
[jruby] enable TLSv1.3 support (#2886)

* [jruby] enable TLSv1.3 support

* JRuby - TestPumaServerSSLClient - add IOError for macOS
Karol Bucek 2022-05-31 01:36:37 +02:00 committed by GitHub
parent 3c089fcaba
commit acfc0859c4
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 29 additions and 10 deletions


@ -226,13 +226,13 @@ public class MiniSSL extends RubyObject { // MiniSSL::Engine
String[] protocols;
if (miniSSLContext.callMethod(context, "no_tlsv1").isTrue()) {
protocols = new String[] { "TLSv1.1", "TLSv1.2" };
protocols = new String[] { "TLSv1.1", "TLSv1.2", "TLSv1.3" };
} else {
protocols = new String[] { "TLSv1", "TLSv1.1", "TLSv1.2" };
protocols = new String[] { "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3" };
}
if (miniSSLContext.callMethod(context, "no_tlsv1_1").isTrue()) {
protocols = new String[] { "TLSv1.2" };
protocols = new String[] { "TLSv1.2", "TLSv1.3" };
}
engine.setEnabledProtocols(protocols);
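Review bot: The new arrays hand "TLSv1.3" to engine.setEnabledProtocols unconditionally, and that method throws IllegalArgumentException for any protocol name the engine does not support, so on a JVM whose SSLEngine has no TLS 1.3 (older Java 8 builds, if I recall correctly) every connection would fail instead of falling back to TLSv1.2. Filtering the chosen list against what the engine reports before the call keeps the new default safe, e.g. `List<String> supported = Arrays.asList(engine.getSupportedProtocols());` followed by `protocols = Arrays.stream(protocols).filter(supported::contains).toArray(String[]::new);` immediately above the existing setEnabledProtocols line (this needs java.util imports and assumes Java 8+ streams, which I cannot confirm from the hunk). If that is out of scope, a comment above `String[] protocols;` stating the JVM requirement for TLSv1.3 would at least make the assumption explicit. The enclosing method begins outside this hunk.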


@ -13,9 +13,9 @@ module Puma
# Define constant at runtime, as it's easy to determine at built time,
# but Puma could (it shouldn't) be loaded with an older OpenSSL version
# @version 5.0.0
HAS_TLS1_3 = !IS_JRUBY &&
(OPENSSL_VERSION[/ \d+\.\d+\.\d+/].split('.').map(&:to_i) <=> [1,1,1]) != -1 &&
(OPENSSL_LIBRARY_VERSION[/ \d+\.\d+\.\d+/].split('.').map(&:to_i) <=> [1,1,1]) !=-1
HAS_TLS1_3 = IS_JRUBY ||
((OPENSSL_VERSION[/ \d+\.\d+\.\d+/].split('.').map(&:to_i) <=> [1,1,1]) != -1 &&
(OPENSSL_LIBRARY_VERSION[/ \d+\.\d+\.\d+/].split('.').map(&:to_i) <=> [1,1,1]) !=-1)
class Socket
def initialize(socket, engine)
@ -50,7 +50,7 @@ module Puma
# is made with TLSv1.3 as an available protocol
# @version 5.0.0
def bad_tlsv1_3?
HAS_TLS1_3 && @engine.ssl_vers_st == ['TLSv1.3', 'SSLERR']
HAS_TLS1_3 && ssl_version_state == ['TLSv1.3', 'SSLERR']
end
private :bad_tlsv1_3?
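Review bot: In the first hunk HAS_TLS1_3 is now unconditionally true on JRuby, yet the comment directly above it still explains the value purely in terms of the OpenSSL version, so a reader will not learn that on JRuby TLSv1.3 availability is assumed rather than detected. Suggest extending that comment with a line such as `# On JRuby TLSv1.3 is assumed available; the enabled protocol set is chosen by the Java engine, not OpenSSL`. In the second hunk, bad_tlsv1_3? switches from @engine.ssl_vers_st to ssl_version_state, which is not defined anywhere in this section; a brief comment naming where that helper lives would help, since the rest of the Socket class is outside the view here.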


@ -193,6 +193,25 @@ class TestPumaServerSSL < Minitest::Test
end
end
def test_tls_v1_3
skip("TLSv1.3 protocol can not be set") unless OpenSSL::SSL::SSLContext.instance_methods(false).include?(:min_version=)
start_server
@http.min_version = :TLS1_3
body = nil
@http.start do
req = Net::HTTP::Get.new '/'
@http.request(req) do |rep|
assert_equal 'OK', rep.message
body = rep.body
end
end
assert_equal "https", body
end
def test_http_rejection
body_http = nil
body_https = nil
@ -316,8 +335,8 @@ class TestPumaServerSSLClient < Minitest::Test
req = Net::HTTP::Get.new "/", {}
http.request(req)
end
rescue OpenSSL::SSL::SSLError, EOFError, Errno::ECONNRESET => e
# Errno::ECONNRESET TruffleRuby
rescue OpenSSL::SSL::SSLError, EOFError, Errno::ECONNRESET, IOError => e
# Errno::ECONNRESET TruffleRuby, IOError macOS JRuby
client_error = e
# closes socket if open, may not close on error
http.send :do_finish
@ -335,7 +354,7 @@ class TestPumaServerSSLClient < Minitest::Test
end
def test_verify_fail_if_no_client_cert
error = Puma.jruby? ? /Empty server certificate chain/ : 'peer did not return a certificate'
error = Puma.jruby? ? /Empty client certificate chain/ : 'peer did not return a certificate'
assert_ssl_client_error_match(error) do |http|
# nothing
end
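Review bot: In the first hunk, test_tls_v1_3 skips only when min_version= is absent, but `@http.min_version = :TLS1_3` also requires an OpenSSL build that knows TLS 1.3, so with a client Ruby linked against an older OpenSSL the test would error rather than skip. The library already computes that condition in the HAS_TLS1_3 constant changed elsewhere in this commit; adding `skip("TLSv1.3 not available") unless Puma::MiniSSL::HAS_TLS1_3` next to the existing skip line would keep the guard aligned with the code under test, assuming the constant is reachable from this file. A one-line comment noting that the test depends on the server now enabling TLSv1.3 by default would also help the next reader understand why it was added with this change.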