kotovalexarian-likes-github/puma--puma
1
0
Fork 0
mirror of https://github.com/puma/puma.git synced 2022-11-09 13:48:40 -05:00
Code Releases Activity
puma--puma/test/test_puma_server_ssl.rb

223 lines
6.1 KiB
Ruby
Raw Normal View History

Use Minitest instead of Test::Unit (#1152) * Bump minitest version. * Add basic test helper file. * Use minitest for web server tests. * Use Minitest for unix socket tests. * Use Minitest for ThreadPool tests. * Use Minitest for TCP-Rack tests * Use Minitest for TCPLogger tests. * Add missing helper to test helpers. * Use Minitest for Rack server tests. * Use Minitest for Rack handler tests. * Use Minitest for Puma::Server tests. * Use Minitest for Puma::Server with SSL tests. * Use Minitest for persisten connections tests. * Require puma in test_helper file. * Use minitest for Puma::NullIO tests. * Remove unnecessary requires on test files. * Use Minitest for MiniSSL tests. * Use Minitest for IOBuffer tests. * Require bundler/setup in Rakefile. * Use Minitest for HttpParser tests. * Use Minitest for Puma::Configuration tests. * Use Minitest for Puma::CLI tests. * Bump Minitest version for Ruby 2.1 Gemfile. * Use Minitest for integration tests. * Use Minitest for Puma::App::Status tests. * Remove test-unit from Gemfiles. * Add timeout helper to Minitest::Test. * Use Minitest for Puma::Binder tests. * Remove testhelp file. * Add missing require to Puma::Binder tests. * Prefer require instead of require_relative.
2016-11-22 10:05:49 -05:00
require "test_helper"
Add SSL support for JRuby - Implement MiniSSL for JRuby - Modify `Binder` and `MiniSSL::Context` to to accommodate the fact that Java SSL demands a java keystore rather than a key/cert pair - Change the MiniSSL native extension interface to take a `MiniSSL::Context` rather than a key/cert pair so that each extension can grab keys off the context as appropriate
2014-05-05 17:30:15 -04:00
Use Minitest instead of Test::Unit (#1152) * Bump minitest version. * Add basic test helper file. * Use minitest for web server tests. * Use Minitest for unix socket tests. * Use Minitest for ThreadPool tests. * Use Minitest for TCP-Rack tests * Use Minitest for TCPLogger tests. * Add missing helper to test helpers. * Use Minitest for Rack server tests. * Use Minitest for Rack handler tests. * Use Minitest for Puma::Server tests. * Use Minitest for Puma::Server with SSL tests. * Use Minitest for persisten connections tests. * Require puma in test_helper file. * Use minitest for Puma::NullIO tests. * Remove unnecessary requires on test files. * Use Minitest for MiniSSL tests. * Use Minitest for IOBuffer tests. * Require bundler/setup in Rakefile. * Use Minitest for HttpParser tests. * Use Minitest for Puma::Configuration tests. * Use Minitest for Puma::CLI tests. * Bump Minitest version for Ruby 2.1 Gemfile. * Use Minitest for integration tests. * Use Minitest for Puma::App::Status tests. * Remove test-unit from Gemfiles. * Add timeout helper to Minitest::Test. * Use Minitest for Puma::Binder tests. * Remove testhelp file. * Add missing require to Puma::Binder tests. * Prefer require instead of require_relative.
2016-11-22 10:05:49 -05:00
require "puma/events"
Add SSL support for JRuby - Implement MiniSSL for JRuby - Modify `Binder` and `MiniSSL::Context` to to accommodate the fact that Java SSL demands a java keystore rather than a key/cert pair - Change the MiniSSL native extension interface to take a `MiniSSL::Context` rather than a key/cert pair so that each extension can grab keys off the context as appropriate
2014-05-05 17:30:15 -04:00
ssl: Add Client Side Certificate Auth Add Client Side Certificate Auth feature and handling to puma's MiniSSL. Also exposes SSL errors to puma/apps. compatibility notes: MRI only shell example: puma -b 'ssl://127.0.0.1:9292?key=path_to_key&cert=path_to_cert&ca=path_to_ca&verify_mode=force_peer' code example: (examples/client_side_ssl) app = proc {|env| p env['puma.peercert']; [200, {}, ["hey"]] } events = SSLEvents.new($stdout, $stderr) server = Puma::Server.new(app, events) admin_context = Puma::MiniSSL::Context.new admin_context.key = KEY_PATH admin_context.cert = CERT_PATH admin_context.ca = CA_CERT_PATH admin_context.verify_mode = Puma::MiniSSL::VERIFY_PEER | Puma::MiniSSL::VERIFY_FAIL_IF_NO_PEER_CERT server.add_ssl_listener("0.0.0.0", ADMIN_PORT, admin_context) server.min_threads = MIN_THREADS server.max_threads = MAX_THREADS server.persistent_timeout = IDLE_TIMEOUT server.run.join additional credits: Andy Alness <andy.alness@gmail.com>
2015-01-13 23:11:26 -05:00
class SSLEventsHelper < ::Puma::Events
attr_accessor :addr, :cert, :error
def ssl_error(server, peeraddr, peercert, error)
self.addr = peeraddr
self.cert = peercert
self.error = error
end
end
Disable SSL tests when SSL isn't used
2015-11-06 14:00:58 -05:00
DISABLE_SSL = begin
Puma::MiniSSL.check
rescue
true
else
false
end
Use Minitest instead of Test::Unit (#1152) * Bump minitest version. * Add basic test helper file. * Use minitest for web server tests. * Use Minitest for unix socket tests. * Use Minitest for ThreadPool tests. * Use Minitest for TCP-Rack tests * Use Minitest for TCPLogger tests. * Add missing helper to test helpers. * Use Minitest for Rack server tests. * Use Minitest for Rack handler tests. * Use Minitest for Puma::Server tests. * Use Minitest for Puma::Server with SSL tests. * Use Minitest for persisten connections tests. * Require puma in test_helper file. * Use minitest for Puma::NullIO tests. * Remove unnecessary requires on test files. * Use Minitest for MiniSSL tests. * Use Minitest for IOBuffer tests. * Require bundler/setup in Rakefile. * Use Minitest for HttpParser tests. * Use Minitest for Puma::Configuration tests. * Use Minitest for Puma::CLI tests. * Bump Minitest version for Ruby 2.1 Gemfile. * Use Minitest for integration tests. * Use Minitest for Puma::App::Status tests. * Remove test-unit from Gemfiles. * Add timeout helper to Minitest::Test. * Use Minitest for Puma::Binder tests. * Remove testhelp file. * Add missing require to Puma::Binder tests. * Prefer require instead of require_relative.
2016-11-22 10:05:49 -05:00
class TestPumaServerSSL < Minitest::Test
Add SSL support for JRuby - Implement MiniSSL for JRuby - Modify `Binder` and `MiniSSL::Context` to to accommodate the fact that Java SSL demands a java keystore rather than a key/cert pair - Change the MiniSSL native extension interface to take a `MiniSSL::Context` rather than a key/cert pair so that each extension can grab keys off the context as appropriate
2014-05-05 17:30:15 -04:00
def setup
Disable SSL tests when SSL isn't used
2015-11-06 14:00:58 -05:00
return if DISABLE_SSL
Add SSL support for JRuby - Implement MiniSSL for JRuby - Modify `Binder` and `MiniSSL::Context` to to accommodate the fact that Java SSL demands a java keystore rather than a key/cert pair - Change the MiniSSL native extension interface to take a `MiniSSL::Context` rather than a key/cert pair so that each extension can grab keys off the context as appropriate
2014-05-05 17:30:15 -04:00
@port = 3212
@host = "127.0.0.1"
@app = lambda { |env| [200, {}, [env['rack.url_scheme']]] }
JRuby SSL POODLE update Default SSLv3 to disabled in response to the POODLE vulnerability.
2014-10-15 21:39:35 -04:00
@ctx = Puma::MiniSSL::Context.new
Add SSL support for JRuby - Implement MiniSSL for JRuby - Modify `Binder` and `MiniSSL::Context` to to accommodate the fact that Java SSL demands a java keystore rather than a key/cert pair - Change the MiniSSL native extension interface to take a `MiniSSL::Context` rather than a key/cert pair so that each extension can grab keys off the context as appropriate
2014-05-05 17:30:15 -04:00
if defined?(JRUBY_VERSION)
JRuby SSL POODLE update Default SSLv3 to disabled in response to the POODLE vulnerability.
