Miscellaneous OpenSSL-related improvements #25
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Check OpenSSL::VERSION constant to see if openssl library is available or not. Due to how autoload works, "defined?(OpenSSL)" does not always work as expected: it reports as "constant" even if openssl library actually fails to load. net-smtp eagerly loads openssl, but another library can register autoload and it will still be a problem. Test cases are adjusted to skip relevant tests when openssl library is not available.
Set up an actual TLS server and connect to it. This ensures that certificate verification is actually enabled on the SSLContext and performed on connection. The test cases in test_ssl_socket.rb are merged into test_sslcontext.rb for simplicity.
Currently net-smtp requires Ruby 2.5. This means that we can assume ruby-openssl library is version 2.1 or later. SNI support (SSLSocket#hostname=) is available in all OpenSSL versions supported by this ruby-openssl version. Also, a recent change started using SSLContext#set_params, which enables the automatic hostname verification during handshake. This makes the SSLSocket#post_connection_check call redundant. [rhe: Added explanation about the change.]
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This replaces #23 - updated the test cases to actually confirm that the hostname verification is performed.
This also fixes test failures on an environment without the openssl library.
Improve behavior on environment without openssl library
Check OpenSSL::VERSION constant to see if openssl library is available
or not.
Due to how autoload works, "defined?(OpenSSL)" does not always work
as expected: it reports as "constant" even if openssl library actually
fails to load. net-smtp eagerly loads openssl, but another library can
register autoload and it will still be a problem.
Test cases are adjusted to skip relevant tests when openssl library is
not available.
Use real TLS connections for testing TLS/STARTTLS feature
Set up an actual TLS server and connect to it. This ensures that
certificate verification is actually enabled on the SSLContext and
performed on connection.
The test cases in test_ssl_socket.rb are merged into test_sslcontext.rb
for simplicity.
OpenSSL::SSL::SSLSocket#hostname= is always available
Currently net-smtp requires Ruby 2.5. This means that we can assume
ruby-openssl library is version 2.1 or later.
SNI support (SSLSocket#hostname=) is available in all OpenSSL versions
supported by this ruby-openssl version.
Also, a recent change started using SSLContext#set_params, which enables
the automatic hostname verification during handshake. This makes the
SSLSocket#post_connection_check call redundant.
[rhe: Added explanation about the change.]