diff options
author | Jeremy Evans <code@jeremyevans.net> | 2022-01-04 11:32:11 -0800 |
---|---|---|
committer | Nobuyoshi Nakada <nobu@ruby-lang.org> | 2022-07-08 23:18:07 +0900 |
commit | 01025a0055bb5fe1a9a161e86cbd58c8fa2350ae (patch) | |
tree | e2d23502919eeb52767e30b67f411a16ebe7b0ad /test | |
parent | 58e7205c82ad07b949302589e89aad388519c01d (diff) | |
download | ruby-01025a0055bb5fe1a9a161e86cbd58c8fa2350ae.tar.gz |
[ruby/openssl] Skip optional wildcard SAN tests on LibreSSL 3.5.0+
RFC 6066 states how some wildcard SAN entries MAY be handled, but
it does not say they MUST be handled. LibreSSL 3.5.0 only handles
suffix wildcard SANs, not prefix wildcard SANs, or interior
wildcard SANs, so return early from the wildcard SAN tests on
LibreSSL 3.5.0.
Fixes #471
https://github.com/ruby/openssl/commit/717d7009d6
Diffstat (limited to 'test')
-rw-r--r-- | test/openssl/test_ssl.rb | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb index a7607da073..39964bf493 100644 --- a/test/openssl/test_ssl.rb +++ b/test/openssl/test_ssl.rb @@ -676,10 +676,16 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase # buzz.example.net, respectively). ... assert_equal(true, OpenSSL::SSL.verify_certificate_identity( create_cert_with_san('DNS:baz*.example.com'), 'baz1.example.com')) + + # LibreSSL 3.5.0+ doesn't support other wildcard certificates + # (it isn't required to, as RFC states MAY, not MUST) + return if libressl?(3, 5, 0) + assert_equal(true, OpenSSL::SSL.verify_certificate_identity( create_cert_with_san('DNS:*baz.example.com'), 'foobaz.example.com')) assert_equal(true, OpenSSL::SSL.verify_certificate_identity( create_cert_with_san('DNS:b*z.example.com'), 'buzz.example.com')) + # Section 6.4.3 of RFC6125 states that client should NOT match identifier # where wildcard is other than left-most label. # |