2014-10-15 21:39:35 -04:00
@ctx.keystore = File.expand_path "../../examples/puma/keystore.jks", __FILE__
@ctx.keystore_pass = 'blahblah'
Add SSL support for JRuby - Implement MiniSSL for JRuby - Modify `Binder` and `MiniSSL::Context` to to accommodate the fact that Java SSL demands a java keystore rather than a key/cert pair - Change the MiniSSL native extension interface to take a `MiniSSL::Context` rather than a key/cert pair so that each extension can grab keys off the context as appropriate
2014-05-05 17:30:15 -04:00
else
JRuby SSL POODLE update Default SSLv3 to disabled in response to the POODLE vulnerability.
2014-10-15 21:39:35 -04:00
@ctx.key = File.expand_path "../../examples/puma/puma_keypair.pem", __FILE__
@ctx.cert = File.expand_path "../../examples/puma/cert_puma.pem", __FILE__
Add SSL support for JRuby - Implement MiniSSL for JRuby - Modify `Binder` and `MiniSSL::Context` to to accommodate the fact that Java SSL demands a java keystore rather than a key/cert pair - Change the MiniSSL native extension interface to take a `MiniSSL::Context` rather than a key/cert pair so that each extension can grab keys off the context as appropriate
2014-05-05 17:30:15 -04:00
end
JRuby SSL POODLE update Default SSLv3 to disabled in response to the POODLE vulnerability.
2014-10-15 21:39:35 -04:00
@ctx.verify_mode = Puma::MiniSSL::VERIFY_NONE
Add SSL support for JRuby - Implement MiniSSL for JRuby - Modify `Binder` and `MiniSSL::Context` to to accommodate the fact that Java SSL demands a java keystore rather than a key/cert pair - Change the MiniSSL native extension interface to take a `MiniSSL::Context` rather than a key/cert pair so that each extension can grab keys off the context as appropriate
2014-05-05 17:30:15 -04:00
ssl: Add Client Side Certificate Auth Add Client Side Certificate Auth feature and handling to puma's MiniSSL. Also exposes SSL errors to puma/apps. compatibility notes: MRI only shell example: puma -b 'ssl://127.0.0.1:9292?key=path_to_key&cert=path_to_cert&ca=path_to_ca&verify_mode=force_peer' code example: (examples/client_side_ssl) app = proc {|env| p env['puma.peercert']; [200, {}, ["hey"]] } events = SSLEvents.new($stdout, $stderr) server = Puma::Server.new(app, events) admin_context = Puma::MiniSSL::Context.new admin_context.key = KEY_PATH admin_context.cert = CERT_PATH admin_context.ca = CA_CERT_PATH admin_context.verify_mode = Puma::MiniSSL::VERIFY_PEER | Puma::MiniSSL::VERIFY_FAIL_IF_NO_PEER_CERT server.add_ssl_listener("0.0.0.0", ADMIN_PORT, admin_context) server.min_threads = MIN_THREADS server.max_threads = MAX_THREADS server.persistent_timeout = IDLE_TIMEOUT server.run.join additional credits: Andy Alness <andy.alness@gmail.com>
2015-01-13 23:11:26 -05:00
@events = SSLEventsHelper.new STDOUT, STDERR
Add SSL support for JRuby - Implement MiniSSL for JRuby - Modify `Binder` and `MiniSSL::Context` to to accommodate the fact that Java SSL demands a java keystore rather than a key/cert pair - Change the MiniSSL native extension interface to take a `MiniSSL::Context` rather than a key/cert pair so that each extension can grab keys off the context as appropriate
2014-05-05 17:30:15 -04:00
@server = Puma::Server.new @app, @events
JRuby SSL POODLE update Default SSLv3 to disabled in response to the POODLE vulnerability.
2014-10-15 21:39:35 -04:00
@server.add_ssl_listener @host, @port, @ctx
Add SSL support for JRuby - Implement MiniSSL for JRuby - Modify `Binder` and `MiniSSL::Context` to to accommodate the fact that Java SSL demands a java keystore rather than a key/cert pair - Change the MiniSSL native extension interface to take a `MiniSSL::Context` rather than a key/cert pair so that each extension can grab keys off the context as appropriate
2014-05-05 17:30:15 -04:00
@server.run
@http = Net::HTTP.new @host, @port
@http.use_ssl = true
@http.verify_mode = OpenSSL::SSL::VERIFY_NONE
end
def teardown
Disable SSL tests when SSL isn't used
2015-11-06 14:00:58 -05:00
return if DISABLE_SSL
Add SSL support for JRuby - Implement MiniSSL for JRuby - Modify `Binder` and `MiniSSL::Context` to to accommodate the fact that Java SSL demands a java keystore rather than a key/cert pair - Change the MiniSSL native extension interface to take a `MiniSSL::Context` rather than a key/cert pair so that each extension can grab keys off the context as appropriate
2014-05-05 17:30:15 -04:00
@server.stop(true)
end
def test_url_scheme_for_https
Disable SSL tests when SSL isn't used
2015-11-06 14:00:58 -05:00
return if DISABLE_SSL
Add SSL support for JRuby - Implement MiniSSL for JRuby - Modify `Binder` and `MiniSSL::Context` to to accommodate the fact that Java SSL demands a java keystore rather than a key/cert pair - Change the MiniSSL native extension interface to take a `MiniSSL::Context` rather than a key/cert pair so that each extension can grab keys off the context as appropriate
2014-05-05 17:30:15 -04:00
body = nil
@http.start do
req = Net::HTTP::Get.new "/", {}
@http.request(req) do |rep|
body = rep.body
end
end
assert_equal "https", body
end
def test_very_large_return
Disable SSL tests when SSL isn't used
2015-11-06 14:00:58 -05:00
return if DISABLE_SSL
Add SSL support for JRuby - Implement MiniSSL for JRuby - Modify `Binder` and `MiniSSL::Context` to to accommodate the fact that Java SSL demands a java keystore rather than a key/cert pair - Change the MiniSSL native extension interface to take a `MiniSSL::Context` rather than a key/cert pair so that each extension can grab keys off the context as appropriate
2014-05-05 17:30:15 -04:00
giant = "x" * 2056610
@server.app = proc do
[200, {}, [giant]]
end
body = nil
@http.start do
req = Net::HTTP::Get.new "/"
@http.request(req) do |rep|
body = rep.body
end
end
assert_equal giant.bytesize, body.bytesize
end
def test_form_submit
Disable SSL tests when SSL isn't used
2015-11-06 14:00:58 -05:00
return if DISABLE_SSL
Add SSL support for JRuby - Implement MiniSSL for JRuby - Modify `Binder` and `MiniSSL::Context` to to accommodate the fact that Java SSL demands a java keystore rather than a key/cert pair - Change the MiniSSL native extension interface to take a `MiniSSL::Context` rather than a key/cert pair so that each extension can grab keys off the context as appropriate
2014-05-05 17:30:15 -04:00
body = nil
@http.start do
req = Net::HTTP::Post.new '/'
req.set_form_data('a' => '1', 'b' => '2')
@http.request(req) do |rep|
body = rep.body
end
end
assert_equal "https", body
end
Remove support for 1.8.7 and 1.9.2.
2016-09-01 17:57:38 -04:00
def test_ssl_v3_rejection
return if DISABLE_SSL
@http.ssl_version='SSLv3'
assert_raises(OpenSSL::SSL::SSLError) do
@http.start do
Net::HTTP::Get.new '/'
JRuby SSL POODLE update Default SSLv3 to disabled in response to the POODLE vulnerability.
2014-10-15 21:39:35 -04:00
end
ssl: Add Client Side Certificate Auth Add Client Side Certificate Auth feature and handling to puma's MiniSSL. Also exposes SSL errors to puma/apps. compatibility notes: MRI only shell example: puma -b 'ssl://127.0.0.1:9292?key=path_to_key&cert=path_to_cert&ca=path_to_ca&verify_mode=force_peer' code example: (examples/client_side_ssl) app = proc {|env| p env['puma.peercert']; [200, {}, ["hey"]] } events = SSLEvents.new($stdout, $stderr) server = Puma::Server.new(app, events) admin_context = Puma::MiniSSL::Context.new admin_context.key = KEY_PATH admin_context.cert = CERT_PATH admin_context.ca = CA_CERT_PATH admin_context.verify_mode = Puma::MiniSSL::VERIFY_PEER | Puma::MiniSSL::VERIFY_FAIL_IF_NO_PEER_CERT server.add_ssl_listener("0.0.0.0", ADMIN_PORT, admin_context) server.min_threads = MIN_THREADS server.max_threads = MAX_THREADS server.persistent_timeout = IDLE_TIMEOUT server.run.join additional credits: Andy Alness <andy.alness@gmail.com>
2015-01-13 23:11:26 -05:00
end
Remove support for 1.8.7 and 1.9.2.
