kotovalexarian-likes-github/puma--puma
1
0
Fork 0
mirror of https://github.com/puma/puma.git synced 2022-11-09 13:48:40 -05:00
Code Releases Activity
puma--puma/test/test_puma_server_ssl.rb

231 lines
6.3 KiB
Ruby
Raw Normal View History

Add SSL support for JRuby - Implement MiniSSL for JRuby - Modify `Binder` and `MiniSSL::Context` to to accommodate the fact that Java SSL demands a java keystore rather than a key/cert pair - Change the MiniSSL native extension interface to take a `MiniSSL::Context` rather than a key/cert pair so that each extension can grab keys off the context as appropriate
2014-05-05 17:30:15 -04:00
require "rbconfig"
require 'test/unit'
require 'socket'
require 'openssl'
require 'puma/minissl'
require 'puma/server'
require 'net/https'
ssl: Add Client Side Certificate Auth Add Client Side Certificate Auth feature and handling to puma's MiniSSL. Also exposes SSL errors to puma/apps. compatibility notes: MRI only shell example: puma -b 'ssl://127.0.0.1:9292?key=path_to_key&cert=path_to_cert&ca=path_to_ca&verify_mode=force_peer' code example: (examples/client_side_ssl) app = proc {|env| p env['puma.peercert']; [200, {}, ["hey"]] } events = SSLEvents.new($stdout, $stderr) server = Puma::Server.new(app, events) admin_context = Puma::MiniSSL::Context.new admin_context.key = KEY_PATH admin_context.cert = CERT_PATH admin_context.ca = CA_CERT_PATH admin_context.verify_mode = Puma::MiniSSL::VERIFY_PEER | Puma::MiniSSL::VERIFY_FAIL_IF_NO_PEER_CERT server.add_ssl_listener("0.0.0.0", ADMIN_PORT, admin_context) server.min_threads = MIN_THREADS server.max_threads = MAX_THREADS server.persistent_timeout = IDLE_TIMEOUT server.run.join additional credits: Andy Alness <andy.alness@gmail.com>
2015-01-13 23:11:26 -05:00
class SSLEventsHelper < ::Puma::Events
attr_accessor :addr, :cert, :error
def ssl_error(server, peeraddr, peercert, error)
self.addr = peeraddr
self.cert = peercert
self.error = error
end
end
Disable SSL tests when SSL isn't used
2015-11-06 14:00:58 -05:00
DISABLE_SSL = begin
Puma::MiniSSL.check
rescue
true
else
false
end
Add SSL support for JRuby - Implement MiniSSL for JRuby - Modify `Binder` and `MiniSSL::Context` to to accommodate the fact that Java SSL demands a java keystore rather than a key/cert pair - Change the MiniSSL native extension interface to take a `MiniSSL::Context` rather than a key/cert pair so that each extension can grab keys off the context as appropriate
2014-05-05 17:30:15 -04:00
class TestPumaServerSSL < Test::Unit::TestCase
def setup
Disable SSL tests when SSL isn't used
2015-11-06 14:00:58 -05:00
return if DISABLE_SSL
Add SSL support for JRuby - Implement MiniSSL for JRuby - Modify `Binder` and `MiniSSL::Context` to to accommodate the fact that Java SSL demands a java keystore rather than a key/cert pair - Change the MiniSSL native extension interface to take a `MiniSSL::Context` rather than a key/cert pair so that each extension can grab keys off the context as appropriate
2014-05-05 17:30:15 -04:00
@port = 3212
@host = "127.0.0.1"
@app = lambda { |env| [200, {}, [env['rack.url_scheme']]] }
JRuby SSL POODLE update Default SSLv3 to disabled in response to the POODLE vulnerability.
2014-10-15 21:39:35 -04:00
@ctx = Puma::MiniSSL::Context.new
Add SSL support for JRuby - Implement MiniSSL for JRuby - Modify `Binder` and `MiniSSL::Context` to to accommodate the fact that Java SSL demands a java keystore rather than a key/cert pair - Change the MiniSSL native extension interface to take a `MiniSSL::Context` rather than a key/cert pair so that each extension can grab keys off the context as appropriate
2014-05-05 17:30:15 -04:00
if defined?(JRUBY_VERSION)
JRuby SSL POODLE update Default SSLv3 to disabled in response to the POODLE vulnerability.
2014-10-15 21:39:35 -04:00
@ctx.keystore = File.expand_path "../../examples/puma/keystore.jks", __FILE__
@ctx.keystore_pass = 'blahblah'
Add SSL support for JRuby - Implement MiniSSL for JRuby - Modify `Binder` and `MiniSSL::Context` to to accommodate the fact that Java SSL demands a java keystore rather than a key/cert pair - Change the MiniSSL native extension interface to take a `MiniSSL::Context` rather than a key/cert pair so that each extension can grab keys off the context as appropriate
2014-05-05 17:30:15 -04:00
else
JRuby SSL POODLE update Default SSLv3 to disabled in response to the POODLE vulnerability.
2014-10-15 21:39:35 -04:00
@ctx.key = File.expand_path "../../examples/puma/puma_keypair.pem", __FILE__
@ctx.cert = File.expand_path "../../examples/puma/cert_puma.pem", __FILE__
Add SSL support for JRuby - Implement MiniSSL for JRuby - Modify `Binder` and `MiniSSL::Context` to to accommodate the fact that Java SSL demands a java keystore rather than a key/cert pair - Change the MiniSSL native extension interface to take a `MiniSSL::Context` rather than a key/cert pair so that each extension can grab keys off the context as appropriate
2014-05-05 17:30:15 -04:00
end
JRuby SSL POODLE update Default SSLv3 to disabled in response to the POODLE vulnerability.
2014-10-15 21:39:35 -04:00
@ctx.verify_mode = Puma::MiniSSL::VERIFY_NONE
Add SSL support for JRuby - Implement MiniSSL for JRuby - Modify `Binder` and `MiniSSL::Context` to to accommodate the fact that Java SSL demands a java keystore rather than a key/cert pair - Change the MiniSSL native extension interface to take a `MiniSSL::Context` rather than a key/cert pair so that each extension can grab keys off the context as appropriate
2014-05-05 17:30:15 -04:00
ssl: Add Client Side Certificate Auth Add Client Side Certificate Auth feature and handling to puma's MiniSSL. Also exposes SSL errors to puma/apps. compatibility notes: MRI only shell example: puma -b 'ssl://127.0.0.1:9292?key=path_to_key&cert=path_to_cert&ca=path_to_ca&verify_mode=force_peer' code example: (examples/client_side_ssl) app = proc {|env| p env['puma.peercert']; [200, {}, ["hey"]] } events = SSLEvents.new($stdout, $stderr) server = Puma::Server.new(app, events) admin_context = Puma::MiniSSL::Context.new admin_context.key = KEY_PATH admin_context.cert = CERT_PATH admin_context.ca = CA_CERT_PATH admin_context.verify_mode = Puma::MiniSSL::VERIFY_PEER | Puma::MiniSSL::VERIFY_FAIL_IF_NO_PEER_CERT server.add_ssl_listener("0.0.0.0", ADMIN_PORT, admin_context) server.min_threads = MIN_THREADS server.max_threads = MAX_THREADS server.persistent_timeout = IDLE_TIMEOUT server.run.join additional credits: Andy Alness <andy.alness@gmail.com>
2015-01-13 23:11:26 -05:00
@events = SSLEventsHelper.new STDOUT, STDERR
Add SSL support for JRuby - Implement MiniSSL for JRuby - Modify `Binder` and `MiniSSL::Context` to to accommodate the fact that Java SSL demands a java keystore rather than a key/cert pair - Change the MiniSSL native extension interface to take a `MiniSSL::Context` rather than a key/cert pair so that each extension can grab keys off the context as appropriate
2014-05-05 17:30:15 -04:00
@server = Puma::Server.new @app, @events
JRuby SSL POODLE update Default SSLv3 to disabled in response to the POODLE vulnerability.
