mirror of
https://github.com/puma/puma.git
synced 2022-11-09 13:48:40 -05:00
[jruby] enable TLSv1.3 support (#2886)
* [jruby] enable TLSv1.3 support * JRuby - TestPumaServerSSLClient - add IOError for macOS
parent
3c089fcaba
commit
acfc0859c4
3 changed files with 29 additions and 10 deletions
|
@ -226,13 +226,13 @@ public class MiniSSL extends RubyObject { // MiniSSL::Engine
|
|||
|
||||
String[] protocols;
|
||||
if (miniSSLContext.callMethod(context, "no_tlsv1").isTrue()) {
|
||||
protocols = new String[] { "TLSv1.1", "TLSv1.2" };
|
||||
protocols = new String[] { "TLSv1.1", "TLSv1.2", "TLSv1.3" };
|
||||
} else {
|
||||
protocols = new String[] { "TLSv1", "TLSv1.1", "TLSv1.2" };
|
||||
protocols = new String[] { "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3" };
|
||||
}
|
||||
|
||||
if (miniSSLContext.callMethod(context, "no_tlsv1_1").isTrue()) {
|
||||
protocols = new String[] { "TLSv1.2" };
|
||||
protocols = new String[] { "TLSv1.2", "TLSv1.3" };
|
||||
}
|
||||
|
||||
engine.setEnabledProtocols(protocols);
|
||||
|
|
|
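Review bot: `engine.setEnabledProtocols(protocols)` is now always handed `"TLSv1.3"`, and per the JSSE contract that call throws `IllegalArgumentException` when any named protocol is unsupported by the provider. On a JVM without TLS 1.3 (older Java 8 builds, for example) engine setup would therefore fail rather than fall back to TLS 1.2. Intersecting the chosen list with `engine.getSupportedProtocols()` before the call keeps the upgrade without that hard dependency. Separately, the default branch still enables `TLSv1` and `TLSv1.1`, which RFC 8996 deprecates; this predates the commit, but a comment pointing at `no_tlsv1` / `no_tlsv1_1` would help. The enclosing method starts and ends outside the hunk.

```java
// … unchanged: protocols chosen from no_tlsv1 / no_tlsv1_1 …
List<String> supported = Arrays.asList(engine.getSupportedProtocols());
List<String> enabled = new ArrayList<>(protocols.length);
for (String protocol : protocols) {
    if (supported.contains(protocol)) enabled.add(protocol);
}
engine.setEnabledProtocols(enabled.toArray(new String[0]));
```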
@ -13,9 +13,9 @@ module Puma
|
|||
# Define constant at runtime, as it's easy to determine at built time,
|
||||
# but Puma could (it shouldn't) be loaded with an older OpenSSL version
|
||||
# @version 5.0.0
|
||||
HAS_TLS1_3 = !IS_JRUBY &&
|
||||
(OPENSSL_VERSION[/ \d+\.\d+\.\d+/].split('.').map(&:to_i) <=> [1,1,1]) != -1 &&
|
||||
(OPENSSL_LIBRARY_VERSION[/ \d+\.\d+\.\d+/].split('.').map(&:to_i) <=> [1,1,1]) !=-1
|
||||
HAS_TLS1_3 = IS_JRUBY ||
|
||||
((OPENSSL_VERSION[/ \d+\.\d+\.\d+/].split('.').map(&:to_i) <=> [1,1,1]) != -1 &&
|
||||
(OPENSSL_LIBRARY_VERSION[/ \d+\.\d+\.\d+/].split('.').map(&:to_i) <=> [1,1,1]) !=-1)
|
||||
|
||||
class Socket
|
||||
def initialize(socket, engine)
|
||||
|
@ -50,7 +50,7 @@ module Puma
|
|||
# is made with TLSv1.3 as an available protocol
|
||||
# @version 5.0.0
|
||||
def bad_tlsv1_3?
|
||||
HAS_TLS1_3 && @engine.ssl_vers_st == ['TLSv1.3', 'SSLERR']
|
||||
HAS_TLS1_3 && ssl_version_state == ['TLSv1.3', 'SSLERR']
|
||||
end
|
||||
private :bad_tlsv1_3?
|
||||
|
||||
|
|
|
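Review bot: With `IS_JRUBY ||` in front, `HAS_TLS1_3` is true on every JRuby run whatever the JVM provides, while the comment above it still describes only the OpenSSL version probe. The comment should say so, e.g. `# On JRuby this is always true; TLSv1.3 then depends on the JVM's TLS provider`. In the second hunk, `bad_tlsv1_3?` now calls `ssl_version_state`, whose definition is outside the visible lines. Since this branch is now reachable on JRuby, it is worth confirming that the helper returns the same two-element array there.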
@ -193,6 +193,25 @@ class TestPumaServerSSL < Minitest::Test
|
|||
end
|
||||
end
|
||||
|
||||
def test_tls_v1_3
|
||||
skip("TLSv1.3 protocol can not be set") unless OpenSSL::SSL::SSLContext.instance_methods(false).include?(:min_version=)
|
||||
|
||||
start_server
|
||||
|
||||
@http.min_version = :TLS1_3
|
||||
|
||||
body = nil
|
||||
@http.start do
|
||||
req = Net::HTTP::Get.new '/'
|
||||
@http.request(req) do |rep|
|
||||
assert_equal 'OK', rep.message
|
||||
body = rep.body
|
||||
end
|
||||
end
|
||||
|
||||
assert_equal "https", body
|
||||
end
|
||||
|
||||
def test_http_rejection
|
||||
body_http = nil
|
||||
body_https = nil
|
||||
|
@ -316,8 +335,8 @@ class TestPumaServerSSLClient < Minitest::Test
|
|||
req = Net::HTTP::Get.new "/", {}
|
||||
http.request(req)
|
||||
end
|
||||
rescue OpenSSL::SSL::SSLError, EOFError, Errno::ECONNRESET => e
|
||||
# Errno::ECONNRESET TruffleRuby
|
||||
rescue OpenSSL::SSL::SSLError, EOFError, Errno::ECONNRESET, IOError => e
|
||||
# Errno::ECONNRESET TruffleRuby, IOError macOS JRuby
|
||||
client_error = e
|
||||
# closes socket if open, may not close on error
|
||||
http.send :do_finish
|
||||
|
@ -335,7 +354,7 @@ class TestPumaServerSSLClient < Minitest::Test
|
|||
end
|
||||
|
||||
def test_verify_fail_if_no_client_cert
|
||||
error = Puma.jruby? ? /Empty server certificate chain/ : 'peer did not return a certificate'
|
||||
error = Puma.jruby? ? /Empty client certificate chain/ : 'peer did not return a certificate'
|
||||
assert_ssl_client_error_match(error) do |http|
|
||||
# nothing
|
||||
end
|
||||
|
|
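Review bot: The skip guard in `test_tls_v1_3` only checks that `SSLContext` has `min_version=`, which shows the setter exists, not that TLS 1.3 is available. On a build where the setter is present but the linked OpenSSL predates 1.1.1, the test would presumably error instead of skip. Guarding on the library's own flag as well would keep the two in step, e.g. `skip("TLSv1.3 not available") unless Puma::MiniSSL::HAS_TLS1_3`, assuming that constant is reachable from this test file. In the `rescue` hunk further down, `EOFError` is already a subclass of `IOError`, so the list can drop it; a short comment on why rescuing the wider `IOError` is acceptable there would help.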