2016-09-01 17:57:38 -04:00
unless defined?(JRUBY_VERSION)
assert_match("wrong version number", @events.error.message) if @events.error
end
Fix hang on bad SSL handshake Both the C and JRuby SSL implementations would hang on a bad handshake because they were not producing the EOF expected in that case. Update their error handling to behave correctly here (note: `test_ssl_v3_rejection` covers this).
2015-05-01 19:39:22 -04:00
end
JRuby SSL POODLE update Default SSLv3 to disabled in response to the POODLE vulnerability.
2014-10-15 21:39:35 -04:00
ssl: Add Client Side Certificate Auth Add Client Side Certificate Auth feature and handling to puma's MiniSSL. Also exposes SSL errors to puma/apps. compatibility notes: MRI only shell example: puma -b 'ssl://127.0.0.1:9292?key=path_to_key&cert=path_to_cert&ca=path_to_ca&verify_mode=force_peer' code example: (examples/client_side_ssl) app = proc {|env| p env['puma.peercert']; [200, {}, ["hey"]] } events = SSLEvents.new($stdout, $stderr) server = Puma::Server.new(app, events) admin_context = Puma::MiniSSL::Context.new admin_context.key = KEY_PATH admin_context.cert = CERT_PATH admin_context.ca = CA_CERT_PATH admin_context.verify_mode = Puma::MiniSSL::VERIFY_PEER | Puma::MiniSSL::VERIFY_FAIL_IF_NO_PEER_CERT server.add_ssl_listener("0.0.0.0", ADMIN_PORT, admin_context) server.min_threads = MIN_THREADS server.max_threads = MAX_THREADS server.persistent_timeout = IDLE_TIMEOUT server.run.join additional credits: Andy Alness <andy.alness@gmail.com>
2015-01-13 23:11:26 -05:00
end
# client-side TLS authentication tests
Use Minitest instead of Test::Unit (#1152) * Bump minitest version. * Add basic test helper file. * Use minitest for web server tests. * Use Minitest for unix socket tests. * Use Minitest for ThreadPool tests. * Use Minitest for TCP-Rack tests * Use Minitest for TCPLogger tests. * Add missing helper to test helpers. * Use Minitest for Rack server tests. * Use Minitest for Rack handler tests. * Use Minitest for Puma::Server tests. * Use Minitest for Puma::Server with SSL tests. * Use Minitest for persisten connections tests. * Require puma in test_helper file. * Use minitest for Puma::NullIO tests. * Remove unnecessary requires on test files. * Use Minitest for MiniSSL tests. * Use Minitest for IOBuffer tests. * Require bundler/setup in Rakefile. * Use Minitest for HttpParser tests. * Use Minitest for Puma::Configuration tests. * Use Minitest for Puma::CLI tests. * Bump Minitest version for Ruby 2.1 Gemfile. * Use Minitest for integration tests. * Use Minitest for Puma::App::Status tests. * Remove test-unit from Gemfiles. * Add timeout helper to Minitest::Test. * Use Minitest for Puma::Binder tests. * Remove testhelp file. * Add missing require to Puma::Binder tests. * Prefer require instead of require_relative.
2016-11-22 10:05:49 -05:00
class TestPumaServerSSLClient < Minitest::Test
ssl: Add Client Side Certificate Auth Add Client Side Certificate Auth feature and handling to puma's MiniSSL. Also exposes SSL errors to puma/apps. compatibility notes: MRI only shell example: puma -b 'ssl://127.0.0.1:9292?key=path_to_key&cert=path_to_cert&ca=path_to_ca&verify_mode=force_peer' code example: (examples/client_side_ssl) app = proc {|env| p env['puma.peercert']; [200, {}, ["hey"]] } events = SSLEvents.new($stdout, $stderr) server = Puma::Server.new(app, events) admin_context = Puma::MiniSSL::Context.new admin_context.key = KEY_PATH admin_context.cert = CERT_PATH admin_context.ca = CA_CERT_PATH admin_context.verify_mode = Puma::MiniSSL::VERIFY_PEER | Puma::MiniSSL::VERIFY_FAIL_IF_NO_PEER_CERT server.add_ssl_listener("0.0.0.0", ADMIN_PORT, admin_context) server.min_threads = MIN_THREADS server.max_threads = MAX_THREADS server.persistent_timeout = IDLE_TIMEOUT server.run.join additional credits: Andy Alness <andy.alness@gmail.com>
2015-01-13 23:11:26 -05:00
support TLS client auth (verify_mode) in jruby Adds support for `verify_mode` to configure client authentication when running under JRuby. Things to note: - Assumes the CA used to verify client certs is in the same java keystore file that is used when setting up the HTTPS TLS listener. We could split this out, but not sure if it's necessary. - Friendly/helpful error messages explaining why the verification failed are not present in the same way they are in the CRuby/OpenSSL code path. I'm not sure how to make them available. - I did not include any code to create the `keystore.jks` file in the `examples/puma/client-certs` directory because I didn't see any existing code to create the `examples/puma/keystore.jks` file. The commands to create this keystore would be: ``` cd examples/puma/client-certs openssl pkcs12 -chain -CAfile ./ca.crt -export -password pass:blahblah -inkey server.key -in server.crt -name server -out server.p12 keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -srcstorepass blahblah -destkeystore keystore.jks -deststoretype JKS -storepass blahblah keytool -importcert -alias ca -noprompt -trustcacerts -file ca.crt -keystore keystore.jks -storepass blahblah ```
2015-11-28 21:17:01 -05:00
def assert_ssl_client_error_match(error, subject=nil, &blk)
@port = 3212
@host = "127.0.0.1"
ssl: Add Client Side Certificate Auth Add Client Side Certificate Auth feature and handling to puma's MiniSSL. Also exposes SSL errors to puma/apps. compatibility notes: MRI only shell example: puma -b 'ssl://127.0.0.1:9292?key=path_to_key&cert=path_to_cert&ca=path_to_ca&verify_mode=force_peer' code example: (examples/client_side_ssl) app = proc {|env| p env['puma.peercert']; [200, {}, ["hey"]] } events = SSLEvents.new($stdout, $stderr) server = Puma::Server.new(app, events) admin_context = Puma::MiniSSL::Context.new admin_context.key = KEY_PATH admin_context.cert = CERT_PATH admin_context.ca = CA_CERT_PATH admin_context.verify_mode = Puma::MiniSSL::VERIFY_PEER | Puma::MiniSSL::VERIFY_FAIL_IF_NO_PEER_CERT server.add_ssl_listener("0.0.0.0", ADMIN_PORT, admin_context) server.min_threads = MIN_THREADS server.max_threads = MAX_THREADS server.persistent_timeout = IDLE_TIMEOUT server.run.join additional credits: Andy Alness <andy.alness@gmail.com>
2015-01-13 23:11:26 -05:00
support TLS client auth (verify_mode) in jruby Adds support for `verify_mode` to configure client authentication when running under JRuby. Things to note: - Assumes the CA used to verify client certs is in the same java keystore file that is used when setting up the HTTPS TLS listener. We could split this out, but not sure if it's necessary. - Friendly/helpful error messages explaining why the verification failed are not present in the same way they are in the CRuby/OpenSSL code path. I'm not sure how to make them available. - I did not include any code to create the `keystore.jks` file in the `examples/puma/client-certs` directory because I didn't see any existing code to create the `examples/puma/keystore.jks` file. The commands to create this keystore would be: ``` cd examples/puma/client-certs openssl pkcs12 -chain -CAfile ./ca.crt -export -password pass:blahblah -inkey server.key -in server.crt -name server -out server.p12 keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -srcstorepass blahblah -destkeystore keystore.jks -deststoretype JKS -storepass blahblah keytool -importcert -alias ca -noprompt -trustcacerts -file ca.crt -keystore keystore.jks -storepass blahblah ```
2015-11-28 21:17:01 -05:00
@app = lambda { |env| [200, {}, [env['rack.url_scheme']]] }
ssl: Add Client Side Certificate Auth Add Client Side Certificate Auth feature and handling to puma's MiniSSL. Also exposes SSL errors to puma/apps. compatibility notes: MRI only shell example: puma -b 'ssl://127.0.0.1:9292?key=path_to_key&cert=path_to_cert&ca=path_to_ca&verify_mode=force_peer' code example: (examples/client_side_ssl) app = proc {|env| p env['puma.peercert']; [200, {}, ["hey"]] } events = SSLEvents.new($stdout, $stderr) server = Puma::Server.new(app, events) admin_context = Puma::MiniSSL::Context.new admin_context.key = KEY_PATH admin_context.cert = CERT_PATH admin_context.ca = CA_CERT_PATH admin_context.verify_mode = Puma::MiniSSL::VERIFY_PEER | Puma::MiniSSL::VERIFY_FAIL_IF_NO_PEER_CERT server.add_ssl_listener("0.0.0.0", ADMIN_PORT, admin_context) server.min_threads = MIN_THREADS server.max_threads = MAX_THREADS server.persistent_timeout = IDLE_TIMEOUT server.run.join additional credits: Andy Alness <andy.alness@gmail.com>