2014-10-15 21:39:35 -04:00
@server.add_ssl_listener @host, @port, @ctx
Add SSL support for JRuby - Implement MiniSSL for JRuby - Modify `Binder` and `MiniSSL::Context` to to accommodate the fact that Java SSL demands a java keystore rather than a key/cert pair - Change the MiniSSL native extension interface to take a `MiniSSL::Context` rather than a key/cert pair so that each extension can grab keys off the context as appropriate
2014-05-05 17:30:15 -04:00
@server.run
@http = Net::HTTP.new @host, @port
@http.use_ssl = true
@http.verify_mode = OpenSSL::SSL::VERIFY_NONE
end
def teardown
Disable SSL tests when SSL isn't used
2015-11-06 14:00:58 -05:00
return if DISABLE_SSL
Add SSL support for JRuby - Implement MiniSSL for JRuby - Modify `Binder` and `MiniSSL::Context` to to accommodate the fact that Java SSL demands a java keystore rather than a key/cert pair - Change the MiniSSL native extension interface to take a `MiniSSL::Context` rather than a key/cert pair so that each extension can grab keys off the context as appropriate
2014-05-05 17:30:15 -04:00
@server.stop(true)
end
def test_url_scheme_for_https
Disable SSL tests when SSL isn't used
2015-11-06 14:00:58 -05:00
return if DISABLE_SSL
Add SSL support for JRuby - Implement MiniSSL for JRuby - Modify `Binder` and `MiniSSL::Context` to to accommodate the fact that Java SSL demands a java keystore rather than a key/cert pair - Change the MiniSSL native extension interface to take a `MiniSSL::Context` rather than a key/cert pair so that each extension can grab keys off the context as appropriate
2014-05-05 17:30:15 -04:00
body = nil
@http.start do
req = Net::HTTP::Get.new "/", {}
@http.request(req) do |rep|
body = rep.body
end
end
assert_equal "https", body
end
def test_very_large_return
Disable SSL tests when SSL isn't used
2015-11-06 14:00:58 -05:00
return if DISABLE_SSL
Add SSL support for JRuby - Implement MiniSSL for JRuby - Modify `Binder` and `MiniSSL::Context` to to accommodate the fact that Java SSL demands a java keystore rather than a key/cert pair - Change the MiniSSL native extension interface to take a `MiniSSL::Context` rather than a key/cert pair so that each extension can grab keys off the context as appropriate
2014-05-05 17:30:15 -04:00
giant = "x" * 2056610
@server.app = proc do
[200, {}, [giant]]
end
body = nil
@http.start do
req = Net::HTTP::Get.new "/"
@http.request(req) do |rep|
body = rep.body
end
end
assert_equal giant.bytesize, body.bytesize
end
def test_form_submit
Disable SSL tests when SSL isn't used
2015-11-06 14:00:58 -05:00
return if DISABLE_SSL
Add SSL support for JRuby - Implement MiniSSL for JRuby - Modify `Binder` and `MiniSSL::Context` to to accommodate the fact that Java SSL demands a java keystore rather than a key/cert pair - Change the MiniSSL native extension interface to take a `MiniSSL::Context` rather than a key/cert pair so that each extension can grab keys off the context as appropriate
2014-05-05 17:30:15 -04:00
body = nil
@http.start do
req = Net::HTTP::Post.new '/'
req.set_form_data('a' => '1', 'b' => '2')
@http.request(req) do |rep|
body = rep.body
end
end
assert_equal "https", body
end
Wrap SSLv3 spec in version guard.
2015-07-31 15:51:07 -04:00
unless RUBY_VERSION =~ /^1.8/
def test_ssl_v3_rejection
Disable SSL tests when SSL isn't used
2015-11-06 14:00:58 -05:00
return if DISABLE_SSL
Wrap SSLv3 spec in version guard.
2015-07-31 15:51:07 -04:00
@http.ssl_version='SSLv3'
assert_raises(OpenSSL::SSL::SSLError) do
@http.start do
Net::HTTP::Get.new '/'
end
end
unless defined?(JRUBY_VERSION)
assert_match("wrong version number", @events.error.message) if @events.error
JRuby SSL POODLE update Default SSLv3 to disabled in response to the POODLE vulnerability.
2014-10-15 21:39:35 -04:00
end
ssl: Add Client Side Certificate Auth Add Client Side Certificate Auth feature and handling to puma's MiniSSL. Also exposes SSL errors to puma/apps. compatibility notes: MRI only shell example: puma -b 'ssl://127.0.0.1:9292?key=path_to_key&cert=path_to_cert&ca=path_to_ca&verify_mode=force_peer' code example: (examples/client_side_ssl) app = proc {|env| p env['puma.peercert']; [200, {}, ["hey"]] } events = SSLEvents.new($stdout, $stderr) server = Puma::Server.new(app, events) admin_context = Puma::MiniSSL::Context.new admin_context.key = KEY_PATH admin_context.cert = CERT_PATH admin_context.ca = CA_CERT_PATH admin_context.verify_mode = Puma::MiniSSL::VERIFY_PEER | Puma::MiniSSL::VERIFY_FAIL_IF_NO_PEER_CERT server.add_ssl_listener("0.0.0.0", ADMIN_PORT, admin_context) server.min_threads = MIN_THREADS server.max_threads = MAX_THREADS server.persistent_timeout = IDLE_TIMEOUT server.run.join additional credits: Andy Alness <andy.alness@gmail.com>
2015-01-13 23:11:26 -05:00
end
Fix hang on bad SSL handshake Both the C and JRuby SSL implementations would hang on a bad handshake because they were not producing the EOF expected in that case. Update their error handling to behave correctly here (note: `test_ssl_v3_rejection` covers this).
2015-05-01 19:39:22 -04:00
end
JRuby SSL POODLE update Default SSLv3 to disabled in response to the POODLE vulnerability.
