author | Kazuki Yamaguchi <k@rhe.jp> | 2016-07-28 22:15:26 +0900 |
committer | Kazuki Yamaguchi <k@rhe.jp> | 2016-07-28 22:15:26 +0900 |
commit | bf120798efa43c9db6c68e75037fc0a0c4735703 (patch) | |
tree | d14e13da8bfae8bf7ae0249565c28175ad775abc /test | |
parent | 1c244fa916f274b715594492a85fcfa57c987c2e (diff) | |
parent | 028e495734e9e6aa5dba1a2e130b08f66cf31a21 (diff) | |
download | ruby-openssl-bf120798efa43c9db6c68e75037fc0a0c4735703.tar.gz |
Merge branch 'topic/ssl-verify-hostname'
* topic/ssl-verify-hostname:
ssl: add verify_hostname option to SSLContext
test/test_ssl: avoid SSLContext#set_params where not required
Refactor common verify callback code
Diffstat (limited to 'test')
-rw-r--r-- | test/test_ssl.rb | 82 |
1 files changed, 63 insertions, 19 deletions
diff --git a/test/test_ssl.rb b/test/test_ssl.rb
index ad3d5af1..385eaee0 100644
--- a/test/test_ssl.rb
+++ b/test/test_ssl.rb
@@ -341,7 +341,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
     start_server(OpenSSL::SSL::VERIFY_NONE, true, :ignore_listener_error => true){|server, port|
       sock = TCPSocket.new("127.0.0.1", port)
       ctx = OpenSSL::SSL::SSLContext.new
-      ctx.set_params
+      ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
       ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
       ssl.sync_close = true
       begin
@@ -355,12 +355,11 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
     start_server(OpenSSL::SSL::VERIFY_NONE, true){|server, port|
       sock = TCPSocket.new("127.0.0.1", port)
       ctx = OpenSSL::SSL::SSLContext.new
-      ctx.set_params(
-        :verify_callback => Proc.new do |preverify_ok, store_ctx|
-          store_ctx.error = OpenSSL::X509::V_OK
-          true
-        end
-      )
+      ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
+      ctx.verify_callback = Proc.new do |preverify_ok, store_ctx|
+        store_ctx.error = OpenSSL::X509::V_OK
+        true
+      end
       ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
       ssl.sync_close = true
       begin
@@ -374,12 +373,11 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
     start_server(OpenSSL::SSL::VERIFY_NONE, true, :ignore_listener_error => true){|server, port|
       sock = TCPSocket.new("127.0.0.1", port)
       ctx = OpenSSL::SSL::SSLContext.new
-      ctx.set_params(
-        :verify_callback => Proc.new do |preverify_ok, store_ctx|
-          store_ctx.error = OpenSSL::X509::V_ERR_APPLICATION_VERIFICATION
-          false
-        end
-      )
+      ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
+      ctx.verify_callback = Proc.new do |preverify_ok, store_ctx|
+        store_ctx.error = OpenSSL::X509::V_ERR_APPLICATION_VERIFICATION
+        false
+      end
       ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
       ssl.sync_close = true
       begin
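Review bot: Replacing `ctx.set_params` with only `ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER` in the -341 hunk also drops the default cert store that set_params installed, so this client now verifies the server against a context with no trust anchors. That appears to be the intent, given `:ignore_listener_error => true` on the server side, but nothing in the test says so; a comment such as `# VERIFY_PEER with no cert_store: the handshake is expected to fail on the client` above the assignment would keep the next reader from "fixing" it by adding a store. The begin block holding the assertions lies outside the hunk.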
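Review bot: The `preverify_ok` block parameter is unused in the rewritten verify_callback of the -355 hunk, and likewise in the -374 hunk and the -395 hunk on the following line; `Proc.new do |_preverify_ok, store_ctx|` would mark that as deliberate while keeping the two-argument arity the callback is invoked with. Each of these callbacks overrides the store's verification result (forcing `V_OK`, forcing `V_ERR_APPLICATION_VERIFICATION`, or raising), which is exactly what the tests are exercising, so a one-line comment above each, e.g. `# callback forces verification to succeed regardless of the store result`, would stop them from being read as a recommended way to configure a client. The begin block with the assertions that follow each context setup is outside the hunk.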
@@ -395,12 +393,11 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
     start_server(OpenSSL::SSL::VERIFY_NONE, true, :ignore_listener_error => true){|server, port|
       sock = TCPSocket.new("127.0.0.1", port)
       ctx = OpenSSL::SSL::SSLContext.new
-      ctx.set_params(
-        :verify_callback => Proc.new do |preverify_ok, store_ctx|
-          store_ctx.error = OpenSSL::X509::V_OK
-          raise RuntimeError
-        end
-      )
+      ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
+      ctx.verify_callback = Proc.new do |preverify_ok, store_ctx|
+        store_ctx.error = OpenSSL::X509::V_OK
+        raise RuntimeError
+      end
       ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
       ssl.sync_close = true
       begin
@@ -915,6 +912,53 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
     end
   end
 
+  def test_verify_hostname_on_connect
+    ctx_proc = proc { |ctx|
+      now = Time.now
+      exts = [
+        ["keyUsage", "keyEncipherment,digitalSignature", true],
+        ["subjectAltName", "DNS:a.example.com,DNS:*.b.example.com," \
+                           "DNS:c*.example.com,DNS:d.*.example.com"],
+      ]
+      ctx.cert = issue_cert(@svr, @svr_key, 4, now, now+1800, exts,
+                            @ca_cert, @ca_key, OpenSSL::Digest::SHA1.new)
+      ctx.key = @svr_key
+    }
+
+    start_server(OpenSSL::SSL::VERIFY_NONE, true, ctx_proc: ctx_proc,
+                 ignore_listener_error: true) do |svr, port|
+      ctx = OpenSSL::SSL::SSLContext.new
+      ctx.verify_hostname = true
+      ctx.cert_store = OpenSSL::X509::Store.new
+      ctx.cert_store.add_cert(@ca_cert)
+      ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
+
+      [
+        ["a.example.com", true],
+        ["A.Example.Com", true],
+        ["x.example.com", false],
+        ["b.example.com", false],
+        ["x.b.example.com", true],
+        ["cx.example.com", true],
+        ["d.x.example.com", false],
+      ].each do |name, expected_ok|
+        begin
+          sock = TCPSocket.new("127.0.0.1", port)
+          ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
+          ssl.hostname = name
+          if expected_ok
+            assert_nothing_raised { ssl.connect }
+          else
+            assert_raise(OpenSSL::SSL::SSLError) { ssl.connect }
+          end
+        ensure
+          ssl.close if ssl
+          sock.close if sock
+        end
+      end
+    end
+  end
+
   def test_multibyte_read_write
     #German a umlaut
     auml = [%w{ C3 A4 }.join('')].pack('H*')
|
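Review bot: The expectation table in test_verify_hostname_on_connect has no case showing that `*.b.example.com` matches exactly one label, and none for `verify_hostname = true` with `ssl.hostname` left unset; adding `["x.y.b.example.com", false]` and a case that pins whichever outcome the implementation defines for a missing hostname would guard against the check being silently skipped, which is the failure mode this option exists to prevent. The server certificate is signed with `OpenSSL::Digest::SHA1.new`; passing `OpenSSL::Digest::SHA256.new` instead would keep the test from depending on a digest that some OpenSSL builds may reject at their default security level, though the existing fixtures may share that choice. The method also lacks a comment tying the SAN list to the table; one line such as `# SANs cover a plain name, a leftmost wildcard, a partial-label wildcard and a non-leftmost wildcard; each row below probes one of them` would make the expected true/false values self-explanatory.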