@@ -1419,6 +1419,55 @@ def test_minmax_version_system_default
14191419 }
14201420 end
14211421
1422+ def test_respect_system_default_min
1423+ omit "LibreSSL does not support OPENSSL_CONF" if libressl?
1424+
1425+ Tempfile . create ( "openssl.cnf" ) { |f |
1426+ f . puts ( <<~EOF )
1427+ openssl_conf = default_conf
1428+ [default_conf]
1429+ ssl_conf = ssl_sect
1430+ [ssl_sect]
1431+ system_default = ssl_default_sect
1432+ [ssl_default_sect]
1433+ MinProtocol = TLSv1.3
1434+ EOF
1435+ f . close
1436+
1437+ ctx_proc = proc { |ctx |
1438+ ctx . min_version = ctx . max_version = OpenSSL ::SSL ::TLS1_2_VERSION
1439+ }
1440+ start_server ( ctx_proc : ctx_proc , ignore_listener_error : true ) do |port |
1441+ assert_separately ( [ { "OPENSSL_CONF" => f . path } , "-ropenssl" , "-" , port . to_s ] , <<~"end;" )
1442+ sock = TCPSocket.new("127.0.0.1", ARGV[0].to_i)
1443+ ctx = OpenSSL::SSL::SSLContext.new
1444+ ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
1445+ ssl.sync_close = true
1446+ assert_raise(OpenSSL::SSL::SSLError) do
1447+ ssl.connect
1448+ end
1449+ ssl.close
1450+ end;
1451+ end
1452+
1453+ ctx_proc = proc { |ctx |
1454+ ctx . min_version = ctx . max_version = OpenSSL ::SSL ::TLS1_3_VERSION
1455+ }
1456+ start_server ( ctx_proc : ctx_proc , ignore_listener_error : true ) do |port |
1457+ assert_separately ( [ { "OPENSSL_CONF" => f . path } , "-ropenssl" , "-" , port . to_s ] , <<~"end;" )
1458+ sock = TCPSocket.new("127.0.0.1", ARGV[0].to_i)
1459+ ctx = OpenSSL::SSL::SSLContext.new
1460+ ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
1461+ ssl.sync_close = true
1462+ ssl.connect
1463+ assert_equal("TLSv1.3", ssl.ssl_version)
1464+ ssl.puts("abc"); assert_equal("abc\n ", ssl.gets)
1465+ ssl.close
1466+ end;
1467+ end
1468+ }
1469+ end
1470+
14221471 def test_options_disable_versions
14231472 # It's recommended to use SSLContext#{min,max}_version= instead in real
14241473 # applications. The purpose of this test case is to check that SSL options
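Review bot: The first subtest's `assert_raise(OpenSSL::SSL::SSLError)` around `ssl.connect` is satisfied by any handshake failure, so on its own it does not show that the client refused the TLS 1.2-only server because of the `MinProtocol = TLSv1.3` floor in the temporary config. A control run against the same server with `OPENSSL_CONF` unset, asserting `"TLSv1.2"` from `ssl.ssl_version`, would tie the rejection to the system default rather than to some unrelated failure. This assumes the host's own default configuration still permits TLS 1.2; where that cannot be relied on, a comment above the `assert_raise` naming the expected cause of the rejection is the minimum. The whole test method lies inside the hunk.

```ruby
# … unchanged: Tempfile setup and the TLS 1.2-only ctx_proc …
start_server(ctx_proc: ctx_proc, ignore_listener_error: true) do |port|
  # Control: without the temporary config the same bare context must still
  # reach the TLS 1.2-only server, so the later failure is due to MinProtocol.
  assert_separately([{ "OPENSSL_CONF" => nil }, "-ropenssl", "-", port.to_s], <<~"end;")
    sock = TCPSocket.new("127.0.0.1", ARGV[0].to_i)
    ssl = OpenSSL::SSL::SSLSocket.new(sock, OpenSSL::SSL::SSLContext.new)
    ssl.sync_close = true
    ssl.connect
    assert_equal("TLSv1.2", ssl.ssl_version)
    ssl.close
  end;
end
# … unchanged: the two existing start_server blocks …
```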