2014-10-15 21:39:35 -04:00
ssl: Add Client Side Certificate Auth Add Client Side Certificate Auth feature and handling to puma's MiniSSL. Also exposes SSL errors to puma/apps. compatibility notes: MRI only shell example: puma -b 'ssl://127.0.0.1:9292?key=path_to_key&cert=path_to_cert&ca=path_to_ca&verify_mode=force_peer' code example: (examples/client_side_ssl) app = proc {|env| p env['puma.peercert']; [200, {}, ["hey"]] } events = SSLEvents.new($stdout, $stderr) server = Puma::Server.new(app, events) admin_context = Puma::MiniSSL::Context.new admin_context.key = KEY_PATH admin_context.cert = CERT_PATH admin_context.ca = CA_CERT_PATH admin_context.verify_mode = Puma::MiniSSL::VERIFY_PEER | Puma::MiniSSL::VERIFY_FAIL_IF_NO_PEER_CERT server.add_ssl_listener("0.0.0.0", ADMIN_PORT, admin_context) server.min_threads = MIN_THREADS server.max_threads = MAX_THREADS server.persistent_timeout = IDLE_TIMEOUT server.run.join additional credits: Andy Alness <andy.alness@gmail.com>
2015-01-13 23:11:26 -05:00
end
# client-side TLS authentication tests
support TLS client auth (verify_mode) in jruby Adds support for `verify_mode` to configure client authentication when running under JRuby. Things to note: - Assumes the CA used to verify client certs is in the same java keystore file that is used when setting up the HTTPS TLS listener. We could split this out, but not sure if it's necessary. - Friendly/helpful error messages explaining why the verification failed are not present in the same way they are in the CRuby/OpenSSL code path. I'm not sure how to make them available. - I did not include any code to create the `keystore.jks` file in the `examples/puma/client-certs` directory because I didn't see any existing code to create the `examples/puma/keystore.jks` file. The commands to create this keystore would be: ``` cd examples/puma/client-certs openssl pkcs12 -chain -CAfile ./ca.crt -export -password pass:blahblah -inkey server.key -in server.crt -name server -out server.p12 keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -srcstorepass blahblah -destkeystore keystore.jks -deststoretype JKS -storepass blahblah keytool -importcert -alias ca -noprompt -trustcacerts -file ca.crt -keystore keystore.jks -storepass blahblah ```
2015-11-28 21:17:01 -05:00
class TestPumaServerSSLClient < Test::Unit::TestCase
ssl: Add Client Side Certificate Auth Add Client Side Certificate Auth feature and handling to puma's MiniSSL. Also exposes SSL errors to puma/apps. compatibility notes: MRI only shell example: puma -b 'ssl://127.0.0.1:9292?key=path_to_key&cert=path_to_cert&ca=path_to_ca&verify_mode=force_peer' code example: (examples/client_side_ssl) app = proc {|env| p env['puma.peercert']; [200, {}, ["hey"]] } events = SSLEvents.new($stdout, $stderr) server = Puma::Server.new(app, events) admin_context = Puma::MiniSSL::Context.new admin_context.key = KEY_PATH admin_context.cert = CERT_PATH admin_context.ca = CA_CERT_PATH admin_context.verify_mode = Puma::MiniSSL::VERIFY_PEER | Puma::MiniSSL::VERIFY_FAIL_IF_NO_PEER_CERT server.add_ssl_listener("0.0.0.0", ADMIN_PORT, admin_context) server.min_threads = MIN_THREADS server.max_threads = MAX_THREADS server.persistent_timeout = IDLE_TIMEOUT server.run.join additional credits: Andy Alness <andy.alness@gmail.com>
2015-01-13 23:11:26 -05:00
support TLS client auth (verify_mode) in jruby Adds support for `verify_mode` to configure client authentication when running under JRuby. Things to note: - Assumes the CA used to verify client certs is in the same java keystore file that is used when setting up the HTTPS TLS listener. We could split this out, but not sure if it's necessary. - Friendly/helpful error messages explaining why the verification failed are not present in the same way they are in the CRuby/OpenSSL code path. I'm not sure how to make them available. - I did not include any code to create the `keystore.jks` file in the `examples/puma/client-certs` directory because I didn't see any existing code to create the `examples/puma/keystore.jks` file. The commands to create this keystore would be: ``` cd examples/puma/client-certs openssl pkcs12 -chain -CAfile ./ca.crt -export -password pass:blahblah -inkey server.key -in server.crt -name server -out server.p12 keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -srcstorepass blahblah -destkeystore keystore.jks -deststoretype JKS -storepass blahblah keytool -importcert -alias ca -noprompt -trustcacerts -file ca.crt -keystore keystore.jks -storepass blahblah ```
2015-11-28 21:17:01 -05:00
def assert_ssl_client_error_match(error, subject=nil, &blk)
@port = 3212
@host = "127.0.0.1"
ssl: Add Client Side Certificate Auth Add Client Side Certificate Auth feature and handling to puma's MiniSSL. Also exposes SSL errors to puma/apps. compatibility notes: MRI only shell example: puma -b 'ssl://127.0.0.1:9292?key=path_to_key&cert=path_to_cert&ca=path_to_ca&verify_mode=force_peer' code example: (examples/client_side_ssl) app = proc {|env| p env['puma.peercert']; [200, {}, ["hey"]] } events = SSLEvents.new($stdout, $stderr) server = Puma::Server.new(app, events) admin_context = Puma::MiniSSL::Context.new admin_context.key = KEY_PATH admin_context.cert = CERT_PATH admin_context.ca = CA_CERT_PATH admin_context.verify_mode = Puma::MiniSSL::VERIFY_PEER | Puma::MiniSSL::VERIFY_FAIL_IF_NO_PEER_CERT server.add_ssl_listener("0.0.0.0", ADMIN_PORT, admin_context) server.min_threads = MIN_THREADS server.max_threads = MAX_THREADS server.persistent_timeout = IDLE_TIMEOUT server.run.join additional credits: Andy Alness <andy.alness@gmail.com>
2015-01-13 23:11:26 -05:00
support TLS client auth (verify_mode) in jruby Adds support for `verify_mode` to configure client authentication when running under JRuby. Things to note: - Assumes the CA used to verify client certs is in the same java keystore file that is used when setting up the HTTPS TLS listener. We could split this out, but not sure if it's necessary. - Friendly/helpful error messages explaining why the verification failed are not present in the same way they are in the CRuby/OpenSSL code path. I'm not sure how to make them available. - I did not include any code to create the `keystore.jks` file in the `examples/puma/client-certs` directory because I didn't see any existing code to create the `examples/puma/keystore.jks` file. The commands to create this keystore would be: ``` cd examples/puma/client-certs openssl pkcs12 -chain -CAfile ./ca.crt -export -password pass:blahblah -inkey server.key -in server.crt -name server -out server.p12 keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -srcstorepass blahblah -destkeystore keystore.jks -deststoretype JKS -storepass blahblah keytool -importcert -alias ca -noprompt -trustcacerts -file ca.crt -keystore keystore.jks -storepass blahblah ```
2015-11-28 21:17:01 -05:00
@app = lambda { |env| [200, {}, [env['rack.url_scheme']]] }
ssl: Add Client Side Certificate Auth Add Client Side Certificate Auth feature and handling to puma's MiniSSL. Also exposes SSL errors to puma/apps. compatibility notes: MRI only shell example: puma -b 'ssl://127.0.0.1:9292?key=path_to_key&cert=path_to_cert&ca=path_to_ca&verify_mode=force_peer' code example: (examples/client_side_ssl) app = proc {|env| p env['puma.peercert']; [200, {}, ["hey"]] } events = SSLEvents.new($stdout, $stderr) server = Puma::Server.new(app, events) admin_context = Puma::MiniSSL::Context.new admin_context.key = KEY_PATH admin_context.cert = CERT_PATH admin_context.ca = CA_CERT_PATH admin_context.verify_mode = Puma::MiniSSL::VERIFY_PEER | Puma::MiniSSL::VERIFY_FAIL_IF_NO_PEER_CERT server.add_ssl_listener("0.0.0.0", ADMIN_PORT, admin_context) server.min_threads = MIN_THREADS server.max_threads = MAX_THREADS server.persistent_timeout = IDLE_TIMEOUT server.run.join additional credits: Andy Alness <andy.alness@gmail.com>
2015-01-13 23:11:26 -05:00
