Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Miscellaneous OpenSSL-related improvements #25

Merged
merged 4 commits into from
May 15, 2021

Conversation

rhenium
Copy link
Member

@rhenium rhenium commented Apr 23, 2021

This replaces #23 - updated the test cases to actually confirm that the hostname verification is performed.

This also fixes test failures on an environment without the openssl library.


Improve behavior on environment without openssl library

Check OpenSSL::VERSION constant to see if openssl library is available
or not.

Due to how autoload works, "defined?(OpenSSL)" does not always work
as expected: it reports as "constant" even if openssl library actually
fails to load. net-smtp eagerly loads openssl, but another library can
register autoload and it will still be a problem.

Test cases are adjusted to skip relevant tests when openssl library is
not available.


Use real TLS connections for testing TLS/STARTTLS feature

Set up an actual TLS server and connect to it. This ensures that
certificate verification is actually enabled on the SSLContext and
performed on connection.

The test cases in test_ssl_socket.rb are merged into test_sslcontext.rb
for simplicity.


OpenSSL::SSL::SSLSocket#hostname= is always available

Currently net-smtp requires Ruby 2.5. This means that we can assume
ruby-openssl library is version 2.1 or later.

SNI support (SSLSocket#hostname=) is available in all OpenSSL versions
supported by this ruby-openssl version.

Also, a recent change started using SSLContext#set_params, which enables
the automatic hostname verification during handshake. This makes the
SSLSocket#post_connection_check call redundant.

[rhe: Added explanation about the change.]

tmtm and others added 4 commits April 23, 2021 15:45
Check OpenSSL::VERSION constant to see if openssl library is available
or not.

Due to how autoload works, "defined?(OpenSSL)" does not always work
as expected: it reports as "constant" even if openssl library actually
fails to load. net-smtp eagerly loads openssl, but another library can
register autoload and it will still be a problem.

Test cases are adjusted to skip relevant tests when openssl library is
not available.
Set up an actual TLS server and connect to it. This ensures that
certificate verification is actually enabled on the SSLContext and
performed on connection.

The test cases in test_ssl_socket.rb are merged into test_sslcontext.rb
for simplicity.
Currently net-smtp requires Ruby 2.5. This means that we can assume
ruby-openssl library is version 2.1 or later.

SNI support (SSLSocket#hostname=) is available in all OpenSSL versions
supported by this ruby-openssl version.

Also, a recent change started using SSLContext#set_params, which enables
the automatic hostname verification during handshake. This makes the
SSLSocket#post_connection_check call redundant.

[rhe: Added explanation about the change.]
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Development

Successfully merging this pull request may close these issues.

2 participants