Test matrix update and additional test fixes for OpenSSL 1.1.1

.travis.yml

@@ -18,14 +18,17 @@ matrix:
   fast_finish: true
   include:
     - env: RUBY_VERSION=ruby-2.3 OPENSSL_VERSION=openssl-1.0.2
-    - env: RUBY_VERSION=ruby-2.4 OPENSSL_VERSION=openssl-1.0.0
-    - env: RUBY_VERSION=ruby-2.4 OPENSSL_VERSION=openssl-1.0.1
     - env: RUBY_VERSION=ruby-2.4 OPENSSL_VERSION=openssl-1.0.2
-    - env: RUBY_VERSION=ruby-2.4 OPENSSL_VERSION=openssl-1.1.0
-    - env: RUBY_VERSION=ruby-2.4 OPENSSL_VERSION=libressl-2.3
-    - env: RUBY_VERSION=ruby-2.4 OPENSSL_VERSION=libressl-2.4
-    - env: RUBY_VERSION=ruby-2.4 OPENSSL_VERSION=libressl-2.5
-    - env: RUBY_VERSION=ruby-2.4 OPENSSL_VERSION=libressl-2.6
+    - env: RUBY_VERSION=ruby-2.5 OPENSSL_VERSION=openssl-1.0.0
+    - env: RUBY_VERSION=ruby-2.5 OPENSSL_VERSION=openssl-1.0.1
+    - env: RUBY_VERSION=ruby-2.5 OPENSSL_VERSION=openssl-1.0.2
+    - env: RUBY_VERSION=ruby-2.5 OPENSSL_VERSION=openssl-1.1.0
+    - env: RUBY_VERSION=ruby-2.5 OPENSSL_VERSION=openssl-1.1.1
+    - env: RUBY_VERSION=ruby-2.5 OPENSSL_VERSION=libressl-2.3
+    - env: RUBY_VERSION=ruby-2.5 OPENSSL_VERSION=libressl-2.4
+    - env: RUBY_VERSION=ruby-2.5 OPENSSL_VERSION=libressl-2.5
+    - env: RUBY_VERSION=ruby-2.5 OPENSSL_VERSION=libressl-2.6
+    - env: RUBY_VERSION=ruby-2.5 OPENSSL_VERSION=libressl-2.7
     - language: ruby
       rvm: ruby-head
       before_install:
@@ -36,3 +39,4 @@ matrix:
   allow_failures:
     - language: ruby
       rvm: ruby-head
+    - env: RUBY_VERSION=ruby-2.5 OPENSSL_VERSION=openssl-1.1.1

Dockerfile

@@ -1 +1 @@
-FROM zzak/ruby-openssl-docker:2.0
+FROM zzak/ruby-openssl-docker:testing

test/test_ssl.rb

@@ -48,6 +48,8 @@ def test_ssl_with_server_cert
         assert_equal 2, ssl.peer_cert_chain.size
         assert_equal @svr_cert.to_der, ssl.peer_cert_chain[0].to_der
         assert_equal @ca_cert.to_der, ssl.peer_cert_chain[1].to_der
+
+        ssl.puts "abc"; assert_equal "abc\n", ssl.gets
       ensure
         ssl&.close
         sock&.close
@@ -77,6 +79,7 @@ def test_sync_close
         sock = TCPSocket.new("127.0.0.1", port)
         ssl = OpenSSL::SSL::SSLSocket.new(sock)
         ssl.connect
+        ssl.puts "abc"; assert_equal "abc\n", ssl.gets
         ssl.close
         assert_not_predicate sock, :closed?
       ensure
@@ -88,6 +91,7 @@ def test_sync_close
         ssl = OpenSSL::SSL::SSLSocket.new(sock)
         ssl.sync_close = true  # !!
         ssl.connect
+        ssl.puts "abc"; assert_equal "abc\n", ssl.gets
         ssl.close
         assert_predicate sock, :closed?
       ensure
@@ -179,7 +183,10 @@ def test_client_ca
         client_ca_from_server = sslconn.client_ca
         [@cli_cert, @cli_key]
       end
-      server_connect(port, ctx) { |ssl| assert_equal([@ca], client_ca_from_server) }
+      server_connect(port, ctx) { |ssl|
+        assert_equal([@ca], client_ca_from_server)
+        ssl.puts "abc"; assert_equal "abc\n", ssl.gets
+      }
     }
   end
 