support TLS client auth (verify_mode) in jruby Adds support for `verify_mode` to configure client authentication when running under JRuby. Things to note: - Assumes the CA used to verify client certs is in the same java keystore file that is used when setting up the HTTPS TLS listener. We could split this out, but not sure if it's necessary. - Friendly/helpful error messages explaining why the verification failed are not present in the same way they are in the CRuby/OpenSSL code path. I'm not sure how to make them available. - I did not include any code to create the `keystore.jks` file in the `examples/puma/client-certs` directory because I didn't see any existing code to create the `examples/puma/keystore.jks` file. The commands to create this keystore would be: ``` cd examples/puma/client-certs openssl pkcs12 -chain -CAfile ./ca.crt -export -password pass:blahblah -inkey server.key -in server.crt -name server -out server.p12 keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -srcstorepass blahblah -destkeystore keystore.jks -deststoretype JKS -storepass blahblah keytool -importcert -alias ca -noprompt -trustcacerts -file ca.crt -keystore keystore.jks -storepass blahblah ```
2015-11-28 21:17:01 -05:00
@ctx = Puma::MiniSSL::Context.new
if defined?(JRUBY_VERSION)
@ctx.keystore = File.expand_path "../../examples/puma/client-certs/keystore.jks", __FILE__
@ctx.keystore_pass = 'blahblah'
else
ssl: Add Client Side Certificate Auth Add Client Side Certificate Auth feature and handling to puma's MiniSSL. Also exposes SSL errors to puma/apps. compatibility notes: MRI only shell example: puma -b 'ssl://127.0.0.1:9292?key=path_to_key&cert=path_to_cert&ca=path_to_ca&verify_mode=force_peer' code example: (examples/client_side_ssl) app = proc {|env| p env['puma.peercert']; [200, {}, ["hey"]] } events = SSLEvents.new($stdout, $stderr) server = Puma::Server.new(app, events) admin_context = Puma::MiniSSL::Context.new admin_context.key = KEY_PATH admin_context.cert = CERT_PATH admin_context.ca = CA_CERT_PATH admin_context.verify_mode = Puma::MiniSSL::VERIFY_PEER | Puma::MiniSSL::VERIFY_FAIL_IF_NO_PEER_CERT server.add_ssl_listener("0.0.0.0", ADMIN_PORT, admin_context) server.min_threads = MIN_THREADS server.max_threads = MAX_THREADS server.persistent_timeout = IDLE_TIMEOUT server.run.join additional credits: Andy Alness <andy.alness@gmail.com>
2015-01-13 23:11:26 -05:00
@ctx.key = File.expand_path "../../examples/puma/client-certs/server.key", __FILE__
@ctx.cert = File.expand_path "../../examples/puma/client-certs/server.crt", __FILE__
@ctx.ca = File.expand_path "../../examples/puma/client-certs/ca.crt", __FILE__
support TLS client auth (verify_mode) in jruby Adds support for `verify_mode` to configure client authentication when running under JRuby. Things to note: - Assumes the CA used to verify client certs is in the same java keystore file that is used when setting up the HTTPS TLS listener. We could split this out, but not sure if it's necessary. - Friendly/helpful error messages explaining why the verification failed are not present in the same way they are in the CRuby/OpenSSL code path. I'm not sure how to make them available. - I did not include any code to create the `keystore.jks` file in the `examples/puma/client-certs` directory because I didn't see any existing code to create the `examples/puma/keystore.jks` file. The commands to create this keystore would be: ``` cd examples/puma/client-certs openssl pkcs12 -chain -CAfile ./ca.crt -export -password pass:blahblah -inkey server.key -in server.crt -name server -out server.p12 keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -srcstorepass blahblah -destkeystore keystore.jks -deststoretype JKS -storepass blahblah keytool -importcert -alias ca -noprompt -trustcacerts -file ca.crt -keystore keystore.jks -storepass blahblah ```
2015-11-28 21:17:01 -05:00
end
@ctx.verify_mode = Puma::MiniSSL::VERIFY_PEER | Puma::MiniSSL::VERIFY_FAIL_IF_NO_PEER_CERT
ssl: Add Client Side Certificate Auth Add Client Side Certificate Auth feature and handling to puma's MiniSSL. Also exposes SSL errors to puma/apps. compatibility notes: MRI only shell example: puma -b 'ssl://127.0.0.1:9292?key=path_to_key&cert=path_to_cert&ca=path_to_ca&verify_mode=force_peer' code example: (examples/client_side_ssl) app = proc {|env| p env['puma.peercert']; [200, {}, ["hey"]] } events = SSLEvents.new($stdout, $stderr) server = Puma::Server.new(app, events) admin_context = Puma::MiniSSL::Context.new admin_context.key = KEY_PATH admin_context.cert = CERT_PATH admin_context.ca = CA_CERT_PATH admin_context.verify_mode = Puma::MiniSSL::VERIFY_PEER | Puma::MiniSSL::VERIFY_FAIL_IF_NO_PEER_CERT server.add_ssl_listener("0.0.0.0", ADMIN_PORT, admin_context) server.min_threads = MIN_THREADS server.max_threads = MAX_THREADS server.persistent_timeout = IDLE_TIMEOUT server.run.join additional credits: Andy Alness <andy.alness@gmail.com>
2015-01-13 23:11:26 -05:00
support TLS client auth (verify_mode) in jruby Adds support for `verify_mode` to configure client authentication when running under JRuby. Things to note: - Assumes the CA used to verify client certs is in the same java keystore file that is used when setting up the HTTPS TLS listener. We could split this out, but not sure if it's necessary. - Friendly/helpful error messages explaining why the verification failed are not present in the same way they are in the CRuby/OpenSSL code path. I'm not sure how to make them available. - I did not include any code to create the `keystore.jks` file in the `examples/puma/client-certs` directory because I didn't see any existing code to create the `examples/puma/keystore.jks` file. The commands to create this keystore would be: ``` cd examples/puma/client-certs openssl pkcs12 -chain -CAfile ./ca.crt -export -password pass:blahblah -inkey server.key -in server.crt -name server -out server.p12 keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -srcstorepass blahblah -destkeystore keystore.jks -deststoretype JKS -storepass blahblah keytool -importcert -alias ca -noprompt -trustcacerts -file ca.crt -keystore keystore.jks -storepass blahblah ```
2015-11-28 21:17:01 -05:00
events = SSLEventsHelper.new STDOUT, STDERR
@server = Puma::Server.new @app, events
@server.add_ssl_listener @host, @port, @ctx
@server.run
ssl: Add Client Side Certificate Auth Add Client Side Certificate Auth feature and handling to puma's MiniSSL. Also exposes SSL errors to puma/apps. compatibility notes: MRI only shell example: puma -b 'ssl://127.0.0.1:9292?key=path_to_key&cert=path_to_cert&ca=path_to_ca&verify_mode=force_peer' code example: (examples/client_side_ssl) app = proc {|env| p env['puma.peercert']; [200, {}, ["hey"]] } events = SSLEvents.new($stdout, $stderr) server = Puma::Server.new(app, events) admin_context = Puma::MiniSSL::Context.new admin_context.key = KEY_PATH admin_context.cert = CERT_PATH admin_context.ca = CA_CERT_PATH admin_context.verify_mode = Puma::MiniSSL::VERIFY_PEER | Puma::MiniSSL::VERIFY_FAIL_IF_NO_PEER_CERT server.add_ssl_listener("0.0.0.0", ADMIN_PORT, admin_context) server.min_threads = MIN_THREADS server.max_threads = MAX_THREADS server.persistent_timeout = IDLE_TIMEOUT server.run.join additional credits: Andy Alness <andy.alness@gmail.com>
2015-01-13 23:11:26 -05:00
support TLS client auth (verify_mode) in jruby Adds support for `verify_mode` to configure client authentication when running under JRuby. Things to note: - Assumes the CA used to verify client certs is in the same java keystore file that is used when setting up the HTTPS TLS listener. We could split this out, but not sure if it's necessary. - Friendly/helpful error messages explaining why the verification failed are not present in the same way they are in the CRuby/OpenSSL code path. I'm not sure how to make them available. - I did not include any code to create the `keystore.jks` file in the `examples/puma/client-certs` directory because I didn't see any existing code to create the `examples/puma/keystore.jks` file. The commands to create this keystore would be: ``` cd examples/puma/client-certs openssl pkcs12 -chain -CAfile ./ca.crt -export -password pass:blahblah -inkey server.key -in server.crt -name server -out server.p12 keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -srcstorepass blahblah -destkeystore keystore.jks -deststoretype JKS -storepass blahblah keytool -importcert -alias ca -noprompt -trustcacerts -file ca.crt -keystore keystore.jks -storepass blahblah ```
