ssl: remove cert_store from start_server test helper

OpenSSL::SSL::SSLContext#cert_store= uses SSL_CTX_set_cert_store(). The
store is used for verifying peer certificates and for building
certificate chains to be sent to the peer if there is no chain
explicitly provided by SSLContext#extra_chain_cert=.

Do not specify it in the common test helper start_server, as most
callers do not require either function. Instead, update individual test
cases that use client certificates to explicitly specify it in ctx_proc.
A more direct test case is added to verify the latter function.

Author: rhenium

test/openssl/test_ssl.rb

@@ -230,6 +230,34 @@ def test_add_certificate_multiple_certs
     end
   end
 
+  def test_extra_chain_cert_auto_chain
+    start_server { |port|
+      server_connect(port) { |ssl|
+        ssl.puts "abc"; assert_equal "abc\n", ssl.gets
+        assert_equal @svr_cert.to_der, ssl.peer_cert.to_der
+        assert_equal [@svr_cert], ssl.peer_cert_chain
+      }
+    }
+
+    # AWS-LC enables SSL_MODE_NO_AUTO_CHAIN by default
+    unless aws_lc?
+      ctx_proc = -> ctx {
+        # Sanity check: start_server won't set extra_chain_cert
+        assert_nil ctx.extra_chain_cert
+        ctx.cert_store = OpenSSL::X509::Store.new.tap { |store|
+          store.add_cert(@ca_cert)
+        }
+      }
+      start_server(ctx_proc: ctx_proc) { |port|
+        server_connect(port) { |ssl|
+          ssl.puts "abc"; assert_equal "abc\n", ssl.gets
+          assert_equal @svr_cert.to_der, ssl.peer_cert.to_der
+          assert_equal [@svr_cert, @ca_cert], ssl.peer_cert_chain
+        }
+      }
+    end
+  end
+
   def test_sysread_and_syswrite
     start_server { |port|
       server_connect(port) { |ssl|
@@ -396,11 +424,15 @@ def test_verify_mode_client_cert_required
 
   def test_client_auth_success
     vflag = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
-    start_server(verify_mode: vflag,
-      ctx_proc: proc { |ctx|
-        # LibreSSL doesn't support client_cert_cb in TLS 1.3
-        ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION if libressl?
-    }) { |port|
+    ctx_proc = proc { |ctx|
+      store = OpenSSL::X509::Store.new
+      store.add_cert(@ca_cert)
+      store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
+      ctx.cert_store = store
+      # LibreSSL doesn't support client_cert_cb in TLS 1.3
+      ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION if libressl?
+    }
+    start_server(verify_mode: vflag, ctx_proc: ctx_proc) { |port|
       ctx = OpenSSL::SSL::SSLContext.new
       ctx.key = @cli_key
       ctx.cert = @cli_cert
@@ -445,6 +477,10 @@ def test_client_ca
     pend "LibreSSL doesn't support certificate_authorities" if libressl?
 
     ctx_proc = Proc.new do |ctx|
+      store = OpenSSL::X509::Store.new
+      store.add_cert(@ca_cert)
+      store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
+      ctx.cert_store = store
       ctx.client_ca = [@ca_cert]
     end
 
@@ -510,7 +546,7 @@ def test_verify_result
       ssl.sync_close = true
       begin
         assert_raise(OpenSSL::SSL::SSLError){ ssl.connect }
-        assert_equal(OpenSSL::X509::V_ERR_SELF_SIGNED_CERT_IN_CHAIN, ssl.verify_result)
+        assert_equal(OpenSSL::X509::V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, ssl.verify_result)
       ensure
         ssl.close
       end
@@ -1162,9 +1198,7 @@ def test_connect_certificate_verify_failed_exception_message
     start_server(ignore_listener_error: true) { |port|
       ctx = OpenSSL::SSL::SSLContext.new
       ctx.set_params
-      # OpenSSL <= 1.1.0: "self signed certificate in certificate chain"
-      # OpenSSL >= 3.0.0: "self-signed certificate in certificate chain"
-      assert_raise_with_message(OpenSSL::SSL::SSLError, /self.signed/) {
+      assert_raise_with_message(OpenSSL::SSL::SSLError, /unable to get local issuer certificate/) {
         server_connect(port, ctx)
       }
     }

test/openssl/utils.rb

@@ -201,11 +201,7 @@ def start_server(verify_mode: OpenSSL::SSL::VERIFY_NONE,
                    accept_proc: proc{},
                    ignore_listener_error: false, &block)
     IO.pipe {|stop_pipe_r, stop_pipe_w|
-      store = OpenSSL::X509::Store.new
-      store.add_cert(@ca_cert)
-      store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
       ctx = OpenSSL::SSL::SSLContext.new
-      ctx.cert_store = store
       ctx.cert = @svr_cert
       ctx.key = @svr_key
       ctx.verify_mode = verify_mode