author | Kazuki Yamaguchi <k@rhe.jp> | 2020-07-18 17:09:37 +0900 |
---|---|---|
committer | Kazuki Yamaguchi <k@rhe.jp> | 2020-07-18 17:29:21 +0900 |
commit | 1ccdc05662a7817e8fe7a73ed589a8b092b527ac (patch) | |
tree | 874ca9d30b80cc791c7bce8814e20f7790e08699 /test | |
parent | 785b5569fc5630e7bdfdd071c23dfea52db421b7 (diff) | |
test/openssl/test_ssl: revise verify_mode test cases
Add explicit test cases for the behaviors with different verify_mode.
If we introduced a bug in verify_mode, we would notice it through failures of other
test cases, but there were no dedicated test cases for verify_mode.
Diffstat (limited to 'test')
-rw-r--r-- | test/openssl/test_ssl.rb | 46 |
1 files changed, 45 insertions, 1 deletions
diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb
index 1d3cdf90..4015b050 100644
--- a/test/openssl/test_ssl.rb
+++ b/test/openssl/test_ssl.rb
@@ -246,7 +246,51 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
 end
 end
- def test_client_auth_failure
+ def test_verify_mode_server_cert
+ start_server(ignore_listener_error: true) { |port|
+ populated_store = OpenSSL::X509::Store.new
+ populated_store.add_cert(@ca_cert)
+ empty_store = OpenSSL::X509::Store.new
+
+ # Valid certificate, SSL_VERIFY_PEER
+ assert_nothing_raised {
+ ctx = OpenSSL::SSL::SSLContext.new
+ ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
+ ctx.cert_store = populated_store
+ server_connect(port, ctx) { |ssl| ssl.puts("abc"); ssl.gets }
+ }
+
+ # Invalid certificate, SSL_VERIFY_NONE
+ assert_nothing_raised {
+ ctx = OpenSSL::SSL::SSLContext.new
+ ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
+ ctx.cert_store = empty_store
+ server_connect(port, ctx) { |ssl| ssl.puts("abc"); ssl.gets }
+ }
+
+ # Invalid certificate, SSL_VERIFY_PEER
+ assert_handshake_error {
+ ctx = OpenSSL::SSL::SSLContext.new
+ ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
+ ctx.cert_store = empty_store
+ server_connect(port, ctx) { |ssl| ssl.puts("abc"); ssl.gets }
+ }
+ }
+ end
+
+ def test_verify_mode_client_cert_required
+ # Optional, client certificate not supplied
+ vflag = OpenSSL::SSL::VERIFY_PEER
+ accept_proc = -> ssl {
+ assert_equal nil, ssl.peer_cert
+ }
+ start_server(verify_mode: vflag, accept_proc: accept_proc) { |port|
+ assert_nothing_raised {
+ server_connect(port) { |ssl| ssl.puts("abc"); ssl.gets }
+ }
+ }
+
+ # Required, client certificate not supplied
 vflag = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
 start_server(verify_mode: vflag, ignore_listener_error: true) { |port|
 assert_handshake_error { |