2015-11-28 21:17:01 -05:00
@http = Net::HTTP.new @host, @port
@http.use_ssl = true
@http.verify_mode = OpenSSL::SSL::VERIFY_NONE
ssl: Add Client Side Certificate Auth Add Client Side Certificate Auth feature and handling to puma's MiniSSL. Also exposes SSL errors to puma/apps. compatibility notes: MRI only shell example: puma -b 'ssl://127.0.0.1:9292?key=path_to_key&cert=path_to_cert&ca=path_to_ca&verify_mode=force_peer' code example: (examples/client_side_ssl) app = proc {|env| p env['puma.peercert']; [200, {}, ["hey"]] } events = SSLEvents.new($stdout, $stderr) server = Puma::Server.new(app, events) admin_context = Puma::MiniSSL::Context.new admin_context.key = KEY_PATH admin_context.cert = CERT_PATH admin_context.ca = CA_CERT_PATH admin_context.verify_mode = Puma::MiniSSL::VERIFY_PEER | Puma::MiniSSL::VERIFY_FAIL_IF_NO_PEER_CERT server.add_ssl_listener("0.0.0.0", ADMIN_PORT, admin_context) server.min_threads = MIN_THREADS server.max_threads = MAX_THREADS server.persistent_timeout = IDLE_TIMEOUT server.run.join additional credits: Andy Alness <andy.alness@gmail.com>
2015-01-13 23:11:26 -05:00
support TLS client auth (verify_mode) in jruby Adds support for `verify_mode` to configure client authentication when running under JRuby. Things to note: - Assumes the CA used to verify client certs is in the same java keystore file that is used when setting up the HTTPS TLS listener. We could split this out, but not sure if it's necessary. - Friendly/helpful error messages explaining why the verification failed are not present in the same way they are in the CRuby/OpenSSL code path. I'm not sure how to make them available. - I did not include any code to create the `keystore.jks` file in the `examples/puma/client-certs` directory because I didn't see any existing code to create the `examples/puma/keystore.jks` file. The commands to create this keystore would be: ``` cd examples/puma/client-certs openssl pkcs12 -chain -CAfile ./ca.crt -export -password pass:blahblah -inkey server.key -in server.crt -name server -out server.p12 keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -srcstorepass blahblah -destkeystore keystore.jks -deststoretype JKS -storepass blahblah keytool -importcert -alias ca -noprompt -trustcacerts -file ca.crt -keystore keystore.jks -storepass blahblah ```
2015-11-28 21:17:01 -05:00
blk.call(@http)
ssl: Add Client Side Certificate Auth Add Client Side Certificate Auth feature and handling to puma's MiniSSL. Also exposes SSL errors to puma/apps. compatibility notes: MRI only shell example: puma -b 'ssl://127.0.0.1:9292?key=path_to_key&cert=path_to_cert&ca=path_to_ca&verify_mode=force_peer' code example: (examples/client_side_ssl) app = proc {|env| p env['puma.peercert']; [200, {}, ["hey"]] } events = SSLEvents.new($stdout, $stderr) server = Puma::Server.new(app, events) admin_context = Puma::MiniSSL::Context.new admin_context.key = KEY_PATH admin_context.cert = CERT_PATH admin_context.ca = CA_CERT_PATH admin_context.verify_mode = Puma::MiniSSL::VERIFY_PEER | Puma::MiniSSL::VERIFY_FAIL_IF_NO_PEER_CERT server.add_ssl_listener("0.0.0.0", ADMIN_PORT, admin_context) server.min_threads = MIN_THREADS server.max_threads = MAX_THREADS server.persistent_timeout = IDLE_TIMEOUT server.run.join additional credits: Andy Alness <andy.alness@gmail.com>
2015-01-13 23:11:26 -05:00
support TLS client auth (verify_mode) in jruby Adds support for `verify_mode` to configure client authentication when running under JRuby. Things to note: - Assumes the CA used to verify client certs is in the same java keystore file that is used when setting up the HTTPS TLS listener. We could split this out, but not sure if it's necessary. - Friendly/helpful error messages explaining why the verification failed are not present in the same way they are in the CRuby/OpenSSL code path. I'm not sure how to make them available. - I did not include any code to create the `keystore.jks` file in the `examples/puma/client-certs` directory because I didn't see any existing code to create the `examples/puma/keystore.jks` file. The commands to create this keystore would be: ``` cd examples/puma/client-certs openssl pkcs12 -chain -CAfile ./ca.crt -export -password pass:blahblah -inkey server.key -in server.crt -name server -out server.p12 keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -srcstorepass blahblah -destkeystore keystore.jks -deststoretype JKS -storepass blahblah keytool -importcert -alias ca -noprompt -trustcacerts -file ca.crt -keystore keystore.jks -storepass blahblah ```
2015-11-28 21:17:01 -05:00
client_error = false
begin
@http.start do
req = Net::HTTP::Get.new "/", {}
@http.request(req)
ssl: Add Client Side Certificate Auth Add Client Side Certificate Auth feature and handling to puma's MiniSSL. Also exposes SSL errors to puma/apps. compatibility notes: MRI only shell example: puma -b 'ssl://127.0.0.1:9292?key=path_to_key&cert=path_to_cert&ca=path_to_ca&verify_mode=force_peer' code example: (examples/client_side_ssl) app = proc {|env| p env['puma.peercert']; [200, {}, ["hey"]] } events = SSLEvents.new($stdout, $stderr) server = Puma::Server.new(app, events) admin_context = Puma::MiniSSL::Context.new admin_context.key = KEY_PATH admin_context.cert = CERT_PATH admin_context.ca = CA_CERT_PATH admin_context.verify_mode = Puma::MiniSSL::VERIFY_PEER | Puma::MiniSSL::VERIFY_FAIL_IF_NO_PEER_CERT server.add_ssl_listener("0.0.0.0", ADMIN_PORT, admin_context) server.min_threads = MIN_THREADS server.max_threads = MAX_THREADS server.persistent_timeout = IDLE_TIMEOUT server.run.join additional credits: Andy Alness <andy.alness@gmail.com>
2015-01-13 23:11:26 -05:00
end
support TLS client auth (verify_mode) in jruby Adds support for `verify_mode` to configure client authentication when running under JRuby. Things to note: - Assumes the CA used to verify client certs is in the same java keystore file that is used when setting up the HTTPS TLS listener. We could split this out, but not sure if it's necessary. - Friendly/helpful error messages explaining why the verification failed are not present in the same way they are in the CRuby/OpenSSL code path. I'm not sure how to make them available. - I did not include any code to create the `keystore.jks` file in the `examples/puma/client-certs` directory because I didn't see any existing code to create the `examples/puma/keystore.jks` file. The commands to create this keystore would be: ``` cd examples/puma/client-certs openssl pkcs12 -chain -CAfile ./ca.crt -export -password pass:blahblah -inkey server.key -in server.crt -name server -out server.p12 keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -srcstorepass blahblah -destkeystore keystore.jks -deststoretype JKS -storepass blahblah keytool -importcert -alias ca -noprompt -trustcacerts -file ca.crt -keystore keystore.jks -storepass blahblah ```
2015-11-28 21:17:01 -05:00
rescue OpenSSL::SSL::SSLError
client_error = true
end
ssl: Add Client Side Certificate Auth Add Client Side Certificate Auth feature and handling to puma's MiniSSL. Also exposes SSL errors to puma/apps. compatibility notes: MRI only shell example: puma -b 'ssl://127.0.0.1:9292?key=path_to_key&cert=path_to_cert&ca=path_to_ca&verify_mode=force_peer' code example: (examples/client_side_ssl) app = proc {|env| p env['puma.peercert']; [200, {}, ["hey"]] } events = SSLEvents.new($stdout, $stderr) server = Puma::Server.new(app, events) admin_context = Puma::MiniSSL::Context.new admin_context.key = KEY_PATH admin_context.cert = CERT_PATH admin_context.ca = CA_CERT_PATH admin_context.verify_mode = Puma::MiniSSL::VERIFY_PEER | Puma::MiniSSL::VERIFY_FAIL_IF_NO_PEER_CERT server.add_ssl_listener("0.0.0.0", ADMIN_PORT, admin_context) server.min_threads = MIN_THREADS server.max_threads = MAX_THREADS server.persistent_timeout = IDLE_TIMEOUT server.run.join additional credits: Andy Alness <andy.alness@gmail.com>
2015-01-13 23:11:26 -05:00