@@ -276,21 +283,16 @@ def test_verify_result
     }
 
     start_server { |port|
-      sock = TCPSocket.new("127.0.0.1", port)
       ctx = OpenSSL::SSL::SSLContext.new
       ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
       ctx.verify_callback = Proc.new do |preverify_ok, store_ctx|
         store_ctx.error = OpenSSL::X509::V_OK
         true
       end
-      ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
-      ssl.sync_close = true
-      begin
-        ssl.connect
+      server_connect(port, ctx) { |ssl|
         assert_equal(OpenSSL::X509::V_OK, ssl.verify_result)
-      ensure
-        ssl.close
-      end
+        ssl.puts "abc"; assert_equal "abc\n", ssl.gets
+      }
     }
 
     start_server(ignore_listener_error: true) { |port|
@@ -377,6 +379,8 @@ def test_post_connection_check
 
     start_server { |port|
       server_connect(port) { |ssl|
+        ssl.puts "abc"; assert_equal "abc\n", ssl.gets
+
         assert_raise(sslerr){ssl.post_connection_check("localhost.localdomain")}
         assert_raise(sslerr){ssl.post_connection_check("127.0.0.1")}
         assert(ssl.post_connection_check("localhost"))
@@ -398,6 +402,8 @@ def test_post_connection_check
     @svr_cert = issue_cert(@svr, @svr_key, 4, exts, @ca_cert, @ca_key)
     start_server { |port|
       server_connect(port) { |ssl|
+        ssl.puts "abc"; assert_equal "abc\n", ssl.gets
+
         assert(ssl.post_connection_check("localhost.localdomain"))
         assert(ssl.post_connection_check("127.0.0.1"))
         assert_raise(sslerr){ssl.post_connection_check("localhost")}
@@ -418,6 +424,8 @@ def test_post_connection_check
     @svr_cert = issue_cert(@svr, @svr_key, 5, exts, @ca_cert, @ca_key)
     start_server { |port|
       server_connect(port) { |ssl|
+        ssl.puts "abc"; assert_equal "abc\n", ssl.gets
+
         assert(ssl.post_connection_check("localhost.localdomain"))
         assert_raise(sslerr){ssl.post_connection_check("127.0.0.1")}
         assert_raise(sslerr){ssl.post_connection_check("localhost")}
@@ -644,6 +652,8 @@ def test_tlsext_hostname
         ssl.connect
         assert_equal @cli_cert.serial, ssl.peer_cert.serial
         assert_predicate fooctx, :frozen?
+
+        ssl.puts "abc"; assert_equal "abc\n", ssl.gets
       ensure
         ssl&.close
         sock.close
@@ -655,6 +665,8 @@ def test_tlsext_hostname
         ssl.hostname = "bar.example.com"
         ssl.connect
         assert_equal @svr_cert.serial, ssl.peer_cert.serial
+
+        ssl.puts "abc"; assert_equal "abc\n", ssl.gets
       ensure
         ssl&.close
         sock.close
@@ -727,7 +739,8 @@ def test_verify_hostname_on_connect
           ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
           ssl.hostname = name
           if expected_ok
-            assert_nothing_raised { ssl.connect }
+            ssl.connect
+            ssl.puts "abc"; assert_equal "abc\n", ssl.gets
           else
             assert_handshake_error { ssl.connect }
           end
@@ -856,6 +869,7 @@ def test_renegotiation_cb
     start_server_version(:SSLv23, ctx_proc) { |port|
       server_connect(port) { |ssl|
         assert_equal(1, num_handshakes)
+        ssl.puts "abc"; assert_equal "abc\n", ssl.gets
       }
     }
   end
@@ -874,6 +888,7 @@ def test_alpn_protocol_selection_ary
       ctx.alpn_protocols = advertised
       server_connect(port, ctx) { |ssl|
         assert_equal(advertised.first, ssl.alpn_protocol)
+        ssl.puts "abc"; assert_equal "abc\n", ssl.gets
       }
     }
   end
@@ -996,14 +1011,11 @@ def test_npn_selected_protocol_too_long
   end
 
