
test: use larger keys for SSL tests #217

Merged
merged 2 commits into from
Jun 5, 2019

Conversation

rhenium
Member

@rhenium rhenium commented Aug 16, 2018

Call IO.select with a timeout value and limit the number of retries to
prevent stacking forever.

Reference: #214


Some systems enforce a system-wide policy to restrict key sizes used in
SSL/TLS. Use larger ones if possible so that the test suite runs
successfully.

New PEM files test/fixtures/pkey/{dh-1,rsa-1,rsa-2,rsa-3}.pem are added
to the tree, and SSL tests now use them instead of the fixed-size keys.

Reference: #215


I'll need to squash this in when I merge to maint (v2.1.x): rhenium@e469d2c

Cc: @voxik

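The bounded-wait pattern from the first commit message (IO.select with a timeout plus a retry limit, so a silent peer cannot make a test hang forever), as an added example that is not the project's own helper; the function name `read_bounded` and the limits are assumptions:

```ruby
require "socket"

# Added example (not ruby/openssl code): a reader that never waits forever.
# Each wait for readability is bounded by `timeout` seconds via IO.select,
# and after `max_waits` fruitless waits it gives up and returns nil instead
# of stacking retries indefinitely.
def read_bounded(io, len, timeout: 0.1, max_waits: 5)
  waits = 0
  loop do
    chunk = io.read_nonblock(len, exception: false)
    case chunk
    when :wait_readable
      return nil if waits >= max_waits     # retry budget exhausted: give up
      waits += 1
      IO.select([io], nil, nil, timeout)   # returns nil on timeout, never blocks forever
    when nil
      return nil                           # peer closed the connection (EOF)
    else
      return chunk
    end
  end
end

# Case 1: the peer writes before we read, so the first read succeeds.
def demo_data_arrives
  a, b = UNIXSocket.pair
  b.write("hello")
  read_bounded(a, 5)
ensure
  a&.close
  b&.close
end

# Case 2: the peer keeps the socket open but never writes; without the
# retry budget this loop would wait on IO.select indefinitely.
def demo_peer_silent
  a, b = UNIXSocket.pair
  read_bounded(a, 5, timeout: 0.01, max_waits: 3)
ensure
  a&.close
  b&.close
end
```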
@voxik

voxik commented Aug 29, 2018

I have tried to apply these patches to Ruby 2.5.1 and run just the openssl test suite, and I still observe the following issues:

  1) Failure:
OpenSSL::TestSSL#test_fallback_scsv [/builddir/build/BUILD/ruby-2.5.1/test/openssl/test_ssl.rb:1372]:
Expected Exception(OpenSSL::SSL::SSLError) was raised, but the message doesn't match.
Expected /inappropriate fallback/ to match "SSL_accept returned=1 errno=0 state=error: unsupported protocol".

  2) Error:
OpenSSL::TestSSL#test_add_certificate_multiple_certs:
OpenSSL::SSL::SSLError: SSL_CTX_set0_chain: ca key too small
    /builddir/build/BUILD/ruby-2.5.1/test/openssl/test_ssl.rb:118:in `add_certificate'
    /builddir/build/BUILD/ruby-2.5.1/test/openssl/test_ssl.rb:118:in `block (2 levels) in test_add_certificate_multiple_certs'
    /builddir/build/BUILD/ruby-2.5.1/test/lib/envutil.rb:199:in `suppress_warning'
    /builddir/build/BUILD/ruby-2.5.1/test/openssl/test_ssl.rb:117:in `block in test_add_certificate_multiple_certs'
    /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:203:in `block in start_server'
    /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:193:in `pipe'
    /builddir/build/BUILD/ruby-2.5.1/test/openssl/utils.rb:193:in `start_server'
    /builddir/build/BUILD/ruby-2.5.1/test/openssl/test_ssl.rb:121:in `test_add_certificate_multiple_certs'

There are quite a few other issues in the whole Ruby test suite, but this is probably out of the scope of this ticket...
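The `SSL_CTX_set0_chain: ca key too small` failure above is the system-wide key-size policy from the PR description rejecting a chain key. As an added example (not the project's or the reporter's code), here is a fixture audit that flags undersized RSA/DH keys before a handshake does; the 2048-bit thresholds and the helper names are assumptions:

```ruby
require "openssl"

# Minimum sizes modelled on system-wide crypto policies that reject short
# keys in TLS. These thresholds are assumptions for this example.
MIN_BITS = { "RSA" => 2048, "DH" => 2048 }.freeze

# Bit length of an RSA or DH key (modulus n, or prime p); nil for other types.
def key_bits(pkey)
  case pkey
  when OpenSSL::PKey::RSA then pkey.n.num_bits
  when OpenSSL::PKey::DH  then pkey.p.num_bits
  end
end

# Audits one PEM-encoded key against MIN_BITS and returns a result hash so a
# caller or test can assert on it rather than parse printed output.
def audit_pem(pem)
  pkey = OpenSSL::PKey.read(pem)
  type = pkey.class.name.split("::").last      # "RSA", "DH", ...
  bits = key_bits(pkey)
  min  = MIN_BITS[type]
  return { type: type, bits: bits, ok: true, reason: "no policy for #{type}" } unless min
  ok = bits >= min
  { type: type, bits: bits, ok: ok,
    reason: ok ? "#{bits} >= #{min}" : "#{type} key too small: #{bits} < #{min}" }
end

# Constructed sample inputs: one key below the policy, one that clears it.
# Generating RSA keys in-process keeps the example self-contained.
def sample_results
  small = OpenSSL::PKey::RSA.new(1024).to_pem
  large = OpenSSL::PKey::RSA.new(2048).to_pem
  { small: audit_pem(small), large: audit_pem(large) }
end
```

Pointing `audit_pem` at each file under test/fixtures/pkey/ turns the policy rejection into a clear, early test failure naming the offending key.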

@voxik

voxik commented Nov 15, 2018

Ping. I would appreciate it if this is ready for Ruby 2.6. Thx.

@mame
Member

mame commented May 27, 2019

The following additional patch will fix the two remaining failures that @voxik reported.

@rhenium, can you review my patch and merge this PR with it into the master branch? This issue actually occurs on Debian 10 (testing).
If you have no time, I'll gladly volunteer to merge it. I already have permission to commit to this repository (because I'm an admin of the github/ruby organization).

diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb
index 79e07030ed..dad9a43779 100644
--- a/test/openssl/test_ssl.rb
+++ b/test/openssl/test_ssl.rb
@@ -81,7 +81,7 @@ def test_add_certificate_multiple_certs
     add0_chain_supported = openssl?(1, 0, 2)
 
     if add0_chain_supported
-      ca2_key = Fixtures.pkey("rsa1024")
+      ca2_key = Fixtures.pkey("rsa2048")
       ca2_exts = [
         ["basicConstraints", "CA:TRUE", true],
         ["keyUsage", "cRLSign, keyCertSign", true],
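Review bot: the fixture name in `ca2_key = Fixtures.pkey("rsa2048")` should be checked against what this PR actually adds; the description lists new files test/fixtures/pkey/{dh-1,rsa-1,rsa-2,rsa-3}.pem, so either a matching `rsa2048` fixture must already exist in the tree or the lookup should use the new naming. The size bump itself is the right fix for the `SSL_CTX_set0_chain: ca key too small` failure reported above: that error shows the policy is applied to the chain CA's key as well, so every key in the chain, not only the leaf, needs to clear the minimum.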
@@ -1361,7 +1361,12 @@ def test_fallback_scsv
     # Server support better, so refuse the connection
     sock1, sock2 = socketpair
     begin
+      # This test is for the downgrade protection mechanism of TLS1.2.
+      # This is why ctx1 bounds max_version == TLS1.2.
+      # Otherwise, this test fails when using openssl 1.1.1 (or later) that supports TLS1.3.
+      # TODO: We may need another test for TLS1.3 because it seems to have a different mechanism.
       ctx1 = OpenSSL::SSL::SSLContext.new
+      ctx1.max_version = OpenSSL::SSL::TLS1_2_VERSION
       s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
 
       ctx2 = OpenSSL::SSL::SSLContext.new
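Review bot: the TODO in the new comment block leaves a known coverage gap (TLS 1.3 downgrade protection) recorded only inside the test body; file it as an issue so it is tracked, and tighten `ctx1 bounds max_version == TLS1.2` to something like `ctx1 pins max_version to TLS 1.2`, since the point is that fallback SCSV is a TLS 1.2 mechanism and the `unsupported protocol` error seen above comes from the server negotiating TLS 1.3 instead. Also, the PR description mentions squashing this into maint (v2.1.x); confirm `SSLContext#max_version=` and `OpenSSL::SSL::TLS1_2_VERSION` exist on that branch before backporting, or the line `ctx1.max_version = OpenSSL::SSL::TLS1_2_VERSION` will fail there.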

@mame
Member

mame commented May 28, 2019

@rhenium I guess you are busy. I'd like to merge this PR to master in the next week, unless you make an objection. (Sorry if I seem impatient.)

@mame mame changed the base branch from maint-2.0 to master June 5, 2019 12:06
@mame mame merged commit cf5224c into ruby:master Jun 5, 2019
mame added a commit that referenced this pull request Jun 5, 2019
Additional fixes to #217 to support OpenSSL 1.1.1.
matzbot pushed a commit to ruby/ruby that referenced this pull request Jun 6, 2019
OpenSSL 1.1.1 rejects some shorter keys, which caused some failures of
`make test-all TESTS=openssl`.

https://rubyci.org/logs/rubyci.s3.amazonaws.com/debian/ruby-master/log/20190606T003005Z.fail.html.gz

This change merges 6bbc31ddd1 and 63fb3a36d1 in
https://github.com/ruby/openssl.
Reference: ruby/openssl#217
matzbot pushed a commit to ruby/ruby that referenced this pull request Aug 7, 2019
	test/openssl: Support OpenSSL 1.1.1
junaruga pushed a commit to junaruga/ruby that referenced this pull request Sep 23, 2020
	test/openssl: Support OpenSSL 1.1.1