support TLS client auth (verify_mode) in jruby Adds support for `verify_mode` to configure client authentication when running under JRuby. Things to note: - Assumes the CA used to verify client certs is in the same java keystore file that is used when setting up the HTTPS TLS listener. We could split this out, but not sure if it's necessary. - Friendly/helpful error messages explaining why the verification failed are not present in the same way they are in the CRuby/OpenSSL code path. I'm not sure how to make them available. - I did not include any code to create the `keystore.jks` file in the `examples/puma/client-certs` directory because I didn't see any existing code to create the `examples/puma/keystore.jks` file. The commands to create this keystore would be: ``` cd examples/puma/client-certs openssl pkcs12 -chain -CAfile ./ca.crt -export -password pass:blahblah -inkey server.key -in server.crt -name server -out server.p12 keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -srcstorepass blahblah -destkeystore keystore.jks -deststoretype JKS -storepass blahblah keytool -importcert -alias ca -noprompt -trustcacerts -file ca.crt -keystore keystore.jks -storepass blahblah ```
2015-11-28 21:17:01 -05:00
sleep 0.1
assert_equal !!error, client_error
# The JRuby MiniSSL implementation lacks error capturing currently, so we can't inspect the
# messages here
unless defined?(JRUBY_VERSION)
ssl: Add Client Side Certificate Auth Add Client Side Certificate Auth feature and handling to puma's MiniSSL. Also exposes SSL errors to puma/apps. compatibility notes: MRI only shell example: puma -b 'ssl://127.0.0.1:9292?key=path_to_key&cert=path_to_cert&ca=path_to_ca&verify_mode=force_peer' code example: (examples/client_side_ssl) app = proc {|env| p env['puma.peercert']; [200, {}, ["hey"]] } events = SSLEvents.new($stdout, $stderr) server = Puma::Server.new(app, events) admin_context = Puma::MiniSSL::Context.new admin_context.key = KEY_PATH admin_context.cert = CERT_PATH admin_context.ca = CA_CERT_PATH admin_context.verify_mode = Puma::MiniSSL::VERIFY_PEER | Puma::MiniSSL::VERIFY_FAIL_IF_NO_PEER_CERT server.add_ssl_listener("0.0.0.0", ADMIN_PORT, admin_context) server.min_threads = MIN_THREADS server.max_threads = MAX_THREADS server.persistent_timeout = IDLE_TIMEOUT server.run.join additional credits: Andy Alness <andy.alness@gmail.com>
2015-01-13 23:11:26 -05:00
assert_match error, events.error.message if error
assert_equal @host, events.addr if error
assert_equal subject, events.cert.subject.to_s if subject
end
support TLS client auth (verify_mode) in jruby Adds support for `verify_mode` to configure client authentication when running under JRuby. Things to note: - Assumes the CA used to verify client certs is in the same java keystore file that is used when setting up the HTTPS TLS listener. We could split this out, but not sure if it's necessary. - Friendly/helpful error messages explaining why the verification failed are not present in the same way they are in the CRuby/OpenSSL code path. I'm not sure how to make them available. - I did not include any code to create the `keystore.jks` file in the `examples/puma/client-certs` directory because I didn't see any existing code to create the `examples/puma/keystore.jks` file. The commands to create this keystore would be: ``` cd examples/puma/client-certs openssl pkcs12 -chain -CAfile ./ca.crt -export -password pass:blahblah -inkey server.key -in server.crt -name server -out server.p12 keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -srcstorepass blahblah -destkeystore keystore.jks -deststoretype JKS -storepass blahblah keytool -importcert -alias ca -noprompt -trustcacerts -file ca.crt -keystore keystore.jks -storepass blahblah ```
2015-11-28 21:17:01 -05:00
ensure
@server.stop(true)
end
ssl: Add Client Side Certificate Auth Add Client Side Certificate Auth feature and handling to puma's MiniSSL. Also exposes SSL errors to puma/apps. compatibility notes: MRI only shell example: puma -b 'ssl://127.0.0.1:9292?key=path_to_key&cert=path_to_cert&ca=path_to_ca&verify_mode=force_peer' code example: (examples/client_side_ssl) app = proc {|env| p env['puma.peercert']; [200, {}, ["hey"]] } events = SSLEvents.new($stdout, $stderr) server = Puma::Server.new(app, events) admin_context = Puma::MiniSSL::Context.new admin_context.key = KEY_PATH admin_context.cert = CERT_PATH admin_context.ca = CA_CERT_PATH admin_context.verify_mode = Puma::MiniSSL::VERIFY_PEER | Puma::MiniSSL::VERIFY_FAIL_IF_NO_PEER_CERT server.add_ssl_listener("0.0.0.0", ADMIN_PORT, admin_context) server.min_threads = MIN_THREADS server.max_threads = MAX_THREADS server.persistent_timeout = IDLE_TIMEOUT server.run.join additional credits: Andy Alness <andy.alness@gmail.com>
2015-01-13 23:11:26 -05:00
support TLS client auth (verify_mode) in jruby Adds support for `verify_mode` to configure client authentication when running under JRuby. Things to note: - Assumes the CA used to verify client certs is in the same java keystore file that is used when setting up the HTTPS TLS listener. We could split this out, but not sure if it's necessary. - Friendly/helpful error messages explaining why the verification failed are not present in the same way they are in the CRuby/OpenSSL code path. I'm not sure how to make them available. - I did not include any code to create the `keystore.jks` file in the `examples/puma/client-certs` directory because I didn't see any existing code to create the `examples/puma/keystore.jks` file. The commands to create this keystore would be: ``` cd examples/puma/client-certs openssl pkcs12 -chain -CAfile ./ca.crt -export -password pass:blahblah -inkey server.key -in server.crt -name server -out server.p12 keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -srcstorepass blahblah -destkeystore keystore.jks -deststoretype JKS -storepass blahblah keytool -importcert -alias ca -noprompt -trustcacerts -file ca.crt -keystore keystore.jks -storepass blahblah ```
2015-11-28 21:17:01 -05:00
def test_verify_fail_if_no_client_cert
return if DISABLE_SSL
Disable SSL tests when SSL isn't used
2015-11-06 14:00:58 -05:00
support TLS client auth (verify_mode) in jruby Adds support for `verify_mode` to configure client authentication when running under JRuby. Things to note: - Assumes the CA used to verify client certs is in the same java keystore file that is used when setting up the HTTPS TLS listener. We could split this out, but not sure if it's necessary. - Friendly/helpful error messages explaining why the verification failed are not present in the same way they are in the CRuby/OpenSSL code path. I'm not sure how to make them available. - I did not include any code to create the `keystore.jks` file in the `examples/puma/client-certs` directory because I didn't see any existing code to create the `examples/puma/keystore.jks` file. The commands to create this keystore would be: ``` cd examples/puma/client-certs openssl pkcs12 -chain -CAfile ./ca.crt -export -password pass:blahblah -inkey server.key -in server.crt -name server -out server.p12 keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -srcstorepass blahblah -destkeystore keystore.jks -deststoretype JKS -storepass blahblah keytool -importcert -alias ca -noprompt -trustcacerts -file ca.crt -keystore keystore.jks -storepass blahblah ```
2015-11-28 21:17:01 -05:00
assert_ssl_client_error_match 'peer did not return a certificate' do |http|
# nothing
ssl: Add Client Side Certificate Auth Add Client Side Certificate Auth feature and handling to puma's MiniSSL. Also exposes SSL errors to puma/apps. compatibility notes: MRI only shell example: puma -b 'ssl://127.0.0.1:9292?key=path_to_key&cert=path_to_cert&ca=path_to_ca&verify_mode=force_peer' code example: (examples/client_side_ssl) app = proc {|env| p env['puma.peercert']; [200, {}, ["hey"]] } events = SSLEvents.new($stdout, $stderr) server = Puma::Server.new(app, events) admin_context = Puma::MiniSSL::Context.new admin_context.key = KEY_PATH admin_context.cert = CERT_PATH admin_context.ca = CA_CERT_PATH admin_context.verify_mode = Puma::MiniSSL::VERIFY_PEER | Puma::MiniSSL::VERIFY_FAIL_IF_NO_PEER_CERT server.add_ssl_listener("0.0.0.0", ADMIN_PORT, admin_context) server.min_threads = MIN_THREADS server.max_threads = MAX_THREADS server.persistent_timeout = IDLE_TIMEOUT server.run.join additional credits: Andy Alness <andy.alness@gmail.com>
