fca80eddbf711c56ae2fac9a825 (patch) | |
tree | 0dbb96590e70100e96851d1cf5fc0655deba1356 | |
parent | bff4080091f1e468418b0a8625174f234922210c (diff) | |
parent | 717d7009d6926b1f076f6ac0178b3861ae6e20da (diff) | |
download | ruby-openssl-ee64d93cb20e7fca80eddbf711c56ae2fac9a825.tar.gz |
Merge pull request #488 from jeremyevans/skip-san-wildcard-libressl
Skip optional wildcard SAN tests on LibreSSL 3.5.0+
-rw-r--r-- | test/openssl/test_ssl.rb | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb
index a7607da0..39964bf4 100644
--- a/test/openssl/test_ssl.rb
+++ b/test/openssl/test_ssl.rb
@@ -676,10 +676,16 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
 # buzz.example.net, respectively). ...
 assert_equal(true, OpenSSL::SSL.verify_certificate_identity(
 create_cert_with_san('DNS:baz*.example.com'), 'baz1.example.com'))
+
+ # LibreSSL 3.5.0+ doesn't support other wildcard certificates
+ # (it isn't required to, as RFC states MAY, not MUST)
+ return if libressl?(3, 5, 0)
+
 assert_equal(true, OpenSSL::SSL.verify_certificate_identity(
 create_cert_with_san('DNS:*baz.example.com'), 'foobaz.example.com'))
 assert_equal(true, OpenSSL::SSL.verify_certificate_identity(
 create_cert_with_san('DNS:b*z.example.com'), 'buzz.example.com'))
+
 # Section 6.4.3 of RFC6125 states that client should NOT match identifier
 # where wildcard is other than left-most label.
 # |
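Review bot: The added `return if libressl?(3, 5, 0)` exits the whole test method, so on LibreSSL 3.5.0+ it skips not only the two optional `*baz` / `b*z` assertions but everything that follows them. The comment at the end of the hunk introduces the RFC 6125 section 6.4.3 case (a wildcard outside the left-most label should not match); its assertions lie outside the hunk, but if they are the rejection checks the comment suggests, they are the security-relevant part of this test and would no longer run on that library. Wrapping only the two optional assertions in `unless libressl?(3, 5, 0)` … `end` would keep the rest of the method running on every backend. The method itself starts and ends outside the hunk.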