From 57a57e6e561cb7c350dc1953c44cbe65cf4f214c Mon Sep 17 00:00:00 2001
From: Kazuki Yamaguchi
Date: Sat, 18 Jul 2020 16:45:01 +0900
Subject: [PATCH] [ruby/openssl] test/openssl/test_ssl: revise a test case for client_cert_cb
The current test_client_auth_public_key test case checks that supplying a PKey containing only public components through client_cert_cb will cause handshake to fail. While this is a correct behavior as a whole, the assertions are misleading in the sense that giving a public key is causing the failure. Actually, the handshake fails because a client certificate is not supplied at all, as a result of ArgumentError that is silently ignored. Rename the test case to test_client_cert_cb_ignore_error and simplify it to clarify what it is testing.
https://github.com/ruby/openssl/commit/785b5569fc
---
test/openssl/test_ssl.rb | 16 ++++++----------
1 file changed, 6 insertions(+), 10 deletions(-)
diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb
index b4619de259..1d3cdf90d6 100644
--- a/test/openssl/test_ssl.rb
+++ b/test/openssl/test_ssl.rb
@@ -282,20 +282,16 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase } end - def test_client_auth_public_key + def test_client_cert_cb_ignore_error vflag = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT start_server(verify_mode: vflag, ignore_listener_error: true) do |port| - assert_raise(ArgumentError) { - ctx = OpenSSL::SSL::SSLContext.new - ctx.key = @cli_key.public_key - ctx.cert = @cli_cert - server_connect(port, ctx) { |ssl| ssl.puts("abc"); ssl.gets } - } - ctx = OpenSSL::SSL::SSLContext.new - ctx.client_cert_cb = Proc.new{ |ssl| - [@cli_cert, @cli_key.public_key] + ctx.client_cert_cb = -> ssl { + raise "exception in client_cert_cb must be suppressed" } + # 1. Exception in client_cert_cb is suppressed + # 2. No client certificate will be sent to the server + # 3. SSL_VERIFY_FAIL_IF_NO_PEER_CERT causes the handshake to fail assert_handshake_error { server_connect(port, ctx) { |ssl| ssl.puts("abc"); ssl.gets } }
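Review bot: Nothing in the new test shows that `client_cert_cb` was actually invoked, so `assert_handshake_error` would still pass if the callback were never called, because the server's `VERIFY_FAIL_IF_NO_PEER_CERT` rejects any connection that arrives without a certificate. Setting a flag in the lambda (`called = false` before it, `called = true` as its first statement) and adding `assert_equal(true, called)` after the `assert_handshake_error` block would tie the failure to the suppressed exception rather than to a skipped callback. The three-step comment could also state the consequence it implies: a raising callback silently downgrades the client to sending no certificate, and per steps 2 and 3 only a server that demands a peer certificate turns that into a failed handshake. The removed `assert_raise(ArgumentError)` block covered assigning a public-only key through `ctx.key`; if no other test exercises that path, that coverage is lost here. The method's closing `end` lines lie outside the hunk.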