path: root/test/test_ssl.rb

Commit log. Each entry gives the commit subject, followed by the author, date, number of files changed and lines removed/added; indented entries are commits brought in by the merge above them, and the branch a commit was taken from is given in square brackets.

* Fixed inconsistency directory structure with ruby/ruby repo (Hiroshi SHIBATA, 2020-02-17, 1 file, -1693/+0)

* Revert add_certificate_chain_file changes (#320) (Hiroshi SHIBATA, 2020-02-16, 1 file, -101/+2)

    Revert SSLContext#add_certificate_chain_file changes

    * 0da0dfaf09f549b2b2cd984627b321b7908d1186.
    * 8d12f0f6ca944212cb8000e689469d7aaa8190d7.
    * 49f42ad5f82f8b61f51a16e3a6df1ab0d5307d5f.
    * 5ee295ab8e37c8ffc6eb8c1b7b79ec024f3253e4.
    * 8b4fa5e336c7544ea677ccee160ec6d221559e10.
    * 443d13e9b2c127230fde2733959eaa4d41eb355d.
    * 5d866038920edf2729865653d6dc9309589f089a.
    * f18559acf97a6f6aaf3d253417eb0100b262cbc6.

* Tests are failing sporadically on Darwin with EPIPE. (Samuel Williams, 2020-02-06, 1 file, -2/+2)

* Merge in changes to tests from upstream. (Samuel Williams, 2020-02-06, 1 file, -0/+13)

* Prefer `frozen_string_literal: true`. (Samuel Williams, 2020-02-06, 1 file, -3/+3)

* rm GC.disable && add {certs,pkey}.unlink (thekuwayama, 2020-01-25, 1 file, -2/+6)

* modify ossl_sslctx_add_certificate_chain_file() to raise Error and to return self (thekuwayama, 2020-01-25, 1 file, -1/+75)

    add test_add_certificate_chain_file_multiple_certs

* modify test_add_certificate_chain_file to check ssl.peer_cert and ssl.peer_cert_chain (thekuwayama, 2020-01-25, 1 file, -2/+23)

* Remove out-of-scope test. (Samuel Williams, 2019-12-29, 1 file, -12/+0)

* Merge in changes to tests from ruby/test/openssl. (Samuel Williams, 2019-12-29, 1 file, -2/+14)

* update SSLSocket.open to match TCPSocket.open method signature (thekuwayama, 2019-10-31, 1 file, -2/+33)

* add SSLSocket.open (thekuwayama, 2019-10-31, 1 file, -11/+15)

* add `SSLSocket.open` as alias of `SSLSocket.new` (thekuwayama, 2019-10-31, 1 file, -0/+11)

* OpenSSL::TestSSL#test_finished_messages - gracefully close client (MSP-Greg, 2019-10-27, 1 file, -2/+4)

* add client_finished, client_peer_finished (thekuwayama, 2019-10-27, 1 file, -3/+7)

    clean `start_server` method `block` argument

* Add test verifying client/server finished_messages (Mo Morsi, 2019-10-08, 1 file, -0/+17)

* Add certificate chain file test. (Samuel Williams, 2019-06-13, 1 file, -0/+5)

* test/test_ssl.rb: Use TLS1.2 (Yusuke Endoh, 2019-06-05, 1 file, -0/+5)

    The test fails when using OpenSSL 1.1 that supports TLS1.3. To make it pass, this change restricts max_version to TLS1.2. We may need more work for TLS1.3.

* test/test_ssl.rb: Use larger keys (Yusuke Endoh, 2019-06-05, 1 file, -1/+1)

    OpenSSL 1.1.1 seems to require at least 2048 bits for CA's private keys.

* Merge pull request #217 from rhenium/ky/test-fixtures-update (Yusuke Endoh, 2019-06-05, 1 file, -5/+6)

    test: use larger keys for SSL tests

  * test: use larger keys for SSL tests [ky/test-fixtures-update] (Kazuki Yamaguchi, 2018-08-16, 1 file, -5/+6)

      Some systems enforce a system-wide policy to restrict key sizes used in SSL/TLS. Use larger ones if possible so that the test suite runs successfully.

      New PEM files test/fixtures/pkey/{dh-1,rsa-1,rsa-2,rsa-3}.pem are added to the tree, and SSL tests now use them instead of the fixed-size keys.

