test: use larger keys for SSL tests #217
Call IO.select with a timeout value and limit the number of retries to prevent stacking forever. Reference: ruby#214
Some systems enforce a system-wide policy to restrict key sizes used in SSL/TLS. Use larger ones if possible so that the test suite runs successfully. New PEM files test/fixtures/pkey/{dh-1,rsa-1,rsa-2,rsa-3}.pem are added to the tree, and SSL tests now use them instead of the fixed-size keys. Reference: ruby#215
I have tried to apply these patches to Ruby 2.5.1 and run just the openssl test suite and I still observe the following issues:
There are quite some other issues in the whole Ruby test suite, but this is probably out of the scope of this ticket ...
Ping. I would appreciate it if this is ready for Ruby 2.6. Thx.
The following additional patch will fix the two remaining failures that @voxik said. @rhenium, can you review my patch and merge this PR with it into master branch? This issue actually occurs on Debian 10 (testing). diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb
index 79e07030ed..dad9a43779 100644
--- a/test/openssl/test_ssl.rb
+++ b/test/openssl/test_ssl.rb
@@ -81,7 +81,7 @@ def test_add_certificate_multiple_certs
add0_chain_supported = openssl?(1, 0, 2)
if add0_chain_supported
- ca2_key = Fixtures.pkey("rsa1024")
+ ca2_key = Fixtures.pkey("rsa2048")
ca2_exts = [
["basicConstraints", "CA:TRUE", true],
["keyUsage", "cRLSign, keyCertSign", true],
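Review bot: `ca2_key` in test_add_certificate_multiple_certs still names a fixed-size fixture ("rsa2048"), while the PR description says the SSL tests now use the new rsa-1/rsa-2/rsa-3 PEM files instead of fixed-size keys. Consider switching this key to one of those fixtures (one not already used elsewhere in this test), so that a stricter system-wide key-size policy later needs only a fixture change and not another edit to the test body.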
@@ -1361,7 +1361,12 @@ def test_fallback_scsv
# Server support better, so refuse the connection
sock1, sock2 = socketpair
begin
+ # This test is for the downgrade protection mechanism of TLS1.2.
+ # This is why ctx1 bounds max_version == TLS1.2.
+ # Otherwise, this test fails when using openssl 1.1.1 (or later) that supports TLS1.3.
+ # TODO: We may need another test for TLS1.3 because it seems to have a different mechanism.
ctx1 = OpenSSL::SSL::SSLContext.new
+ ctx1.max_version = OpenSSL::SSL::TLS1_2_VERSION
s1 = OpenSSL::SSL::SSLSocket.new(sock1, ctx1)
ctx2 = OpenSSL::SSL::SSLContext.new |
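Review bot: The TODO added above `ctx1 = OpenSSL::SSL::SSLContext.new` has no issue reference, and with `ctx1.max_version = OpenSSL::SSL::TLS1_2_VERSION` this case of test_fallback_scsv no longer runs against a TLS 1.3-capable context at all, so the missing TLS 1.3 coverage is easy to lose track of. Suggest opening an issue for the TLS 1.3 test and citing it in the TODO. The four comment lines could also be tightened, for example: "Cap ctx1 at TLS 1.2: this test covers the TLS 1.2 downgrade protection and fails with OpenSSL 1.1.1 or later, which supports TLS 1.3."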
@rhenium I guess you are busy. I'd like to merge this PR to master in the next week, unless you make an objection. (Sorry if I seem impatient.)
Additional fixes to #217 to support OpenSSL 1.1.1.
OpenSSL 1.1.1 rejects some shorter keys, which caused some failures of `make test-all TESTS=openssl`. https://rubyci.org/logs/rubyci.s3.amazonaws.com/debian/ruby-master/log/20190606T003005Z.fail.html.gz This change merges 6bbc31ddd1 and 63fb3a36d1 in https://github.com/ruby/openssl. Reference: ruby/openssl#217
test/openssl: Support OpenSSL 1.1.1 OpenSSL 1.1.1 rejects some shorter keys, which caused some failures of `make test-all TESTS=openssl`. https://rubyci.org/logs/rubyci.s3.amazonaws.com/debian/ruby-master/log/20190606T003005Z.fail.html.gz This change merges 6bbc31ddd1 and 63fb3a36d1 in https://github.com/ruby/openssl. Reference: ruby/openssl#217 git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_6@67735 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
I'll need to squash this in when I merge to maint (v2.1.x): rhenium@e469d2c
Cc: @voxik