2015-01-13 23:11:26 -05:00
support TLS client auth (verify_mode) in jruby Adds support for `verify_mode` to configure client authentication when running under JRuby. Things to note: - Assumes the CA used to verify client certs is in the same java keystore file that is used when setting up the HTTPS TLS listener. We could split this out, but not sure if it's necessary. - Friendly/helpful error messages explaining why the verification failed are not present in the same way they are in the CRuby/OpenSSL code path. I'm not sure how to make them available. - I did not include any code to create the `keystore.jks` file in the `examples/puma/client-certs` directory because I didn't see any existing code to create the `examples/puma/keystore.jks` file. The commands to create this keystore would be: ``` cd examples/puma/client-certs openssl pkcs12 -chain -CAfile ./ca.crt -export -password pass:blahblah -inkey server.key -in server.crt -name server -out server.p12 keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -srcstorepass blahblah -destkeystore keystore.jks -deststoretype JKS -storepass blahblah keytool -importcert -alias ca -noprompt -trustcacerts -file ca.crt -keystore keystore.jks -storepass blahblah ```
2015-11-28 21:17:01 -05:00
@ctx = Puma::MiniSSL::Context.new
if defined?(JRUBY_VERSION)
@ctx.keystore = File.expand_path "../../examples/puma/client-certs/keystore.jks", __FILE__
@ctx.keystore_pass = 'blahblah'
else
ssl: Add Client Side Certificate Auth Add Client Side Certificate Auth feature and handling to puma's MiniSSL. Also exposes SSL errors to puma/apps. compatibility notes: MRI only shell example: puma -b 'ssl://127.0.0.1:9292?key=path_to_key&cert=path_to_cert&ca=path_to_ca&verify_mode=force_peer' code example: (examples/client_side_ssl) app = proc {|env| p env['puma.peercert']; [200, {}, ["hey"]] } events = SSLEvents.new($stdout, $stderr) server = Puma::Server.new(app, events) admin_context = Puma::MiniSSL::Context.new admin_context.key = KEY_PATH admin_context.cert = CERT_PATH admin_context.ca = CA_CERT_PATH admin_context.verify_mode = Puma::MiniSSL::VERIFY_PEER | Puma::MiniSSL::VERIFY_FAIL_IF_NO_PEER_CERT server.add_ssl_listener("0.0.0.0", ADMIN_PORT, admin_context) server.min_threads = MIN_THREADS server.max_threads = MAX_THREADS server.persistent_timeout = IDLE_TIMEOUT server.run.join additional credits: Andy Alness <andy.alness@gmail.com>
2015-01-13 23:11:26 -05:00
@ctx.key = File.expand_path "../../examples/puma/client-certs/server.key", __FILE__
@ctx.cert = File.expand_path "../../examples/puma/client-certs/server.crt", __FILE__
@ctx.ca = File.expand_path "../../examples/puma/client-certs/ca.crt", __FILE__
support TLS client auth (verify_mode) in jruby Adds support for `verify_mode` to configure client authentication when running under JRuby. Things to note: - Assumes the CA used to verify client certs is in the same java keystore file that is used when setting up the HTTPS TLS listener. We could split this out, but not sure if it's necessary. - Friendly/helpful error messages explaining why the verification failed are not present in the same way they are in the CRuby/OpenSSL code path. I'm not sure how to make them available. - I did not include any code to create the `keystore.jks` file in the `examples/puma/client-certs` directory because I didn't see any existing code to create the `examples/puma/keystore.jks` file. The commands to create this keystore would be: ``` cd examples/puma/client-certs openssl pkcs12 -chain -CAfile ./ca.crt -export -password pass:blahblah -inkey server.key -in server.crt -name server -out server.p12 keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -srcstorepass blahblah -destkeystore keystore.jks -deststoretype JKS -storepass blahblah keytool -importcert -alias ca -noprompt -trustcacerts -file ca.crt -keystore keystore.jks -storepass blahblah ```
2015-11-28 21:17:01 -05:00
end
@ctx.verify_mode = Puma::MiniSSL::VERIFY_PEER | Puma::MiniSSL::VERIFY_FAIL_IF_NO_PEER_CERT
ssl: Add Client Side Certificate Auth Add Client Side Certificate Auth feature and handling to puma's MiniSSL. Also exposes SSL errors to puma/apps. compatibility notes: MRI only shell example: puma -b 'ssl://127.0.0.1:9292?key=path_to_key&cert=path_to_cert&ca=path_to_ca&verify_mode=force_peer' code example: (examples/client_side_ssl) app = proc {|env| p env['puma.peercert']; [200, {}, ["hey"]] } events = SSLEvents.new($stdout, $stderr) server = Puma::Server.new(app, events) admin_context = Puma::MiniSSL::Context.new admin_context.key = KEY_PATH admin_context.cert = CERT_PATH admin_context.ca = CA_CERT_PATH admin_context.verify_mode = Puma::MiniSSL::VERIFY_PEER | Puma::MiniSSL::VERIFY_FAIL_IF_NO_PEER_CERT server.add_ssl_listener("0.0.0.0", ADMIN_PORT, admin_context) server.min_threads = MIN_THREADS server.max_threads = MAX_THREADS server.persistent_timeout = IDLE_TIMEOUT server.run.join additional credits: Andy Alness <andy.alness@gmail.com>
2015-01-13 23:11:26 -05:00
support TLS client auth (verify_mode) in jruby Adds support for `verify_mode` to configure client authentication when running under JRuby. Things to note: - Assumes the CA used to verify client certs is in the same java keystore file that is used when setting up the HTTPS TLS listener. We could split this out, but not sure if it's necessary. - Friendly/helpful error messages explaining why the verification failed are not present in the same way they are in the CRuby/OpenSSL code path. I'm not sure how to make them available. - I did not include any code to create the `keystore.jks` file in the `examples/puma/client-certs` directory because I didn't see any existing code to create the `examples/puma/keystore.jks` file. The commands to create this keystore would be: ``` cd examples/puma/client-certs openssl pkcs12 -chain -CAfile ./ca.crt -export -password pass:blahblah -inkey server.key -in server.crt -name server -out server.p12 keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -srcstorepass blahblah -destkeystore keystore.jks -deststoretype JKS -storepass blahblah keytool -importcert -alias ca -noprompt -trustcacerts -file ca.crt -keystore keystore.jks -storepass blahblah ```
2015-11-28 21:17:01 -05:00
events = SSLEventsHelper.new STDOUT, STDERR
@server = Puma::Server.new @app, events
@server.add_ssl_listener @host, @port, @ctx
@server.run
ssl: Add Client Side Certificate Auth Add Client Side Certificate Auth feature and handling to puma's MiniSSL. Also exposes SSL errors to puma/apps. compatibility notes: MRI only shell example: puma -b 'ssl://127.0.0.1:9292?key=path_to_key&cert=path_to_cert&ca=path_to_ca&verify_mode=force_peer' code example: (examples/client_side_ssl) app = proc {|env| p env['puma.peercert']; [200, {}, ["hey"]] } events = SSLEvents.new($stdout, $stderr) server = Puma::Server.new(app, events) admin_context = Puma::MiniSSL::Context.new admin_context.key = KEY_PATH admin_context.cert = CERT_PATH admin_context.ca = CA_CERT_PATH admin_context.verify_mode = Puma::MiniSSL::VERIFY_PEER | Puma::MiniSSL::VERIFY_FAIL_IF_NO_PEER_CERT server.add_ssl_listener("0.0.0.0", ADMIN_PORT, admin_context) server.min_threads = MIN_THREADS server.max_threads = MAX_THREADS server.persistent_timeout = IDLE_TIMEOUT server.run.join additional credits: Andy Alness <andy.alness@gmail.com>
2015-01-13 23:11:26 -05:00
support TLS client auth (verify_mode) in jruby Adds support for `verify_mode` to configure client authentication when running under JRuby. Things to note: - Assumes the CA used to verify client certs is in the same java keystore file that is used when setting up the HTTPS TLS listener. We could split this out, but not sure if it's necessary. - Friendly/helpful error messages explaining why the verification failed are not present in the same way they are in the CRuby/OpenSSL code path. I'm not sure how to make them available. - I did not include any code to create the `keystore.jks` file in the `examples/puma/client-certs` directory because I didn't see any existing code to create the `examples/puma/keystore.jks` file. The commands to create this keystore would be: ``` cd examples/puma/client-certs openssl pkcs12 -chain -CAfile ./ca.crt -export -password pass:blahblah -inkey server.key -in server.crt -name server -out server.p12 keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -srcstorepass blahblah -destkeystore keystore.jks -deststoretype JKS -storepass blahblah keytool -importcert -alias ca -noprompt -trustcacerts -file ca.crt -keystore keystore.jks -storepass blahblah ```