   def test_close_after_socket_close
-    server_proc = proc { |ctx, ssl|
-      # Do nothing
-    }
-    start_server(server_proc: server_proc) { |port|
+    start_server { |port|
       sock = TCPSocket.new("127.0.0.1", port)
       ssl = OpenSSL::SSL::SSLSocket.new(sock)
-      ssl.sync_close = true
       ssl.connect
+      ssl.puts "abc"; assert_equal "abc\n", ssl.gets
       sock.close
       assert_nothing_raised do
         ssl.close
@@ -1068,6 +1080,7 @@ def test_get_ephemeral_key
         ctx.ciphers = "DEFAULT:!kRSA:!kEDH"
         server_connect(port, ctx) { |ssl|
           assert_instance_of OpenSSL::PKey::EC, ssl.tmp_key
+          ssl.puts "abc"; assert_equal "abc\n", ssl.gets
         }
       end
     end
@@ -1158,6 +1171,7 @@ def test_ecdh_curves
             assert_equal "secp384r1", ssl.tmp_key.group.curve_name
           end
         end
+        ssl.puts "abc"; assert_equal "abc\n", ssl.gets
       }
 
       if openssl?(1, 0, 2) || libressl?(2, 5, 1)
@@ -1173,6 +1187,7 @@ def test_ecdh_curves
 
         server_connect(port, ctx) { |ssl|
           assert_equal "secp521r1", ssl.tmp_key.group.curve_name
+          ssl.puts "abc"; assert_equal "abc\n", ssl.gets
         }
       end
     end

test/test_ssl_session.rb

@@ -113,6 +113,7 @@ def test_resumption
     non_resumable = nil
     start_server { |port|
       server_connect_with_session(port, nil, nil) { |ssl|
+        ssl.puts "abc"; assert_equal "abc\n", ssl.gets
         non_resumable = ssl.session
       }
     }

tool/ruby-openssl-docker/Dockerfile

@@ -1,4 +1,4 @@
-FROM ubuntu:16.04
+FROM ubuntu:18.04
 
 RUN apt-get update && apt-get install -y --no-install-recommends \
   autoconf \
@@ -29,21 +29,29 @@ RUN curl -s https://www.openssl.org/source/openssl-1.0.1u.tar.gz | tar -C /build
       shared linux-x86_64 && \
     make && make install_sw
 
-RUN curl -s https://www.openssl.org/source/openssl-1.0.2l.tar.gz | tar -C /build/openssl -xzf - && \
-    cd /build/openssl/openssl-1.0.2l && \
+RUN curl -s https://www.openssl.org/source/openssl-1.0.2o.tar.gz | tar -C /build/openssl -xzf - && \
+    cd /build/openssl/openssl-1.0.2o && \
     ./Configure \
       --openssldir=/opt/openssl/openssl-1.0.2 \
       shared linux-x86_64 && \
     make && make install_sw
 
-RUN curl -s https://www.openssl.org/source/openssl-1.1.0f.tar.gz | tar -C /build/openssl -xzf - && \
-    cd /build/openssl/openssl-1.1.0f && \
+RUN curl -s https://www.openssl.org/source/openssl-1.1.0h.tar.gz | tar -C /build/openssl -xzf - && \
+    cd /build/openssl/openssl-1.1.0h && \
     ./Configure \
       --prefix=/opt/openssl/openssl-1.1.0 \
       enable-crypto-mdebug enable-crypto-mdebug-backtrace \
       linux-x86_64 && \
     make && make install_sw
 
