1
0
Fork 0
mirror of https://github.com/ruby/ruby.git synced 2022-11-09 12:17:21 -05:00

webrick: fix SNI support

* lib/webrick/https.rb: check ssl context of virtual host.
* lib/webrick/ssl.rb: ensure to return ssl context.
* test/webrick/test_https.rb: test returned cert is correct.
  [Feature #13729][ruby-dev:50173]

Author: Tietew <tietew@gmail.com>

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@59351 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
This commit is contained in:
normal 2017-07-18 01:59:28 +00:00
parent 23e9a4ec16
commit a6c13d08d7
3 changed files with 82 additions and 35 deletions

View file

@ -131,5 +131,22 @@ module WEBrick
server = lookup_server(req)
server ? server.ssl_context : nil
end
# :stopdoc:
##
# Check whether +server+ is also SSL server.
# Also +server+'s SSL context will be created.
alias orig_virtual_host virtual_host
def virtual_host(server)
if @config[:SSLEnable] && !server.ssl_context
raise ArgumentError, "virtual host must set SSLEnable to true"
end
orig_virtual_host(server)
end
# :startdoc:
end
end

View file

@ -147,7 +147,13 @@ module WEBrick
# SSL context for the server when run in SSL mode
def ssl_context # :nodoc:
@ssl_context ||= nil
@ssl_context ||= begin
if @config[:SSLEnable]
ssl_context = setup_ssl_context(@config)
@logger.info("\n" + @config[:SSLCertificate].to_text)
ssl_context
end
end
end
undef listen
@ -158,10 +164,6 @@ module WEBrick
def listen(address, port) # :nodoc:
listeners = Utils::create_listeners(address, port)
if @config[:SSLEnable]
unless ssl_context
@ssl_context = setup_ssl_context(@config)
@logger.info("\n" + @config[:SSLCertificate].to_text)
end
listeners.collect!{|svr|
ssvr = ::OpenSSL::SSL::SSLServer.new(svr, ssl_context)
ssvr.start_immediately = @config[:SSLStartImmediately]

View file

@ -28,57 +28,85 @@ class TestWEBrickHTTPS < Test::Unit::TestCase
super
end
def https_get(addr, port, hostname, path)
def https_get(addr, port, hostname, path, verifyname = nil)
subject = nil
http = HTTPSNITest.new(addr, port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
http.verify_callback = proc { |x, store| subject = store.chain[0].subject.to_s; x }
http.sni_hostname = hostname
req = Net::HTTP::Get.new(path)
req["Host"] = "#{hostname}:#{port}"
http.request(req).body
response = http.start { http.request(req).body }
assert_equal("/CN=#{verifyname || hostname}", subject)
response
end
def test_sni
config = {
:ServerName => "localhost",
:SSLEnable => true,
:SSLCertName => "/CN=locahost",
:SSLCertName => "/CN=localhost",
}
TestWEBrick.start_httpserver(config){|server, addr, port, log|
server.mount_proc("/") {|req, res| res.body = "master" }
vhost_config1 = {
:ServerName => "vhost1",
:Port => port,
:DoNotListen => true,
:Logger => NoLog,
:AccessLog => [],
:SSLEnable => true,
:SSLCertName => "/CN=vhost1",
}
vhost1 = WEBrick::HTTPServer.new(vhost_config1)
vhost1.mount_proc("/") {|req, res| res.body = "vhost1" }
server.virtual_host(vhost1)
# catch stderr in create_self_signed_cert
stderr_buffer = StringIO.new
old_stderr, $stderr = $stderr, stderr_buffer
vhost_config2 = {
:ServerName => "vhost2",
:ServerAlias => ["vhost2alias"],
:Port => port,
:DoNotListen => true,
:Logger => NoLog,
:AccessLog => [],
:SSLEnable => true,
:SSLCertName => "/CN=vhost2",
}
vhost2 = WEBrick::HTTPServer.new(vhost_config2)
vhost2.mount_proc("/") {|req, res| res.body = "vhost2" }
server.virtual_host(vhost2)
begin
vhost_config1 = {
:ServerName => "vhost1",
:Port => port,
:DoNotListen => true,
:Logger => NoLog,
:AccessLog => [],
:SSLEnable => true,
:SSLCertName => "/CN=vhost1",
}
vhost1 = WEBrick::HTTPServer.new(vhost_config1)
vhost1.mount_proc("/") {|req, res| res.body = "vhost1" }
server.virtual_host(vhost1)
vhost_config2 = {
:ServerName => "vhost2",
:ServerAlias => ["vhost2alias"],
:Port => port,
:DoNotListen => true,
:Logger => NoLog,
:AccessLog => [],
:SSLEnable => true,
:SSLCertName => "/CN=vhost2",
}
vhost2 = WEBrick::HTTPServer.new(vhost_config2)
vhost2.mount_proc("/") {|req, res| res.body = "vhost2" }
server.virtual_host(vhost2)
ensure
# restore stderr
$stderr = old_stderr
end
assert_match(/\A([.+*]+\n)+\z/, stderr_buffer.string)
assert_equal("master", https_get(addr, port, "localhost", "/localhost"))
assert_equal("master", https_get(addr, port, "unknown", "/unknown"))
assert_equal("master", https_get(addr, port, "unknown", "/unknown", "localhost"))
assert_equal("vhost1", https_get(addr, port, "vhost1", "/vhost1"))
assert_equal("vhost2", https_get(addr, port, "vhost2", "/vhost2"))
assert_equal("vhost2", https_get(addr, port, "vhost2alias", "/vhost2alias"))
assert_equal("vhost2", https_get(addr, port, "vhost2alias", "/vhost2alias", "vhost2"))
}
end
def test_check_ssl_virtual
config = {
:ServerName => "localhost",
:SSLEnable => true,
:SSLCertName => "/CN=localhost",
}
TestWEBrick.start_httpserver(config){|server, addr, port, log|
assert_raise ArgumentError do
vhost = WEBrick::HTTPServer.new({:DoNotListen => true, :Logger => NoLog})
server.virtual_host(vhost)
end
}
end
end