diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb index c6544cc687..1063865f27 100644 --- a/test/openssl/test_ssl.rb +++ b/test/openssl/test_ssl.rb @@ -230,6 +230,34 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase end end + def test_extra_chain_cert_auto_chain + start_server { |port| + server_connect(port) { |ssl| + ssl.puts "abc"; assert_equal "abc\n", ssl.gets + assert_equal @svr_cert.to_der, ssl.peer_cert.to_der + assert_equal [@svr_cert], ssl.peer_cert_chain + } + } + + # AWS-LC enables SSL_MODE_NO_AUTO_CHAIN by default + unless aws_lc? + ctx_proc = -> ctx { + # Sanity check: start_server won't set extra_chain_cert + assert_nil ctx.extra_chain_cert + ctx.cert_store = OpenSSL::X509::Store.new.tap { |store| + store.add_cert(@ca_cert) + } + } + start_server(ctx_proc: ctx_proc) { |port| + server_connect(port) { |ssl| + ssl.puts "abc"; assert_equal "abc\n", ssl.gets + assert_equal @svr_cert.to_der, ssl.peer_cert.to_der + assert_equal [@svr_cert, @ca_cert], ssl.peer_cert_chain + } + } + end + end + def test_sysread_and_syswrite start_server { |port| server_connect(port) { |ssl| @@ -396,11 +424,15 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase def test_client_auth_success vflag = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT - start_server(verify_mode: vflag, - ctx_proc: proc { |ctx| - # LibreSSL doesn't support client_cert_cb in TLS 1.3 - ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION if libressl? - }) { |port| + ctx_proc = proc { |ctx| + store = OpenSSL::X509::Store.new + store.add_cert(@ca_cert) + store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT + ctx.cert_store = store + # LibreSSL doesn't support client_cert_cb in TLS 1.3 + ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION if libressl? + } + start_server(verify_mode: vflag, ctx_proc: ctx_proc) { |port| ctx = OpenSSL::SSL::SSLContext.new ctx.key = @cli_key ctx.cert = @cli_cert @@ -445,6 +477,10 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase pend "LibreSSL doesn't support certificate_authorities" if libressl? ctx_proc = Proc.new do |ctx| + store = OpenSSL::X509::Store.new + store.add_cert(@ca_cert) + store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT + ctx.cert_store = store ctx.client_ca = [@ca_cert] end @@ -510,7 +546,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase ssl.sync_close = true begin assert_raise(OpenSSL::SSL::SSLError){ ssl.connect } - assert_equal(OpenSSL::X509::V_ERR_SELF_SIGNED_CERT_IN_CHAIN, ssl.verify_result) + assert_equal(OpenSSL::X509::V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, ssl.verify_result) ensure ssl.close end @@ -1162,9 +1198,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase start_server(ignore_listener_error: true) { |port| ctx = OpenSSL::SSL::SSLContext.new ctx.set_params - # OpenSSL <= 1.1.0: "self signed certificate in certificate chain" - # OpenSSL >= 3.0.0: "self-signed certificate in certificate chain" - assert_raise_with_message(OpenSSL::SSL::SSLError, /self.signed/) { + assert_raise_with_message(OpenSSL::SSL::SSLError, /unable to get local issuer certificate/) { server_connect(port, ctx) } } diff --git a/test/openssl/utils.rb b/test/openssl/utils.rb index 220edce292..e0c085b53b 100644 --- a/test/openssl/utils.rb +++ b/test/openssl/utils.rb @@ -201,11 +201,7 @@ class OpenSSL::SSLTestCase < OpenSSL::TestCase accept_proc: proc{}, ignore_listener_error: false, &block) IO.pipe {|stop_pipe_r, stop_pipe_w| - store = OpenSSL::X509::Store.new - store.add_cert(@ca_cert) - store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT ctx = OpenSSL::SSL::SSLContext.new - ctx.cert_store = store ctx.cert = @svr_cert ctx.key = @svr_key ctx.verify_mode = verify_mode