2015-01-13 23:11:26 -05:00
end
support TLS client auth (verify_mode) in jruby Adds support for `verify_mode` to configure client authentication when running under JRuby. Things to note: - Assumes the CA used to verify client certs is in the same java keystore file that is used when setting up the HTTPS TLS listener. We could split this out, but not sure if it's necessary. - Friendly/helpful error messages explaining why the verification failed are not present in the same way they are in the CRuby/OpenSSL code path. I'm not sure how to make them available. - I did not include any code to create the `keystore.jks` file in the `examples/puma/client-certs` directory because I didn't see any existing code to create the `examples/puma/keystore.jks` file. The commands to create this keystore would be: ``` cd examples/puma/client-certs openssl pkcs12 -chain -CAfile ./ca.crt -export -password pass:blahblah -inkey server.key -in server.crt -name server -out server.p12 keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -srcstorepass blahblah -destkeystore keystore.jks -deststoretype JKS -storepass blahblah keytool -importcert -alias ca -noprompt -trustcacerts -file ca.crt -keystore keystore.jks -storepass blahblah ```
2015-11-28 21:17:01 -05:00
end
ssl: Add Client Side Certificate Auth Add Client Side Certificate Auth feature and handling to puma's MiniSSL. Also exposes SSL errors to puma/apps. compatibility notes: MRI only shell example: puma -b 'ssl://127.0.0.1:9292?key=path_to_key&cert=path_to_cert&ca=path_to_ca&verify_mode=force_peer' code example: (examples/client_side_ssl) app = proc {|env| p env['puma.peercert']; [200, {}, ["hey"]] } events = SSLEvents.new($stdout, $stderr) server = Puma::Server.new(app, events) admin_context = Puma::MiniSSL::Context.new admin_context.key = KEY_PATH admin_context.cert = CERT_PATH admin_context.ca = CA_CERT_PATH admin_context.verify_mode = Puma::MiniSSL::VERIFY_PEER | Puma::MiniSSL::VERIFY_FAIL_IF_NO_PEER_CERT server.add_ssl_listener("0.0.0.0", ADMIN_PORT, admin_context) server.min_threads = MIN_THREADS server.max_threads = MAX_THREADS server.persistent_timeout = IDLE_TIMEOUT server.run.join additional credits: Andy Alness <andy.alness@gmail.com>
2015-01-13 23:11:26 -05:00
support TLS client auth (verify_mode) in jruby Adds support for `verify_mode` to configure client authentication when running under JRuby. Things to note: - Assumes the CA used to verify client certs is in the same java keystore file that is used when setting up the HTTPS TLS listener. We could split this out, but not sure if it's necessary. - Friendly/helpful error messages explaining why the verification failed are not present in the same way they are in the CRuby/OpenSSL code path. I'm not sure how to make them available. - I did not include any code to create the `keystore.jks` file in the `examples/puma/client-certs` directory because I didn't see any existing code to create the `examples/puma/keystore.jks` file. The commands to create this keystore would be: ``` cd examples/puma/client-certs openssl pkcs12 -chain -CAfile ./ca.crt -export -password pass:blahblah -inkey server.key -in server.crt -name server -out server.p12 keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -srcstorepass blahblah -destkeystore keystore.jks -deststoretype JKS -storepass blahblah keytool -importcert -alias ca -noprompt -trustcacerts -file ca.crt -keystore keystore.jks -storepass blahblah ```
2015-11-28 21:17:01 -05:00
def test_verify_fail_if_client_unknown_ca
return if DISABLE_SSL
Disable SSL tests when SSL isn't used
2015-11-06 14:00:58 -05:00
support TLS client auth (verify_mode) in jruby Adds support for `verify_mode` to configure client authentication when running under JRuby. Things to note: - Assumes the CA used to verify client certs is in the same java keystore file that is used when setting up the HTTPS TLS listener. We could split this out, but not sure if it's necessary. - Friendly/helpful error messages explaining why the verification failed are not present in the same way they are in the CRuby/OpenSSL code path. I'm not sure how to make them available. - I did not include any code to create the `keystore.jks` file in the `examples/puma/client-certs` directory because I didn't see any existing code to create the `examples/puma/keystore.jks` file. The commands to create this keystore would be: ``` cd examples/puma/client-certs openssl pkcs12 -chain -CAfile ./ca.crt -export -password pass:blahblah -inkey server.key -in server.crt -name server -out server.p12 keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -srcstorepass blahblah -destkeystore keystore.jks -deststoretype JKS -storepass blahblah keytool -importcert -alias ca -noprompt -trustcacerts -file ca.crt -keystore keystore.jks -storepass blahblah ```
2015-11-28 21:17:01 -05:00
assert_ssl_client_error_match('self signed certificate in certificate chain', '/DC=net/DC=puma/CN=ca-unknown') do |http|
key = File.expand_path "../../examples/puma/client-certs/client_unknown.key", __FILE__
crt = File.expand_path "../../examples/puma/client-certs/client_unknown.crt", __FILE__
http.key = OpenSSL::PKey::RSA.new File.read(key)
http.cert = OpenSSL::X509::Certificate.new File.read(crt)
http.ca_file = File.expand_path "../../examples/puma/client-certs/unknown_ca.crt", __FILE__
ssl: Add Client Side Certificate Auth Add Client Side Certificate Auth feature and handling to puma's MiniSSL. Also exposes SSL errors to puma/apps. compatibility notes: MRI only shell example: puma -b 'ssl://127.0.0.1:9292?key=path_to_key&cert=path_to_cert&ca=path_to_ca&verify_mode=force_peer' code example: (examples/client_side_ssl) app = proc {|env| p env['puma.peercert']; [200, {}, ["hey"]] } events = SSLEvents.new($stdout, $stderr) server = Puma::Server.new(app, events) admin_context = Puma::MiniSSL::Context.new admin_context.key = KEY_PATH admin_context.cert = CERT_PATH admin_context.ca = CA_CERT_PATH admin_context.verify_mode = Puma::MiniSSL::VERIFY_PEER | Puma::MiniSSL::VERIFY_FAIL_IF_NO_PEER_CERT server.add_ssl_listener("0.0.0.0", ADMIN_PORT, admin_context) server.min_threads = MIN_THREADS server.max_threads = MAX_THREADS server.persistent_timeout = IDLE_TIMEOUT server.run.join additional credits: Andy Alness <andy.alness@gmail.com>
2015-01-13 23:11:26 -05:00
end
support TLS client auth (verify_mode) in jruby Adds support for `verify_mode` to configure client authentication when running under JRuby. Things to note: - Assumes the CA used to verify client certs is in the same java keystore file that is used when setting up the HTTPS TLS listener. We could split this out, but not sure if it's necessary. - Friendly/helpful error messages explaining why the verification failed are not present in the same way they are in the CRuby/OpenSSL code path. I'm not sure how to make them available. - I did not include any code to create the `keystore.jks` file in the `examples/puma/client-certs` directory because I didn't see any existing code to create the `examples/puma/keystore.jks` file. The commands to create this keystore would be: ``` cd examples/puma/client-certs openssl pkcs12 -chain -CAfile ./ca.crt -export -password pass:blahblah -inkey server.key -in server.crt -name server -out server.p12 keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -srcstorepass blahblah -destkeystore keystore.jks -deststoretype JKS -storepass blahblah keytool -importcert -alias ca -noprompt -trustcacerts -file ca.crt -keystore keystore.jks -storepass blahblah ```
2015-11-28 21:17:01 -05:00
end
ssl: Add Client Side Certificate Auth Add Client Side Certificate Auth feature and handling to puma's MiniSSL. Also exposes SSL errors to puma/apps. compatibility notes: MRI only shell example: puma -b 'ssl://127.0.0.1:9292?key=path_to_key&cert=path_to_cert&ca=path_to_ca&verify_mode=force_peer' code example: (examples/client_side_ssl) app = proc {|env| p env['puma.peercert']; [200, {}, ["hey"]] } events = SSLEvents.new($stdout, $stderr) server = Puma::Server.new(app, events) admin_context = Puma::MiniSSL::Context.new admin_context.key = KEY_PATH admin_context.cert = CERT_PATH admin_context.ca = CA_CERT_PATH admin_context.verify_mode = Puma::MiniSSL::VERIFY_PEER | Puma::MiniSSL::VERIFY_FAIL_IF_NO_PEER_CERT server.add_ssl_listener("0.0.0.0", ADMIN_PORT, admin_context) server.min_threads = MIN_THREADS server.max_threads = MAX_THREADS server.persistent_timeout = IDLE_TIMEOUT server.run.join additional credits: Andy Alness <andy.alness@gmail.com>
