[ruby/openssl] ssl: fix misuse of assert_handshake_error in tests

assert_handshake_error is useful for checking handshake failures
triggered by the peer, as the underlying socket may be closed
prematurely, leading to different exceptions depending on the platform
and timing.

However, when the local end aborts a handshake, the only possible
exception is OpenSSL::SSL::SSLError. Use stricter assertions in such
cases.

https://github.com/ruby/openssl/commit/637ba65818
Kazuki Yamaguchi 2025-02-06 23:51:44 +09:00 committed by git
parent 5791c93f8e
commit 64a98decf2


@ -1111,7 +1111,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
ssl.connect
ssl.puts "abc"; assert_equal "abc\n", ssl.gets
else
assert_handshake_error { ssl.connect }
assert_raise(OpenSSL::SSL::SSLError) { ssl.connect }
end
ensure
ssl.close if ssl
@ -1149,7 +1149,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
sock = TCPSocket.new("127.0.0.1", port)
ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
ssl.hostname = "b.example.com"
assert_handshake_error { ssl.connect }
assert_raise(OpenSSL::SSL::SSLError) { ssl.connect }
assert_equal false, verify_callback_ok
assert_equal OpenSSL::X509::V_ERR_HOSTNAME_MISMATCH, verify_callback_err
ensure
@ -1250,7 +1250,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
start_server(ctx_proc: ctx_proc, ignore_listener_error: true) { |port|
ctx = OpenSSL::SSL::SSLContext.new
ctx.set_params(cert_store: store, verify_hostname: false)
assert_handshake_error { server_connect(port, ctx) { } }
assert_raise(OpenSSL::SSL::SSLError) { server_connect(port, ctx) }
}
end
end
@ -1283,7 +1283,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
ssl.puts "abc"; assert_equal "abc\n", ssl.gets
}
else
assert_handshake_error { server_connect(port, ctx1) { } }
assert_raise(OpenSSL::SSL::SSLError) { server_connect(port, ctx1) }
end
# There is no version-specific SSL methods for TLS 1.3
@ -1297,7 +1297,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
ssl.puts "abc"; assert_equal "abc\n", ssl.gets
}
else
assert_handshake_error { server_connect(port, ctx2) { } }
assert_raise(OpenSSL::SSL::SSLError) { server_connect(port, ctx2) }
end
end
end
@ -1338,7 +1338,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
ssl.puts "abc"; assert_equal "abc\n", ssl.gets
}
else
assert_handshake_error { server_connect(port, ctx2) { } }
assert_raise(OpenSSL::SSL::SSLError) { server_connect(port, ctx2) }
end
end
}
@ -1357,7 +1357,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
ssl.puts "abc"; assert_equal "abc\n", ssl.gets
}
else
assert_handshake_error { server_connect(port, ctx1) { } }
assert_raise(OpenSSL::SSL::SSLError) { server_connect(port, ctx1) }
end
# Client sets max_version
@ -1489,7 +1489,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
# Client only supports TLS 1.2
ctx1 = OpenSSL::SSL::SSLContext.new
ctx1.min_version = ctx1.max_version = OpenSSL::SSL::TLS1_2_VERSION
assert_handshake_error { server_connect(port, ctx1) { } }
assert_raise(OpenSSL::SSL::SSLError) { server_connect(port, ctx1) }
# Client only supports TLS 1.3
ctx2 = OpenSSL::SSL::SSLContext.new
@ -1505,7 +1505,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
# Client doesn't support TLS 1.2
ctx1 = OpenSSL::SSL::SSLContext.new
ctx1.options |= OpenSSL::SSL::OP_NO_TLSv1_2
assert_handshake_error { server_connect(port, ctx1) { } }
assert_raise(OpenSSL::SSL::SSLError) { server_connect(port, ctx1) }
# Client supports TLS 1.2 by default
ctx2 = OpenSSL::SSL::SSLContext.new
@ -1654,7 +1654,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
ctx = OpenSSL::SSL::SSLContext.new
ctx.max_version = :TLS1_2
ctx.npn_select_cb = -> (protocols) { "a" * 256 }
assert_handshake_error { server_connect(port, ctx) }
assert_raise(OpenSSL::SSL::SSLError) { server_connect(port, ctx) }
}
end
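Review bot: The new `assert_raise(OpenSSL::SSL::SSLError) { ... }` calls pin the exception class but not the reason, so the version-negotiation cases (the `min_version`/`max_version` and `OP_NO_TLSv1_2` hunks) and the `npn_select_cb` case would still pass if the handshake failed for an unrelated reason, such as a certificate-verification error from a misconfigured fixture. Only the hostname hunk also checks the cause, via `verify_callback_err`. Where the error text is stable enough across the supported OpenSSL/LibreSSL builds, consider keeping the returned exception and checking it, e.g. `e = assert_raise(OpenSSL::SSL::SSLError) { server_connect(port, ctx1) }` followed by `assert_match(/<expected reason>/, e.message)`. Separately, most call sites drop the empty `{ }` block that was passed to `server_connect`; the helper is not shown on this page, so confirm it still closes the socket when no block is given and `connect` raises.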