      Reference: https://github.com/ruby/openssl/issues/215

* Add `SSLSocket#fileno` and `SSLServer#fileno`. Fixes #198. (Samuel Williams, 2019-03-31, 1 file, -0/+14)

* Merge branch 'maint' (Kazuki Yamaguchi, 2018-08-08, 1 file, -16/+42)

    * maint:
      x509name: fix handling of X509_NAME_{oneline,print_ex}() return value
      x509name: refactor OpenSSL::X509::Name#to_s
      test/test_x509name: change script encoding to ASCII-8BIT
      reduce LibreSSL warnings
      openssl_missing.h: constified
      openssl: search winsock
      search winsock libraries explicitly
      no ID cache in Init functions
      test/test_ssl: fix test failure with TLS 1.3
      tool/ruby-openssl-docker: update to latest versions
      pkey: resume key generation after interrupt

  * Merge branch 'maint-2.0' into maint (Kazuki Yamaguchi, 2018-08-08, 1 file, -16/+42)

      The fix made in 6fcc6c0efc42 ("test/test_ssl: fix test failure with TLS 1.3", 2018-08-06) is applied to the new test cases.

      * maint-2.0:
        reduce LibreSSL warnings
        openssl_missing.h: constified
        openssl: search winsock
        search winsock libraries explicitly
        no ID cache in Init functions
        test/test_ssl: fix test failure with TLS 1.3
        tool/ruby-openssl-docker: update to latest versions
        pkey: resume key generation after interrupt

    * test/test_ssl: fix test failure with TLS 1.3 [ky/openssl-1.1.1-part2] (Kazuki Yamaguchi, 2018-08-06, 1 file, -15/+30)

        SSL_connect() on the client side may return before SSL_accept() on server side returns. This will fix test failures with OpenSSL's current master.

* Correctly verify abbreviated IPv6 SANs (Brian Cunnie, 2018-02-06, 1 file, -1/+5)

    IPv6 SAN-verification accommodates ["zero-compression"](https://tools.ietf.org/html/rfc5952#section-2.2). It also accommodates non-compressed addresses.

    Previously the verification of IPv6 addresses would fail unless the address syntax matched a specific format (no zero-compression, no leading zeroes). As an example, the IPv6 loopback address, if represented as `::1`, would not verify. Nor would it verify if represented as `0000:0000:0000:0000:0000:0000:0000:0001`; however, both representations are valid, RFC-compliant representations. The library would only accept a very specific representation (i.e. `0:0:0:0:0:0:0:1`).

    This commit addresses that shortcoming, and ensures that any valid IPv6 representation will correctly verify.

* Merge branch 'ky/fix-ssl-test-internal-encoding' (Kazuki Yamaguchi, 2017-12-14, 1 file, -4/+6)

    * ky/fix-ssl-test-internal-encoding:
      Fix test-all tests to avoid creating report_on_exception warnings

  * Fix test-all tests to avoid creating report_on_exception warnings [ky/fix-ssl-test-internal-encoding] (eregon, 2017-12-14, 1 file, -4/+6)

      * The warnings are shown by Thread.report_on_exception defaulting to true. [Feature #14143] [ruby-core:83979]
      * Improves tests by narrowing down the scope where an exception is expected.

      git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@61188 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

      [ky: this effectively reverts commit 01445af367ec ("test/test_ssl: prevent changing default internal encoding", 2017-11-26). This is OK since EnvUtil.with_default_internal has been made thread-safe.]

      Sync-with-trunk: r61188

* Merge branch 'ky/fix-ssl-test-internal-encoding' (Kazuki Yamaguchi, 2017-11-26, 1 file, -9/+6)

    * ky/fix-ssl-test-internal-encoding:
      test/test_ssl: prevent changing default internal encoding

  * test/test_ssl: prevent changing default internal encoding (Kazuki Yamaguchi, 2017-11-26, 1 file, -9/+6)

      In Ruby tree (not in this tree), assert_raise_with_message uses EnvUtil.with_default_internal which cannot be called simultaneously.

      The patch was suggested by Yusuke Endoh (mame).

* Merge branch 'ky/ssl-add-certificate' (Kazuki Yamaguchi, 2017-11-22, 1 file, -5/+99)

    Merge GitHub Pull Request #167.

    * ky/ssl-add-certificate:
      test/test_ssl: fix test_security_level
      ssl: add SSLContext#add_certificate
      test/utils: remove a pointless .public_key call in issue_cert
      test/envutil: port assert_warning from Ruby trunk

  * test/test_ssl: fix test_security_level [ky/ssl-add-certificate] (Kazuki Yamaguchi, 2017-11-22, 1 file, -5/+18)

      Fix test_security_level using SSLContext#add_certificate. It immediately sets the certificate to the SSL_CTX, so it is affected by the security level setting.