2015-01-13 23:11:26 -05:00
support TLS client auth (verify_mode) in jruby Adds support for `verify_mode` to configure client authentication when running under JRuby. Things to note: - Assumes the CA used to verify client certs is in the same java keystore file that is used when setting up the HTTPS TLS listener. We could split this out, but not sure if it's necessary. - Friendly/helpful error messages explaining why the verification failed are not present in the same way they are in the CRuby/OpenSSL code path. I'm not sure how to make them available. - I did not include any code to create the `keystore.jks` file in the `examples/puma/client-certs` directory because I didn't see any existing code to create the `examples/puma/keystore.jks` file. The commands to create this keystore would be: ``` cd examples/puma/client-certs openssl pkcs12 -chain -CAfile ./ca.crt -export -password pass:blahblah -inkey server.key -in server.crt -name server -out server.p12 keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -srcstorepass blahblah -destkeystore keystore.jks -deststoretype JKS -storepass blahblah keytool -importcert -alias ca -noprompt -trustcacerts -file ca.crt -keystore keystore.jks -storepass blahblah ```
2015-11-28 21:17:01 -05:00
def test_verify_fail_if_client_expired_cert
return if DISABLE_SSL
assert_ssl_client_error_match('certificate has expired', '/DC=net/DC=puma/CN=client-expired') do |http|
key = File.expand_path "../../examples/puma/client-certs/client_expired.key", __FILE__
crt = File.expand_path "../../examples/puma/client-certs/client_expired.crt", __FILE__
http.key = OpenSSL::PKey::RSA.new File.read(key)
http.cert = OpenSSL::X509::Certificate.new File.read(crt)
http.ca_file = File.expand_path "../../examples/puma/client-certs/ca.crt", __FILE__
ssl: Add Client Side Certificate Auth Add Client Side Certificate Auth feature and handling to puma's MiniSSL. Also exposes SSL errors to puma/apps. compatibility notes: MRI only shell example: puma -b 'ssl://127.0.0.1:9292?key=path_to_key&cert=path_to_cert&ca=path_to_ca&verify_mode=force_peer' code example: (examples/client_side_ssl) app = proc {|env| p env['puma.peercert']; [200, {}, ["hey"]] } events = SSLEvents.new($stdout, $stderr) server = Puma::Server.new(app, events) admin_context = Puma::MiniSSL::Context.new admin_context.key = KEY_PATH admin_context.cert = CERT_PATH admin_context.ca = CA_CERT_PATH admin_context.verify_mode = Puma::MiniSSL::VERIFY_PEER | Puma::MiniSSL::VERIFY_FAIL_IF_NO_PEER_CERT server.add_ssl_listener("0.0.0.0", ADMIN_PORT, admin_context) server.min_threads = MIN_THREADS server.max_threads = MAX_THREADS server.persistent_timeout = IDLE_TIMEOUT server.run.join additional credits: Andy Alness <andy.alness@gmail.com>
2015-01-13 23:11:26 -05:00
end
support TLS client auth (verify_mode) in jruby Adds support for `verify_mode` to configure client authentication when running under JRuby. Things to note: - Assumes the CA used to verify client certs is in the same java keystore file that is used when setting up the HTTPS TLS listener. We could split this out, but not sure if it's necessary. - Friendly/helpful error messages explaining why the verification failed are not present in the same way they are in the CRuby/OpenSSL code path. I'm not sure how to make them available. - I did not include any code to create the `keystore.jks` file in the `examples/puma/client-certs` directory because I didn't see any existing code to create the `examples/puma/keystore.jks` file. The commands to create this keystore would be: ``` cd examples/puma/client-certs openssl pkcs12 -chain -CAfile ./ca.crt -export -password pass:blahblah -inkey server.key -in server.crt -name server -out server.p12 keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -srcstorepass blahblah -destkeystore keystore.jks -deststoretype JKS -storepass blahblah keytool -importcert -alias ca -noprompt -trustcacerts -file ca.crt -keystore keystore.jks -storepass blahblah ```
2015-11-28 21:17:01 -05:00
end
ssl: Add Client Side Certificate Auth Add Client Side Certificate Auth feature and handling to puma's MiniSSL. Also exposes SSL errors to puma/apps. compatibility notes: MRI only shell example: puma -b 'ssl://127.0.0.1:9292?key=path_to_key&cert=path_to_cert&ca=path_to_ca&verify_mode=force_peer' code example: (examples/client_side_ssl) app = proc {|env| p env['puma.peercert']; [200, {}, ["hey"]] } events = SSLEvents.new($stdout, $stderr) server = Puma::Server.new(app, events) admin_context = Puma::MiniSSL::Context.new admin_context.key = KEY_PATH admin_context.cert = CERT_PATH admin_context.ca = CA_CERT_PATH admin_context.verify_mode = Puma::MiniSSL::VERIFY_PEER | Puma::MiniSSL::VERIFY_FAIL_IF_NO_PEER_CERT server.add_ssl_listener("0.0.0.0", ADMIN_PORT, admin_context) server.min_threads = MIN_THREADS server.max_threads = MAX_THREADS server.persistent_timeout = IDLE_TIMEOUT server.run.join additional credits: Andy Alness <andy.alness@gmail.com>
2015-01-13 23:11:26 -05:00
support TLS client auth (verify_mode) in jruby Adds support for `verify_mode` to configure client authentication when running under JRuby. Things to note: - Assumes the CA used to verify client certs is in the same java keystore file that is used when setting up the HTTPS TLS listener. We could split this out, but not sure if it's necessary. - Friendly/helpful error messages explaining why the verification failed are not present in the same way they are in the CRuby/OpenSSL code path. I'm not sure how to make them available. - I did not include any code to create the `keystore.jks` file in the `examples/puma/client-certs` directory because I didn't see any existing code to create the `examples/puma/keystore.jks` file. The commands to create this keystore would be: ``` cd examples/puma/client-certs openssl pkcs12 -chain -CAfile ./ca.crt -export -password pass:blahblah -inkey server.key -in server.crt -name server -out server.p12 keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -srcstorepass blahblah -destkeystore keystore.jks -deststoretype JKS -storepass blahblah keytool -importcert -alias ca -noprompt -trustcacerts -file ca.crt -keystore keystore.jks -storepass blahblah ```
2015-11-28 21:17:01 -05:00
def test_verify_client_cert
return if DISABLE_SSL
assert_ssl_client_error_match(nil) do |http|
key = File.expand_path "../../examples/puma/client-certs/client.key", __FILE__
crt = File.expand_path "../../examples/puma/client-certs/client.crt", __FILE__
http.key = OpenSSL::PKey::RSA.new File.read(key)
http.cert = OpenSSL::X509::Certificate.new File.read(crt)
http.ca_file = File.expand_path "../../examples/puma/client-certs/ca.crt", __FILE__
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
ssl: Add Client Side Certificate Auth Add Client Side Certificate Auth feature and handling to puma's MiniSSL. Also exposes SSL errors to puma/apps. compatibility notes: MRI only shell example: puma -b 'ssl://127.0.0.1:9292?key=path_to_key&cert=path_to_cert&ca=path_to_ca&verify_mode=force_peer' code example: (examples/client_side_ssl) app = proc {|env| p env['puma.peercert']; [200, {}, ["hey"]] } events = SSLEvents.new($stdout, $stderr) server = Puma::Server.new(app, events) admin_context = Puma::MiniSSL::Context.new admin_context.key = KEY_PATH admin_context.cert = CERT_PATH admin_context.ca = CA_CERT_PATH admin_context.verify_mode = Puma::MiniSSL::VERIFY_PEER | Puma::MiniSSL::VERIFY_FAIL_IF_NO_PEER_CERT server.add_ssl_listener("0.0.0.0", ADMIN_PORT, admin_context) server.min_threads = MIN_THREADS server.max_threads = MAX_THREADS server.persistent_timeout = IDLE_TIMEOUT server.run.join additional credits: Andy Alness <andy.alness@gmail.com>
2015-01-13 23:11:26 -05:00
end
end
end
Copy permalink