author | Kazuki Yamaguchi <k@rhe.jp> | 2016-06-27 21:41:05 +0900 |
committer | Kazuki Yamaguchi <k@rhe.jp> | 2016-07-23 23:28:40 +0900 |
commit | 028e495734e9e6aa5dba1a2e130b08f66cf31a21 (patch) | |
tree | 263cfa336fc4efb66dd74e1b14594ba8ebbf91d7 /test/test_ssl.rb | |
parent | 6c387d4cf1e9cc1a304cb71260079ba9a8db022d (diff) | |
download | ruby-openssl-028e495734e9e6aa5dba1a2e130b08f66cf31a21.tar.gz |
ssl: add verify_hostname option to SSLContexttopic/ssl-verify-hostname
If a client sets this to true and enables SNI with SSLSocket#hostname=,
the hostname verification on the server certificate is performed
automatically during the handshake using
OpenSSL::SSL.verify_certificate_identity().
Currently a user who wants to do the hostname verification needs to
call SSLSocket#post_connection_check explicitly after the TLS connection
is established.
This commit also enables the option in SSLContext::DEFAULT_PARAMS.
Applications using SSLContext#set_params may be affected by this.
[GH ruby/openssl#8]
Diffstat (limited to 'test/test_ssl.rb')
-rw-r--r-- | test/test_ssl.rb | 47 |
1 files changed, 47 insertions, 0 deletions
diff --git a/test/test_ssl.rb b/test/test_ssl.rb
index 9b8baf6f..7d27ff63 100644
--- a/test/test_ssl.rb
+++ b/test/test_ssl.rb
@@ -889,6 +889,53 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
 end
 end
+ def test_verify_hostname_on_connect
+ ctx_proc = proc { |ctx|
+ now = Time.now
+ exts = [
+ ["keyUsage", "keyEncipherment,digitalSignature", true],
+ ["subjectAltName", "DNS:a.example.com,DNS:*.b.example.com," \
+ "DNS:c*.example.com,DNS:d.*.example.com"],
+ ]
+ ctx.cert = issue_cert(@svr, @svr_key, 4, now, now+1800, exts,
+ @ca_cert, @ca_key, OpenSSL::Digest::SHA1.new)
+ ctx.key = @svr_key
+ }
+
+ start_server(OpenSSL::SSL::VERIFY_NONE, true, ctx_proc: ctx_proc,
+ ignore_listener_error: true) do |svr, port|
+ ctx = OpenSSL::SSL::SSLContext.new
+ ctx.verify_hostname = true
+ ctx.cert_store = OpenSSL::X509::Store.new
+ ctx.cert_store.add_cert(@ca_cert)
+ ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
+
+ [
+ ["a.example.com", true],
+ ["A.Example.Com", true],
+ ["x.example.com", false],
+ ["b.example.com", false],
+ ["x.b.example.com", true],
+ ["cx.example.com", true],
+ ["d.x.example.com", false],
+ ].each do |name, expected_ok|
+ begin
+ sock = TCPSocket.new("127.0.0.1", port)
+ ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
+ ssl.hostname = name
+ if expected_ok
+ assert_nothing_raised { ssl.connect }
+ else
+ assert_raise(OpenSSL::SSL::SSLError) { ssl.connect }
+ end
+ ensure
+ ssl.close if ssl
+ sock.close if sock
+ end
+ end
+ end
+ end
+
 def test_multibyte_read_write
 #German a umlaut
 auml = [%w{ C3 A4 }.join('')].pack('H*') |
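Review bot: The negative rows in `test_verify_hostname_on_connect` only establish that the handshake fails, not that `verify_hostname` is what makes it fail: there is no control case with the option off (or with `ssl.hostname` left unset) showing that a mismatched name still connects, so the test would pass just as well if the check were unconditional. A short control case after the loop, on a fresh context so the one already handed to SSLSockets is not mutated, closes that gap; sketch below. Separately, the server certificate is signed with `OpenSSL::Digest::SHA1.new`, which ties every positive row to the library still accepting SHA-1 signatures at its default security level (OpenSSL 3 rejects them), so `OpenSSL::Digest::SHA256.new` would keep a later signature-policy change from masking the hostname result. The enclosing class `OpenSSL::TestSSL` begins outside the hunk.
```ruby
      # … unchanged: rows exercising verify_hostname = true …

      # Control case: with the option off, a mismatched SNI name must still
      # connect, proving the rows above really depend on verify_hostname.
      ctx_off = OpenSSL::SSL::SSLContext.new
      ctx_off.verify_hostname = false
      ctx_off.cert_store = ctx.cert_store
      ctx_off.verify_mode = OpenSSL::SSL::VERIFY_PEER
      begin
        sock = TCPSocket.new("127.0.0.1", port)
        ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx_off)
        ssl.hostname = "x.example.com"
        assert_nothing_raised { ssl.connect }
      ensure
        ssl.close if ssl
        sock.close if sock
      end
```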