  * ssl: add SSLContext#add_certificate (Kazuki Yamaguchi, 2017-11-22, 1 file, -0/+81)

      Add a new method to add a certificate, a corresponding private key, and extra CA certificates at once. This has two advantages over the existing {cert,key,extra_cert_chain} attributes:

      1. We can notice the problem with the certificate and/or the private key. Since the existing attributes are simple instance variables, they aren't set to the SSL_CTX until #setup which usually happens on the first connection.

      2. For the same reason, existing attributes allowed only one certificate for a context, even though OpenSSL itself is capable of handling multiple certificates and selecting the most appropriate one according to the cipher suite selected.

      The documentation for the existing attributes are updated to recommend using #add_certificate.

* TLS Fallback Signaling Cipher Suite Value (aeris, 2017-11-03, 1 file, -0/+53)

    Support for fallback SCSV [RFC 7507](https://tools.ietf.org/html/rfc7507). Expected behaviour is to refuse connection if the client signals a protocol with the fallback flag but the server supports a better one (downgrade attack detection).

* Merge branch 'ky/ssl-version-min-max' (Kazuki Yamaguchi, 2017-10-22, 1 file, -0/+18)

    * ky/ssl-version-min-max:
      ssl: fix conflict of options in SSLContext#set_params
      Use caller with length to reduce unused strings

  * ssl: fix conflict of options in SSLContext#set_params [ky/ssl-version-min-max] (Kazuki Yamaguchi, 2017-10-22, 1 file, -0/+18)

      Make SSLContext#set_params call #options= first.

      SSLContext#set_params by default disables SSL 2.0 and SSL 3.0 by calling SSLContext#min_version=. After that, it sets the SSL option flags by calling SSLContext#options=. This is problematic when built with OpenSSL before 1.1.0 because SSLContext#min_version= achieves its goal using the SSL_OP_NO_{SSL,TLS}* options. Since the subsequent SSLContext#options= call replaces the flags rather than OR together, this results in effectively disabling min_version setting in SSLContext::DEFAULT_PARAMS.

      The issue was first fixed in Ruby trunk tree, as part of r60310 ("fix OpenSSL::SSL::SSLContext#min_version doesn't work", 2017-10-21).

* Merge branch 'maint' (Kazuki Yamaguchi, 2017-09-24, 1 file, -0/+8)

    * maint:
      Ruby/OpenSSL 2.0.6
      test/test_engine: check if RC4 is supported
      test/test_engine: suppress stderr
      ossl.c: make legacy locking callbacks reentrant
      ossl.c: use struct CRYPTO_dynlock_value for non-dynamic locks
      ssl: prevent SSLSocket#sysread* from leaking uninitialized data
      test/test_pair: replace sleep with IO.select
      tool/ruby-openssl-docker: update
      test/test_ssl: do not run NPN tests for LibreSSL >= 2.6.1
      test/test_ssl: skip tmp_ecdh_callback test for LibreSSL >= 2.6.1
      test/test_pair: disable compression
      test/test_ssl: suppress warning in test_alpn_protocol_selection_cancel
      ruby.h: unnormalized Fixnum value
      test/test_pair: fix test_write_nonblock{,_no_exceptions}

  * test/test_ssl: do not run NPN tests for LibreSSL >= 2.6.1 (Kazuki Yamaguchi, 2017-09-09, 1 file, -0/+5)

      Similar to the previous one, LibreSSL 2.6.1 has relevant functions such as SSL_CTX_set_next_proto_select_cb(), but they are broken and do nothing.

  * test/test_ssl: skip tmp_ecdh_callback test for LibreSSL >= 2.6.1 (Kazuki Yamaguchi, 2017-09-09, 1 file, -0/+2)

      LibreSSL 2.6.1 has SSL_CTX_set_tmp_ecdh_callback() function, but it does not work.

  * test/test_ssl: suppress warning in test_alpn_protocol_selection_cancel (Kazuki Yamaguchi, 2017-09-08, 1 file, -0/+1)

      Suppress "using default DH parameters" message.

* ssl: rework SSLContext#ssl_version= (Kazuki Yamaguchi, 2017-09-03, 1 file, -0/+11)

    Reimplement SSLContext#ssl_version= as a wrapper around SSLContext#min_version= and #max_version=.

    SSLContext#ssl_version= used to call SSL_CTX_set_ssl_version() which replaces the SSL method used for the connections created from the SSL context. This is mainly used for forcing a specific SSL/TLS protocol version. As of OpenSSL 1.1.0, however, use of the version-specific SSL methods such as TLSv1_method() is deprecated. Follow the current recommendation -- to use the generic SSL method always and to control the supported version range by SSL_CTX_set_{min,max}_proto_version(). Actually, we have already started doing a similar thing when the extension is compiled with OpenSSL 1.1.0.