2015-11-28 21:17:01 -05:00
@http = Net::HTTP.new @host, @port
@http.use_ssl = true
@http.verify_mode = OpenSSL::SSL::VERIFY_NONE
ssl: Add Client Side Certificate Auth Add Client Side Certificate Auth feature and handling to puma's MiniSSL. Also exposes SSL errors to puma/apps. compatibility notes: MRI only shell example: puma -b 'ssl://127.0.0.1:9292?key=path_to_key&cert=path_to_cert&ca=path_to_ca&verify_mode=force_peer' code example: (examples/client_side_ssl) app = proc {|env| p env['puma.peercert']; [200, {}, ["hey"]] } events = SSLEvents.new($stdout, $stderr) server = Puma::Server.new(app, events) admin_context = Puma::MiniSSL::Context.new admin_context.key = KEY_PATH admin_context.cert = CERT_PATH admin_context.ca = CA_CERT_PATH admin_context.verify_mode = Puma::MiniSSL::VERIFY_PEER | Puma::MiniSSL::VERIFY_FAIL_IF_NO_PEER_CERT server.add_ssl_listener("0.0.0.0", ADMIN_PORT, admin_context) server.min_threads = MIN_THREADS server.max_threads = MAX_THREADS server.persistent_timeout = IDLE_TIMEOUT server.run.join additional credits: Andy Alness <andy.alness@gmail.com>
2015-01-13 23:11:26 -05:00
support TLS client auth (verify_mode) in jruby Adds support for `verify_mode` to configure client authentication when running under JRuby. Things to note: - Assumes the CA used to verify client certs is in the same java keystore file that is used when setting up the HTTPS TLS listener. We could split this out, but not sure if it's necessary. - Friendly/helpful error messages explaining why the verification failed are not present in the same way they are in the CRuby/OpenSSL code path. I'm not sure how to make them available. - I did not include any code to create the `keystore.jks` file in the `examples/puma/client-certs` directory because I didn't see any existing code to create the `examples/puma/keystore.jks` file. The commands to create this keystore would be: ``` cd examples/puma/client-certs openssl pkcs12 -chain -CAfile ./ca.crt -export -password pass:blahblah -inkey server.key -in server.crt -name server -out server.p12 keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -srcstorepass blahblah -destkeystore keystore.jks -deststoretype JKS -storepass blahblah keytool -importcert -alias ca -noprompt -trustcacerts -file ca.crt -keystore keystore.jks -storepass blahblah ```
2015-11-28 21:17:01 -05:00
blk.call(@http)
ssl: Add Client Side Certificate Auth Add Client Side Certificate Auth feature and handling to puma's MiniSSL. Also exposes SSL errors to puma/apps. compatibility notes: MRI only shell example: puma -b 'ssl://127.0.0.1:9292?key=path_to_key&cert=path_to_cert&ca=path_to_ca&verify_mode=force_peer' code example: (examples/client_side_ssl) app = proc {|env| p env['puma.peercert']; [200, {}, ["hey"]] } events = SSLEvents.new($stdout, $stderr) server = Puma::Server.new(app, events) admin_context = Puma::MiniSSL::Context.new admin_context.key = KEY_PATH admin_context.cert = CERT_PATH admin_context.ca = CA_CERT_PATH admin_context.verify_mode = Puma::MiniSSL::VERIFY_PEER | Puma::MiniSSL::VERIFY_FAIL_IF_NO_PEER_CERT server.add_ssl_listener("0.0.0.0", ADMIN_PORT, admin_context) server.min_threads = MIN_THREADS server.max_threads = MAX_THREADS server.persistent_timeout = IDLE_TIMEOUT server.run.join additional credits: Andy Alness <andy.alness@gmail.com>
2015-01-13 23:11:26 -05:00
support TLS client auth (verify_mode) in jruby Adds support for `verify_mode` to configure client authentication when running under JRuby. Things to note: - Assumes the CA used to verify client certs is in the same java keystore file that is used when setting up the HTTPS TLS listener. We could split this out, but not sure if it's necessary. - Friendly/helpful error messages explaining why the verification failed are not present in the same way they are in the CRuby/OpenSSL code path. I'm not sure how to make them available. - I did not include any code to create the `keystore.jks` file in the `examples/puma/client-certs` directory because I didn't see any existing code to create the `examples/puma/keystore.jks` file. The commands to create this keystore would be: ``` cd examples/puma/client-certs openssl pkcs12 -chain -CAfile ./ca.crt -export -password pass:blahblah -inkey server.key -in server.crt -name server -out server.p12 keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -srcstorepass blahblah -destkeystore keystore.jks -deststoretype JKS -storepass blahblah keytool -importcert -alias ca -noprompt -trustcacerts -file ca.crt -keystore keystore.jks -storepass blahblah ```
2015-11-28 21:17:01 -05:00
client_error = false
begin
@http.start do
req = Net::HTTP::Get.new "/", {}
@http.request(req)
ssl: Add Client Side Certificate Auth Add Client Side Certificate Auth feature and handling to puma's MiniSSL. Also exposes SSL errors to puma/apps. compatibility notes: MRI only shell example: puma -b 'ssl://127.0.0.1:9292?key=path_to_key&cert=path_to_cert&ca=path_to_ca&verify_mode=force_peer' code example: (examples/client_side_ssl) app = proc {|env| p env['puma.peercert']; [200, {}, ["hey"]] } events = SSLEvents.new($stdout, $stderr) server = Puma::Server.new(app, events) admin_context = Puma::MiniSSL::Context.new admin_context.key = KEY_PATH admin_context.cert = CERT_PATH admin_context.ca = CA_CERT_PATH admin_context.verify_mode = Puma::MiniSSL::VERIFY_PEER | Puma::MiniSSL::VERIFY_FAIL_IF_NO_PEER_CERT server.add_ssl_listener("0.0.0.0", ADMIN_PORT, admin_context) server.min_threads = MIN_THREADS server.max_threads = MAX_THREADS server.persistent_timeout = IDLE_TIMEOUT server.run.join additional credits: Andy Alness <andy.alness@gmail.com>
2015-01-13 23:11:26 -05:00
end
support TLS client auth (verify_mode) in jruby Adds support for `verify_mode` to configure client authentication when running under JRuby. Things to note: - Assumes the CA used to verify client certs is in the same java keystore file that is used when setting up the HTTPS TLS listener. We could split this out, but not sure if it's necessary. - Friendly/helpful error messages explaining why the verification failed are not present in the same way they are in the CRuby/OpenSSL code path. I'm not sure how to make them available. - I did not include any code to create the `keystore.jks` file in the `examples/puma/client-certs` directory because I didn't see any existing code to create the `examples/puma/keystore.jks` file. The commands to create this keystore would be: ``` cd examples/puma/client-certs openssl pkcs12 -chain -CAfile ./ca.crt -export -password pass:blahblah -inkey server.key -in server.crt -name server -out server.p12 keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -srcstorepass blahblah -destkeystore keystore.jks -deststoretype JKS -storepass blahblah keytool -importcert -alias ca -noprompt -trustcacerts -file ca.crt -keystore keystore.jks -storepass blahblah ```
2015-11-28 21:17:01 -05:00
rescue OpenSSL::SSL::SSLError
client_error = true
end
ssl: Add Client Side Certificate Auth Add Client Side Certificate Auth feature and handling to puma's MiniSSL. Also exposes SSL errors to puma/apps. compatibility notes: MRI only shell example: puma -b 'ssl://127.0.0.1:9292?key=path_to_key&cert=path_to_cert&ca=path_to_ca&verify_mode=force_peer' code example: (examples/client_side_ssl) app = proc {|env| p env['puma.peercert']; [200, {}, ["hey"]] } events = SSLEvents.new($stdout, $stderr) server = Puma::Server.new(app, events) admin_context = Puma::MiniSSL::Context.new admin_context.key = KEY_PATH admin_context.cert = CERT_PATH admin_context.ca = CA_CERT_PATH admin_context.verify_mode = Puma::MiniSSL::VERIFY_PEER | Puma::MiniSSL::VERIFY_FAIL_IF_NO_PEER_CERT server.add_ssl_listener("0.0.0.0", ADMIN_PORT, admin_context) server.min_threads = MIN_THREADS server.max_threads = MAX_THREADS server.persistent_timeout = IDLE_TIMEOUT server.run.join additional credits: Andy Alness <andy.alness@gmail.com>
