1
0
Fork 0
mirror of https://github.com/ruby/ruby.git synced 2022-11-09 12:17:21 -05:00

net/http, net/ftp: skip SSL/TLS session resumption tests

Due to a bug in OpenSSL 1.1.0h[1] (it's only in this specific version;
it was introduced just before the release and is already fixed in their
stable branch), the callback set by SSLContext#session_new_cb= does not
get called for clients, making net/http and net/ftp not attempt session
resumption.

Let's disable the affected test cases for now. Another option would be
to fallback to using SSLSocket#session as we did before r64234. But
since only a single version is affected and hopefully a new stable
version containing the fix will be released in near future, I chose not
to add such workaround code to lib/.

[1] https://github.com/openssl/openssl/pull/5967

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@64252 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
This commit is contained in:
rhe 2018-08-09 10:00:19 +00:00
parent 0ecd348cb5
commit 33dd5d6970
2 changed files with 20 additions and 0 deletions

View file

@ -1755,6 +1755,7 @@ EOF
server = TCPServer.new(SERVER_ADDR, 0)
port = server.addr[1]
commands = []
session_reused_for_data_connection = nil
binary_data = (0..0xff).map {|i| i.chr}.join * 4 * 3
@thread = Thread.start do
sock = server.accept
@ -1793,6 +1794,7 @@ EOF
conn = OpenSSL::SSL::SSLSocket.new(conn, ctx)
conn.sync_close = true
conn.accept
session_reused_for_data_connection = conn.session_reused?
binary_data.scan(/.{1,1024}/nm) do |s|
conn.print(s)
end
@ -1823,6 +1825,11 @@ EOF
assert_match(/\A(PORT|EPRT) /, commands.shift)
assert_equal("RETR foo\r\n", commands.shift)
assert_equal(nil, commands.shift)
# FIXME: The new_session_cb is known broken for clients in OpenSSL 1.1.0h.
# See https://github.com/openssl/openssl/pull/5967 for details.
if OpenSSL::OPENSSL_LIBRARY_VERSION !~ /OpenSSL 1.1.0h/
assert_equal(true, session_reused_for_data_connection)
end
ensure
ftp.close
end
@ -1832,6 +1839,7 @@ EOF
server = TCPServer.new(SERVER_ADDR, 0)
port = server.addr[1]
commands = []
session_reused_for_data_connection = nil
binary_data = (0..0xff).map {|i| i.chr}.join * 4 * 3
@thread = Thread.start do
sock = server.accept
@ -1869,6 +1877,7 @@ EOF
conn = OpenSSL::SSL::SSLSocket.new(conn, ctx)
conn.sync_close = true
conn.accept
session_reused_for_data_connection = conn.session_reused?
binary_data.scan(/.{1,1024}/nm) do |s|
conn.print(s)
end
@ -1900,6 +1909,10 @@ EOF
assert_match(/\A(PASV|EPSV)\r\n/, commands.shift)
assert_equal("RETR foo\r\n", commands.shift)
assert_equal(nil, commands.shift)
# FIXME: The new_session_cb is known broken for clients in OpenSSL 1.1.0h.
if OpenSSL::OPENSSL_LIBRARY_VERSION !~ /OpenSSL 1.1.0h/
assert_equal(true, session_reused_for_data_connection)
end
ensure
ftp.close
end

View file

@ -63,6 +63,10 @@ class TestNetHTTPS < Test::Unit::TestCase
end
def test_session_reuse
# FIXME: The new_session_cb is known broken for clients in OpenSSL 1.1.0h.
# See https://github.com/openssl/openssl/pull/5967 for details.
skip if OpenSSL::OPENSSL_LIBRARY_VERSION =~ /OpenSSL 1.1.0h/
http = Net::HTTP.new("localhost", config("port"))
http.use_ssl = true
http.cert_store = TEST_STORE
@ -83,6 +87,9 @@ class TestNetHTTPS < Test::Unit::TestCase
end
def test_session_reuse_but_expire
# FIXME: The new_session_cb is known broken for clients in OpenSSL 1.1.0h.
skip if OpenSSL::OPENSSL_LIBRARY_VERSION =~ /OpenSSL 1.1.0h/
http = Net::HTTP.new("localhost", config("port"))
http.use_ssl = true
http.cert_store = TEST_STORE