kotovalexarian-likes-github/ruby--ruby
1
0
Fork 0
mirror of https://github.com/ruby/ruby.git synced 2022-11-09 12:17:21 -05:00
Code Releases Activity

[ruby/openssl] Skip optional wildcard SAN tests on LibreSSL 3.5.0+

Browse source 
RFC 6066 states how some wildcard SAN entries MAY be handled, but
it does not say they MUST be handled.  LibreSSL 3.5.0 only handles
suffix wildcard SANs, not prefix wildcard SANs, or interior
wildcard SANs, so return early from the wildcard SAN tests on
LibreSSL 3.5.0.

Fixes #471

717d7009d6
This commit is contained in:
Jeremy Evans 2022-01-04 11:32:11 -08:00 committed by Nobuyoshi Nakada
parent 58e7205c82
commit 01025a0055
1 changed files with 6 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

6
test/openssl/test_ssl.rb
View file

@ -676,10 +676,16 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
# buzz.example.net, respectively). ...
assert_equal(true, OpenSSL::SSL.verify_certificate_identity(
create_cert_with_san('DNS:baz*.example.com'), 'baz1.example.com'))
# LibreSSL 3.5.0+ doesn't support other wildcard certificates
# (it isn't required to, as RFC states MAY, not MUST)
return if libressl?(3, 5, 0)
assert_equal(true, OpenSSL::SSL.verify_certificate_identity(
create_cert_with_san('DNS:*baz.example.com'), 'foobaz.example.com'))
assert_equal(true, OpenSSL::SSL.verify_certificate_identity(
create_cert_with_san('DNS:b*z.example.com'), 'buzz.example.com'))
# Section 6.4.3 of RFC6125 states that client should NOT match identifier
# where wildcard is other than left-most label.
#