2015-01-13 23:11:26 -05:00
support TLS client auth (verify_mode) in jruby Adds support for `verify_mode` to configure client authentication when running under JRuby. Things to note: - Assumes the CA used to verify client certs is in the same java keystore file that is used when setting up the HTTPS TLS listener. We could split this out, but not sure if it's necessary. - Friendly/helpful error messages explaining why the verification failed are not present in the same way they are in the CRuby/OpenSSL code path. I'm not sure how to make them available. - I did not include any code to create the `keystore.jks` file in the `examples/puma/client-certs` directory because I didn't see any existing code to create the `examples/puma/keystore.jks` file. The commands to create this keystore would be: ``` cd examples/puma/client-certs openssl pkcs12 -chain -CAfile ./ca.crt -export -password pass:blahblah -inkey server.key -in server.crt -name server -out server.p12 keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -srcstorepass blahblah -destkeystore keystore.jks -deststoretype JKS -storepass blahblah keytool -importcert -alias ca -noprompt -trustcacerts -file ca.crt -keystore keystore.jks -storepass blahblah ```
2015-11-28 21:17:01 -05:00
sleep 0.1
assert_equal !!error, client_error
# The JRuby MiniSSL implementation lacks error capturing currently, so we can't inspect the
# messages here
unless defined?(JRUBY_VERSION)
ssl: Add Client Side Certificate Auth Add Client Side Certificate Auth feature and handling to puma's MiniSSL. Also exposes SSL errors to puma/apps. compatibility notes: MRI only shell example: puma -b 'ssl://127.0.0.1:9292?key=path_to_key&cert=path_to_cert&ca=path_to_ca&verify_mode=force_peer' code example: (examples/client_side_ssl) app = proc {|env| p env['puma.peercert']; [200, {}, ["hey"]] } events = SSLEvents.new($stdout, $stderr) server = Puma::Server.new(app, events) admin_context = Puma::MiniSSL::Context.new admin_context.key = KEY_PATH admin_context.cert = CERT_PATH admin_context.ca = CA_CERT_PATH admin_context.verify_mode = Puma::MiniSSL::VERIFY_PEER | Puma::MiniSSL::VERIFY_FAIL_IF_NO_PEER_CERT server.add_ssl_listener("0.0.0.0", ADMIN_PORT, admin_context) server.min_threads = MIN_THREADS server.max_threads = MAX_THREADS server.persistent_timeout = IDLE_TIMEOUT server.run.join additional credits: Andy Alness <andy.alness@gmail.com>
2015-01-13 23:11:26 -05:00
assert_match error, events.error.message if error
assert_equal @host, events.addr if error
assert_equal subject, events.cert.subject.to_s if subject
end
support TLS client auth (verify_mode) in jruby Adds support for `verify_mode` to configure client authentication when running under JRuby. Things to note: - Assumes the CA used to verify client certs is in the same java keystore file that is used when setting up the HTTPS TLS listener. We could split this out, but not sure if it's necessary. - Friendly/helpful error messages explaining why the verification failed are not present in the same way they are in the CRuby/OpenSSL code path. I'm not sure how to make them available. - I did not include any code to create the `keystore.jks` file in the `examples/puma/client-certs` directory because I didn't see any existing code to create the `examples/puma/keystore.jks` file. The commands to create this keystore would be: ``` cd examples/puma/client-certs openssl pkcs12 -chain -CAfile ./ca.crt -export -password pass:blahblah -inkey server.key -in server.crt -name server -out server.p12 keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -srcstorepass blahblah -destkeystore keystore.jks -deststoretype JKS -storepass blahblah keytool -importcert -alias ca -noprompt -trustcacerts -file ca.crt -keystore keystore.jks -storepass blahblah ```
2015-11-28 21:17:01 -05:00
ensure
@server.stop(true)
end
ssl: Add Client Side Certificate Auth Add Client Side Certificate Auth feature and handling to puma's MiniSSL. Also exposes SSL errors to puma/apps. compatibility notes: MRI only shell example: puma -b 'ssl://127.0.0.1:9292?key=path_to_key&cert=path_to_cert&ca=path_to_ca&verify_mode=force_peer' code example: (examples/client_side_ssl) app = proc {|env| p env['puma.peercert']; [200, {}, ["hey"]] } events = SSLEvents.new($stdout, $stderr) server = Puma::Server.new(app, events) admin_context = Puma::MiniSSL::Context.new admin_context.key = KEY_PATH admin_context.cert = CERT_PATH admin_context.ca = CA_CERT_PATH admin_context.verify_mode = Puma::MiniSSL::VERIFY_PEER | Puma::MiniSSL::VERIFY_FAIL_IF_NO_PEER_CERT server.add_ssl_listener("0.0.0.0", ADMIN_PORT, admin_context) server.min_threads = MIN_THREADS server.max_threads = MAX_THREADS server.persistent_timeout = IDLE_TIMEOUT server.run.join additional credits: Andy Alness <andy.alness@gmail.com>
2015-01-13 23:11:26 -05:00
support TLS client auth (verify_mode) in jruby Adds support for `verify_mode` to configure client authentication when running under JRuby. Things to note: - Assumes the CA used to verify client certs is in the same java keystore file that is used when setting up the HTTPS TLS listener. We could split this out, but not sure if it's necessary. - Friendly/helpful error messages explaining why the verification failed are not present in the same way they are in the CRuby/OpenSSL code path. I'm not sure how to make them available. - I did not include any code to create the `keystore.jks` file in the `examples/puma/client-certs` directory because I didn't see any existing code to create the `examples/puma/keystore.jks` file. The commands to create this keystore would be: ``` cd examples/puma/client-certs openssl pkcs12 -chain -CAfile ./ca.crt -export -password pass:blahblah -inkey server.key -in server.crt -name server -out server.p12 keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -srcstorepass blahblah -destkeystore keystore.jks -deststoretype JKS -storepass blahblah keytool -importcert -alias ca -noprompt -trustcacerts -file ca.crt -keystore keystore.jks -storepass blahblah ```
2015-11-28 21:17:01 -05:00
def test_verify_fail_if_no_client_cert
return if DISABLE_SSL
Disable SSL tests when SSL isn't used
2015-11-06 14:00:58 -05:00
support TLS client auth (verify_mode) in jruby Adds support for `verify_mode` to configure client authentication when running under JRuby. Things to note: - Assumes the CA used to verify client certs is in the same java keystore file that is used when setting up the HTTPS TLS listener. We could split this out, but not sure if it's necessary. - Friendly/helpful error messages explaining why the verification failed are not present in the same way they are in the CRuby/OpenSSL code path. I'm not sure how to make them available. - I did not include any code to create the `keystore.jks` file in the `examples/puma/client-certs` directory because I didn't see any existing code to create the `examples/puma/keystore.jks` file. The commands to create this keystore would be: ``` cd examples/puma/client-certs openssl pkcs12 -chain -CAfile ./ca.crt -export -password pass:blahblah -inkey server.key -in server.crt -name server -out server.p12 keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -srcstorepass blahblah -destkeystore keystore.jks -deststoretype JKS -storepass blahblah keytool -importcert -alias ca -noprompt -trustcacerts -file ca.crt -keystore keystore.jks -storepass blahblah ```
2015-11-28 21:17:01 -05:00
assert_ssl_client_error_match 'peer did not return a certificate' do |http|
# nothing
ssl: Add Client Side Certificate Auth Add Client Side Certificate Auth feature and handling to puma's MiniSSL. Also exposes SSL errors to puma/apps. compatibility notes: MRI only shell example: puma -b 'ssl://127.0.0.1:9292?key=path_to_key&cert=path_to_cert&ca=path_to_ca&verify_mode=force_peer' code example: (examples/client_side_ssl) app = proc {|env| p env['puma.peercert']; [200, {}, ["hey"]] } events = SSLEvents.new($stdout, $stderr) server = Puma::Server.new(app, events) admin_context = Puma::MiniSSL::Context.new admin_context.key = KEY_PATH admin_context.cert = CERT_PATH admin_context.ca = CA_CERT_PATH admin_context.verify_mode = Puma::MiniSSL::VERIFY_PEER | Puma::MiniSSL::VERIFY_FAIL_IF_NO_PEER_CERT server.add_ssl_listener("0.0.0.0", ADMIN_PORT, admin_context) server.min_threads = MIN_THREADS server.max_threads = MAX_THREADS server.persistent_timeout = IDLE_TIMEOUT server.run.join additional credits: Andy Alness <andy.alness@gmail.com>