+RUN curl -s https://www.openssl.org/source/openssl-1.1.1-pre8.tar.gz | tar -C /build/openssl -xzf - && \
+    cd /build/openssl/openssl-1.1.1-pre8 && \
+    ./Configure \
+      --prefix=/opt/openssl/openssl-1.1.1 \
+      enable-crypto-mdebug enable-crypto-mdebug-backtrace \
+      linux-x86_64 && \
+    make && make install_sw
+
 # Supported libressl versions: 2.3-
 RUN curl -s http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.3.10.tar.gz | tar -C /build/openssl -xzf - && \
     cd /build/openssl/libressl-2.3.10 && \
@@ -63,30 +71,44 @@ RUN curl -s http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.5.5.tar.gz |
       --prefix=/opt/openssl/libressl-2.5 && \
     make && make install
 
-RUN curl -s http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.6.1.tar.gz | tar -C /build/openssl -xzf - && \
-    cd /build/openssl/libressl-2.6.1 && \
+RUN curl -s http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.6.5.tar.gz | tar -C /build/openssl -xzf - && \
+    cd /build/openssl/libressl-2.6.5 && \
     ./configure \
       --prefix=/opt/openssl/libressl-2.6 && \
     make && make install
 
+RUN curl -s http://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.7.4.tar.gz | tar -C /build/openssl -xzf - && \
+    cd /build/openssl/libressl-2.7.4 && \
+    ./configure \
+      --prefix=/opt/openssl/libressl-2.7 && \
+    make && make install
+
 # Supported Ruby versions: 2.3-
 RUN mkdir -p /build/ruby
-RUN curl -s https://cache.ruby-lang.org/pub/ruby/2.3/ruby-2.3.5.tar.gz | tar -C /build/ruby -xzf - && \
-    cd /build/ruby/ruby-2.3.5 && \
+RUN curl -s https://cache.ruby-lang.org/pub/ruby/2.3/ruby-2.3.7.tar.gz | tar -C /build/ruby -xzf - && \
+    cd /build/ruby/ruby-2.3.7 && \
     autoconf && ./configure \
       --without-openssl \
       --prefix=/opt/ruby/ruby-2.3 \
       --disable-install-doc && \
     make && make install
 
-RUN curl -s https://cache.ruby-lang.org/pub/ruby/2.4/ruby-2.4.2.tar.gz | tar -C /build/ruby -xzf - && \
-    cd /build/ruby/ruby-2.4.2 && \
+RUN curl -s https://cache.ruby-lang.org/pub/ruby/2.4/ruby-2.4.4.tar.gz | tar -C /build/ruby -xzf - && \
+    cd /build/ruby/ruby-2.4.4 && \
     autoconf && ./configure \
       --without-openssl \
       --prefix=/opt/ruby/ruby-2.4 \
       --disable-install-doc && \
     make && make install
 
+RUN curl -s https://cache.ruby-lang.org/pub/ruby/2.5/ruby-2.5.1.tar.gz | tar -C /build/ruby -xzf - && \
+    cd /build/ruby/ruby-2.5.1 && \
+    autoconf && ./configure \
+      --without-openssl \
+      --prefix=/opt/ruby/ruby-2.5 \
+      --disable-install-doc && \
+    make && make install
+
 ONBUILD ADD . /home/openssl/code
 ONBUILD WORKDIR /home/openssl/code
 

tool/ruby-openssl-docker/init.sh

@@ -2,7 +2,7 @@
 
 if [[ "$RUBY_VERSION" = "" ]]
 then
-  RUBY_VERSION=ruby-2.4
+  RUBY_VERSION=ruby-2.5
 fi
 
 if [[ "$OPENSSL_VERSION" = "" ]]