context_builder.rb - require openssl if verify_mode != 'none' #3179
Conversation
This seems like a weird place to put the Why not require in #peercert?
Don't have a strong opinion, but I thought locating it where it is happens on 'startup', rather than when the first request happens. Also, in peercert, it will run on every request? Note that with VERIFY_NONE, even if a client includes a cert,
Force-pushed from 8d522c6 to f712a2c
Actions is kind of wacked right now. I added comments to a few methods for this.
Would be nice to commit the tests with this change
Force-pushed from f712a2c to da574b7
Ok, I added two test helper files from my test update.
The main idea is that there should be two helper files, one based on the server related code in These two server files would share instance variable names with Re this PR, if one checks out the third commit, which is before any library file changes, the following is shown in the test listing:
The new test (
Force-pushed from da574b7 to 3c2f158
Force-pushed from 3c2f158 to 3cc96bf
I'd like to merge this, as this PR adds Once it's committed, I'll document the code in it, and it will show up in the Puma docs. I can start converting test files to use it, one PR at a time. Many files in the test suite either create an 'in process' server via The code for inproc servers is also scattered across several test files, and I'd like to consolidate that code into a file, maybe Thoughts?

Off-topic: There are many places in the test suite where
Sounds good to me
Force-pushed from 3cc96bf to ac0a683
* integration.rb - cli_server: log IO.popen command
* test/helpers - add test_puma.rb & test_puma/puma_socket.rb
* test/test_integration_ssl.rb - add test_verify_client_cert_roundtrip
  test shows that OpenSSL needs to be required when server is using `verify_mode: 'force_peer'`
* context_builder.rb - require openssl if verify_mode != 'none'
* Update comments
* test_integration_ssl.rb - test_verify_client_cert_roundtrip - both TLSv1.3 & TLSv1.2
  Make sure 'localhost' is used for host
Description

Current code in `MiniSSL::Socket#peercert` contains the following line:

puma/lib/puma/minissl.rb, line 194 in 188f5da

The above statement only runs when `MiniSSL::Context#verify_mode` is not equal to `MiniSSL::VERIFY_NONE`. So, we need to require openssl when needed.

Note that `MiniSSL::Socket#peercert` was added in PR #709 'ssl: Add Client Side Certificate Auth'. The cert subject is used in `LogWriter#ssl_error`, and the cert object is set to `env['puma.peercert']`. The app environment key doesn't seem to be 'publicly' listed.

Current tests only check this with an in-process server, and since the client sockets are ssl, `openssl` is loaded for the clients. I added some additional spawned tests (Integration) that showed the problem, but that was using my updated test framework. We'll see...
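The verify_mode gating and peer-cert handling the description refers to, modelled as an added Ruby example (not Puma's own code): it builds a constructed self-signed client certificate, then shows that only `verify_mode: 'none'` can skip loading openssl, because every other mode parses the client's DER cert into an `OpenSSL::X509::Certificate` whose subject is what ends up logged. The helper names (`openssl_needed?`, `peercert`, `peercert_subject`) are hypothetical, and the openssl standard library is assumed to be available.

```ruby
require 'openssl' # assumed available; Puma only requires it when needed (see below)

# Constructed, self-signed client certificate returned as DER bytes, standing in
# for what a server sees from a connecting client that presents a cert.
def constructed_client_cert_der(cn = 'client.example')
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject # self-signed
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_der
end

# The rule the PR applies in context_builder.rb: only verify_mode 'none'
# never touches the client cert, so only 'none' can do without openssl.
def openssl_needed?(verify_mode)
  verify_mode.to_s != 'none'
end

# Hypothetical model of MiniSSL::Socket#peercert: nothing to do under 'none';
# otherwise the DER cert presented by the client is parsed with OpenSSL, which
# raises NameError if 'openssl' was never required. Returns nil when the
# client sent no cert (possible under 'peer', which does not force one).
def peercert(raw_der, verify_mode)
  return nil unless openssl_needed?(verify_mode)
  return nil if raw_der.nil?
  OpenSSL::X509::Certificate.new(raw_der)
end

# The value a logger such as LogWriter#ssl_error would record: the peer
# cert's subject, or nil when no cert is available.
def peercert_subject(raw_der, verify_mode)
  cert = peercert(raw_der, verify_mode)
  cert && cert.subject.to_s
end

if __FILE__ == $PROGRAM_NAME
  der = constructed_client_cert_der
  puts "force_peer -> #{peercert_subject(der, 'force_peer').inspect}"
  puts "none       -> #{peercert_subject(der, 'none').inspect}"
end
```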