2015-01-13 23:11:26 -05:00
end
support TLS client auth (verify_mode) in jruby Adds support for `verify_mode` to configure client authentication when running under JRuby. Things to note: - Assumes the CA used to verify client certs is in the same java keystore file that is used when setting up the HTTPS TLS listener. We could split this out, but not sure if it's necessary. - Friendly/helpful error messages explaining why the verification failed are not present in the same way they are in the CRuby/OpenSSL code path. I'm not sure how to make them available. - I did not include any code to create the `keystore.jks` file in the `examples/puma/client-certs` directory because I didn't see any existing code to create the `examples/puma/keystore.jks` file. The commands to create this keystore would be: ``` cd examples/puma/client-certs openssl pkcs12 -chain -CAfile ./ca.crt -export -password pass:blahblah -inkey server.key -in server.crt -name server -out server.p12 keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -srcstorepass blahblah -destkeystore keystore.jks -deststoretype JKS -storepass blahblah keytool -importcert -alias ca -noprompt -trustcacerts -file ca.crt -keystore keystore.jks -storepass blahblah ```
2015-11-28 21:17:01 -05:00
end
ssl: Add Client Side Certificate Auth Add Client Side Certificate Auth feature and handling to puma's MiniSSL. Also exposes SSL errors to puma/apps. compatibility notes: MRI only shell example: puma -b 'ssl://127.0.0.1:9292?key=path_to_key&cert=path_to_cert&ca=path_to_ca&verify_mode=force_peer' code example: (examples/client_side_ssl) app = proc {|env| p env['puma.peercert']; [200, {}, ["hey"]] } events = SSLEvents.new($stdout, $stderr) server = Puma::Server.new(app, events) admin_context = Puma::MiniSSL::Context.new admin_context.key = KEY_PATH admin_context.cert = CERT_PATH admin_context.ca = CA_CERT_PATH admin_context.verify_mode = Puma::MiniSSL::VERIFY_PEER | Puma::MiniSSL::VERIFY_FAIL_IF_NO_PEER_CERT server.add_ssl_listener("0.0.0.0", ADMIN_PORT, admin_context) server.min_threads = MIN_THREADS server.max_threads = MAX_THREADS server.persistent_timeout = IDLE_TIMEOUT server.run.join additional credits: Andy Alness <andy.alness@gmail.com>
2015-01-13 23:11:26 -05:00
support TLS client auth (verify_mode) in jruby Adds support for `verify_mode` to configure client authentication when running under JRuby. Things to note: - Assumes the CA used to verify client certs is in the same java keystore file that is used when setting up the HTTPS TLS listener. We could split this out, but not sure if it's necessary. - Friendly/helpful error messages explaining why the verification failed are not present in the same way they are in the CRuby/OpenSSL code path. I'm not sure how to make them available. - I did not include any code to create the `keystore.jks` file in the `examples/puma/client-certs` directory because I didn't see any existing code to create the `examples/puma/keystore.jks` file. The commands to create this keystore would be: ``` cd examples/puma/client-certs openssl pkcs12 -chain -CAfile ./ca.crt -export -password pass:blahblah -inkey server.key -in server.crt -name server -out server.p12 keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -srcstorepass blahblah -destkeystore keystore.jks -deststoretype JKS -storepass blahblah keytool -importcert -alias ca -noprompt -trustcacerts -file ca.crt -keystore keystore.jks -storepass blahblah ```
2015-11-28 21:17:01 -05:00
def test_verify_fail_if_client_unknown_ca
return if DISABLE_SSL
Disable SSL tests when SSL isn't used
2015-11-06 14:00:58 -05:00
support TLS client auth (verify_mode) in jruby Adds support for `verify_mode` to configure client authentication when running under JRuby. Things to note: - Assumes the CA used to verify client certs is in the same java keystore file that is used when setting up the HTTPS TLS listener. We could split this out, but not sure if it's necessary. - Friendly/helpful error messages explaining why the verification failed are not present in the same way they are in the CRuby/OpenSSL code path. I'm not sure how to make them available. - I did not include any code to create the `keystore.jks` file in the `examples/puma/client-certs` directory because I didn't see any existing code to create the `examples/puma/keystore.jks` file. The commands to create this keystore would be: ``` cd examples/puma/client-certs openssl pkcs12 -chain -CAfile ./ca.crt -export -password pass:blahblah -inkey server.key -in server.crt -name server -out server.p12 keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -srcstorepass blahblah -destkeystore keystore.jks -deststoretype JKS -storepass blahblah keytool -importcert -alias ca -noprompt -trustcacerts -file ca.crt -keystore keystore.jks -storepass blahblah ```
2015-11-28 21:17:01 -05:00
assert_ssl_client_error_match('self signed certificate in certificate chain', '/DC=net/DC=puma/CN=ca-unknown') do |http|
key = File.expand_path "../../examples/puma/client-certs/client_unknown.key", __FILE__
crt = File.expand_path "../../examples/puma/client-certs/client_unknown.crt", __FILE__
http.key = OpenSSL::PKey::RSA.new File.read(key)
http.cert = OpenSSL::X509::Certificate.new File.read(crt)
http.ca_file = File.expand_path "../../examples/puma/client-certs/unknown_ca.crt", __FILE__
ssl: Add Client Side Certificate Auth Add Client Side Certificate Auth feature and handling to puma's MiniSSL. Also exposes SSL errors to puma/apps. compatibility notes: MRI only shell example: puma -b 'ssl://127.0.0.1:9292?key=path_to_key&cert=path_to_cert&ca=path_to_ca&verify_mode=force_peer' code example: (examples/client_side_ssl) app = proc {|env| p env['puma.peercert']; [200, {}, ["hey"]] } events = SSLEvents.new($stdout, $stderr) server = Puma::Server.new(app, events) admin_context = Puma::MiniSSL::Context.new admin_context.key = KEY_PATH admin_context.cert = CERT_PATH admin_context.ca = CA_CERT_PATH admin_context.verify_mode = Puma::MiniSSL::VERIFY_PEER | Puma::MiniSSL::VERIFY_FAIL_IF_NO_PEER_CERT server.add_ssl_listener("0.0.0.0", ADMIN_PORT, admin_context) server.min_threads = MIN_THREADS server.max_threads = MAX_THREADS server.persistent_timeout = IDLE_TIMEOUT server.run.join additional credits: Andy Alness <andy.alness@gmail.com>
2015-01-13 23:11:26 -05:00
end
support TLS client auth (verify_mode) in jruby Adds support for `verify_mode` to configure client authentication when running under JRuby. Things to note: - Assumes the CA used to verify client certs is in the same java keystore file that is used when setting up the HTTPS TLS listener. We could split this out, but not sure if it's necessary. - Friendly/helpful error messages explaining why the verification failed are not present in the same way they are in the CRuby/OpenSSL code path. I'm not sure how to make them available. - I did not include any code to create the `keystore.jks` file in the `examples/puma/client-certs` directory because I didn't see any existing code to create the `examples/puma/keystore.jks` file. The commands to create this keystore would be: ``` cd examples/puma/client-certs openssl pkcs12 -chain -CAfile ./ca.crt -export -password pass:blahblah -inkey server.key -in server.crt -name server -out server.p12 keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -srcstorepass blahblah -destkeystore keystore.jks -deststoretype JKS -storepass blahblah keytool -importcert -alias ca -noprompt -trustcacerts -file ca.crt -keystore keystore.jks -storepass blahblah ```
2015-11-28 21:17:01 -05:00
end