    OpenSSL::SSL::SSLContext::METHODS, which contained the possible names of SSL methods, is not useful anymore. It is now deprecate_constant-ed.

* ssl: add SSLContext#min_version= and #max_version= (Kazuki Yamaguchi, 2017-09-03, 1 file, -76/+175)

    Add methods that set the minimum and maximum supported protocol versions for the SSL context. If the OpenSSL library supports, use SSL_CTX_set_{min,max}_proto_version() that do the exact thing. Otherwise, simulate by combining SSL_OP_NO_{SSL,TLS}v* flags.

    The new methods are meant to replace the deprecated #ssl_version= that cannot support multiple protocol versions.

    SSLContext::DEFAULT_PARAMS is also updated to use the new SSLContext#min_version=.

* Merge branch 'maint' (Kazuki Yamaguchi, 2017-08-26, 1 file, -237/+194)

    This also restores 'if defined?(OpenSSL)-end' wrapping the test code. They have been removed erroneously by commit 4eb4b3297a92 ("Remove support for OpenSSL 0.9.8 and 1.0.0", 2016-11-30).

    * maint:
      test/test_ssl: explicitly accept TLS 1.1 in corresponding test
      ssl: remove useless call to rb_thread_wait_fd()
      test/test_pair, test/test_ssl: fix for TLS 1.3
      test/test_ssl_session: rearrange tests
      test/test_ssl: move test_multibyte_read_write to test_pair
      test/test_ssl: remove test_invalid_shutdown_by_gc
      test/utils: do not use DSA certificates in SSL tests
      test/utils: add OpenSSL::TestUtils.openssl? and .libressl?
      test/utils: improve error handling in start_server
      test/utils: let server_loop close socket
      test/utils: do not set ecdh_curves in start_server
      test/utils: have start_server yield only the port number
      test/utils: add SSLTestCase#tls12_supported?
      test/utils: remove OpenSSL::TestUtils.silent
      test: fix formatting
      Rakefile: let sync:to_ruby know about test/openssl/fixtures
      cipher: update the documentation for Cipher#auth_tag=
      Backport "Merge branch 'topic/test-memory-leak'" to maint
      ssl: do not call session_remove_cb during GC

  * test/test_ssl: explicitly accept TLS 1.1 in corresponding test (Antonio Terceiro, 2017-08-26, 1 file, -1/+2)

      OpenSSL in Debian sid has recently disabled TLS < 1.2 by default, so in order to test that TLS 1.1 works, we need to explicitly make our test client accept it.

  * test/test_pair, test/test_ssl: fix for TLS 1.3 [ky/maint-fix-test-with-tls13] (Kazuki Yamaguchi, 2017-08-24, 1 file, -118/+91)

      Fix test cases failing with TLS 1.3-enabled OpenSSL master.

  * test/test_ssl: move test_multibyte_read_write to test_pair (Kazuki Yamaguchi, 2017-08-24, 1 file, -24/+0)

  * test/test_ssl: remove test_invalid_shutdown_by_gc (Kazuki Yamaguchi, 2017-08-24, 1 file, -14/+0)

      The very patch that added this test case made the dfree function not send close_notify alert when an SSLSocket is being GCed. Anyway, the new OSSL_GC_STRESS option added by 6ee4b285036e ("test: run test cases under GC.stress if OSSL_GC_STRESS is specified", 2016-12-04) will cover this kind of issues.

  * test/utils: add OpenSSL::TestUtils.openssl? and .libressl? (Kazuki Yamaguchi, 2017-08-24, 1 file, -4/+3)

      Add methods that check whether the running OpenSSL is an OpenSSL or a LibreSSL, and optionally check whether the version is newer or equal to the given version number.

  * test/utils: let server_loop close socket (Kazuki Yamaguchi, 2017-08-24, 1 file, -14/+8)

      Close the socket by server_loop rather than by server_proc. This reduces code duplication.

  * test/utils: do not set ecdh_curves in start_server (Kazuki Yamaguchi, 2017-08-24, 1 file, -23/+47)

      An assumption in OpenSSL::TestSSL#test_get_ephemeral_key is that the ephemeral key type is always EVP_PKEY_EC when negotiated with an ECDHE cipher suite. This is not true if X25519 is chosen. The test is passing because we happen to fix the group to P-256 in start_server, but let's make it explicit.