ssl: Add Client Side Certificate Auth Add Client Side Certificate Auth feature and handling to puma's MiniSSL. Also exposes SSL errors to puma/apps. compatibility notes: MRI only shell example: puma -b 'ssl://127.0.0.1:9292?key=path_to_key&cert=path_to_cert&ca=path_to_ca&verify_mode=force_peer' code example: (examples/client_side_ssl) app = proc {|env| p env['puma.peercert']; [200, {}, ["hey"]] } events = SSLEvents.new($stdout, $stderr) server = Puma::Server.new(app, events) admin_context = Puma::MiniSSL::Context.new admin_context.key = KEY_PATH admin_context.cert = CERT_PATH admin_context.ca = CA_CERT_PATH admin_context.verify_mode = Puma::MiniSSL::VERIFY_PEER | Puma::MiniSSL::VERIFY_FAIL_IF_NO_PEER_CERT server.add_ssl_listener("0.0.0.0", ADMIN_PORT, admin_context) server.min_threads = MIN_THREADS server.max_threads = MAX_THREADS server.persistent_timeout = IDLE_TIMEOUT server.run.join additional credits: Andy Alness <andy.alness@gmail.com>
2015-01-13 23:11:26 -05:00
support TLS client auth (verify_mode) in jruby Adds support for `verify_mode` to configure client authentication when running under JRuby. Things to note: - Assumes the CA used to verify client certs is in the same java keystore file that is used when setting up the HTTPS TLS listener. We could split this out, but not sure if it's necessary. - Friendly/helpful error messages explaining why the verification failed are not present in the same way they are in the CRuby/OpenSSL code path. I'm not sure how to make them available. - I did not include any code to create the `keystore.jks` file in the `examples/puma/client-certs` directory because I didn't see any existing code to create the `examples/puma/keystore.jks` file. The commands to create this keystore would be: ``` cd examples/puma/client-certs openssl pkcs12 -chain -CAfile ./ca.crt -export -password pass:blahblah -inkey server.key -in server.crt -name server -out server.p12 keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -srcstorepass blahblah -destkeystore keystore.jks -deststoretype JKS -storepass blahblah keytool -importcert -alias ca -noprompt -trustcacerts -file ca.crt -keystore keystore.jks -storepass blahblah ```
2015-11-28 21:17:01 -05:00
def test_verify_fail_if_client_expired_cert
return if DISABLE_SSL
assert_ssl_client_error_match('certificate has expired', '/DC=net/DC=puma/CN=client-expired') do |http|
key = File.expand_path "../../examples/puma/client-certs/client_expired.key", __FILE__
crt = File.expand_path "../../examples/puma/client-certs/client_expired.crt", __FILE__
http.key = OpenSSL::PKey::RSA.new File.read(key)
http.cert = OpenSSL::X509::Certificate.new File.read(crt)
http.ca_file = File.expand_path "../../examples/puma/client-certs/ca.crt", __FILE__
ssl: Add Client Side Certificate Auth Add Client Side Certificate Auth feature and handling to puma's MiniSSL. Also exposes SSL errors to puma/apps. compatibility notes: MRI only shell example: puma -b 'ssl://127.0.0.1:9292?key=path_to_key&cert=path_to_cert&ca=path_to_ca&verify_mode=force_peer' code example: (examples/client_side_ssl) app = proc {|env| p env['puma.peercert']; [200, {}, ["hey"]] } events = SSLEvents.new($stdout, $stderr) server = Puma::Server.new(app, events) admin_context = Puma::MiniSSL::Context.new admin_context.key = KEY_PATH admin_context.cert = CERT_PATH admin_context.ca = CA_CERT_PATH admin_context.verify_mode = Puma::MiniSSL::VERIFY_PEER | Puma::MiniSSL::VERIFY_FAIL_IF_NO_PEER_CERT server.add_ssl_listener("0.0.0.0", ADMIN_PORT, admin_context) server.min_threads = MIN_THREADS server.max_threads = MAX_THREADS server.persistent_timeout = IDLE_TIMEOUT server.run.join additional credits: Andy Alness <andy.alness@gmail.com>
2015-01-13 23:11:26 -05:00
end
support TLS client auth (verify_mode) in jruby Adds support for `verify_mode` to configure client authentication when running under JRuby. Things to note: - Assumes the CA used to verify client certs is in the same java keystore file that is used when setting up the HTTPS TLS listener. We could split this out, but not sure if it's necessary. - Friendly/helpful error messages explaining why the verification failed are not present in the same way they are in the CRuby/OpenSSL code path. I'm not sure how to make them available. - I did not include any code to create the `keystore.jks` file in the `examples/puma/client-certs` directory because I didn't see any existing code to create the `examples/puma/keystore.jks` file. The commands to create this keystore would be: ``` cd examples/puma/client-certs openssl pkcs12 -chain -CAfile ./ca.crt -export -password pass:blahblah -inkey server.key -in server.crt -name server -out server.p12 keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -srcstorepass blahblah -destkeystore keystore.jks -deststoretype JKS -storepass blahblah keytool -importcert -alias ca -noprompt -trustcacerts -file ca.crt -keystore keystore.jks -storepass blahblah ```
2015-11-28 21:17:01 -05:00
end
ssl: Add Client Side Certificate Auth Add Client Side Certificate Auth feature and handling to puma's MiniSSL. Also exposes SSL errors to puma/apps. compatibility notes: MRI only shell example: puma -b 'ssl://127.0.0.1:9292?key=path_to_key&cert=path_to_cert&ca=path_to_ca&verify_mode=force_peer' code example: (examples/client_side_ssl) app = proc {|env| p env['puma.peercert']; [200, {}, ["hey"]] } events = SSLEvents.new($stdout, $stderr) server = Puma::Server.new(app, events) admin_context = Puma::MiniSSL::Context.new admin_context.key = KEY_PATH admin_context.cert = CERT_PATH admin_context.ca = CA_CERT_PATH admin_context.verify_mode = Puma::MiniSSL::VERIFY_PEER | Puma::MiniSSL::VERIFY_FAIL_IF_NO_PEER_CERT server.add_ssl_listener("0.0.0.0", ADMIN_PORT, admin_context) server.min_threads = MIN_THREADS server.max_threads = MAX_THREADS server.persistent_timeout = IDLE_TIMEOUT server.run.join additional credits: Andy Alness <andy.alness@gmail.com>
2015-01-13 23:11:26 -05:00
support TLS client auth (verify_mode) in jruby Adds support for `verify_mode` to configure client authentication when running under JRuby. Things to note: - Assumes the CA used to verify client certs is in the same java keystore file that is used when setting up the HTTPS TLS listener. We could split this out, but not sure if it's necessary. - Friendly/helpful error messages explaining why the verification failed are not present in the same way they are in the CRuby/OpenSSL code path. I'm not sure how to make them available. - I did not include any code to create the `keystore.jks` file in the `examples/puma/client-certs` directory because I didn't see any existing code to create the `examples/puma/keystore.jks` file. The commands to create this keystore would be: ``` cd examples/puma/client-certs openssl pkcs12 -chain -CAfile ./ca.crt -export -password pass:blahblah -inkey server.key -in server.crt -name server -out server.p12 keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -srcstorepass blahblah -destkeystore keystore.jks -deststoretype JKS -storepass blahblah keytool -importcert -alias ca -noprompt -trustcacerts -file ca.crt -keystore keystore.jks -storepass blahblah ```
2015-11-28 21:17:01 -05:00
def test_verify_client_cert
return if DISABLE_SSL
assert_ssl_client_error_match(nil) do |http|
key = File.expand_path "../../examples/puma/client-certs/client.key", __FILE__
crt = File.expand_path "../../examples/puma/client-certs/client.crt", __FILE__
http.key = OpenSSL::PKey::RSA.new File.read(key)
http.cert = OpenSSL::X509::Certificate.new File.read(crt)
http.ca_file = File.expand_path "../../examples/puma/client-certs/ca.crt", __FILE__
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
ssl: Add Client Side Certificate Auth Add Client Side Certificate Auth feature and handling to puma's MiniSSL. Also exposes SSL errors to puma/apps. compatibility notes: MRI only shell example: puma -b 'ssl://127.0.0.1:9292?key=path_to_key&cert=path_to_cert&ca=path_to_ca&verify_mode=force_peer' code example: (examples/client_side_ssl) app = proc {|env| p env['puma.peercert']; [200, {}, ["hey"]] } events = SSLEvents.new($stdout, $stderr) server = Puma::Server.new(app, events) admin_context = Puma::MiniSSL::Context.new admin_context.key = KEY_PATH admin_context.cert = CERT_PATH admin_context.ca = CA_CERT_PATH admin_context.verify_mode = Puma::MiniSSL::VERIFY_PEER | Puma::MiniSSL::VERIFY_FAIL_IF_NO_PEER_CERT server.add_ssl_listener("0.0.0.0", ADMIN_PORT, admin_context) server.min_threads = MIN_THREADS server.max_threads = MAX_THREADS server.persistent_timeout = IDLE_TIMEOUT server.run.join additional credits: Andy Alness <andy.alness@gmail.com>
2015-01-13 23:11:26 -05:00
end
end
end
Copy permalink