@@ -81,7 +81,7 @@ def test_add_certificate_multiple_certs
8181 add0_chain_supported = openssl? ( 1 , 0 , 2 )
8282
8383 if add0_chain_supported
84- ca2_key = Fixtures . pkey ( "rsa1024" )
84+ ca2_key = @ca_key
8585 ca2_exts = [
8686 [ "basicConstraints" , "CA:TRUE" , true ] ,
8787 [ "keyUsage" , "cRLSign, keyCertSign" , true ] ,
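Review bot: Replacing the dedicated `rsa1024` fixture with `@ca_key` on the changed line means the second CA in the chain now signs with the same private key as the root CA, and nothing in the hunk records why. If the motivation is that a 1024-bit RSA key is rejected at the default security level of newer OpenSSL builds, say so where the change is made, e.g. `ca2_key = @ca_key # reuse the fixture CA key; a separate 1024-bit key is rejected at modern default security levels`, so a later reader does not assume the two CAs were meant to be cryptographically independent. Whether any assertion later in the test depends on ca2 having a distinct key is not visible here and is worth confirming. test_add_certificate_multiple_certs continues outside the hunk.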
@@ -871,44 +871,6 @@ def test_unset_OP_ALL
871871 }
872872 end
873873
874- def check_supported_protocol_versions
875- possible_versions = [
876- OpenSSL ::SSL ::SSL3_VERSION ,
877- OpenSSL ::SSL ::TLS1_VERSION ,
878- OpenSSL ::SSL ::TLS1_1_VERSION ,
879- OpenSSL ::SSL ::TLS1_2_VERSION ,
880- # OpenSSL 1.1.1
881- defined? ( OpenSSL ::SSL ::TLS1_3_VERSION ) && OpenSSL ::SSL ::TLS1_3_VERSION ,
882- ] . compact
883-
884- # Prepare for testing & do sanity check
885- supported = [ ]
886- possible_versions . each do |ver |
887- catch ( :unsupported ) {
888- ctx_proc = proc { |ctx |
889- begin
890- ctx . min_version = ctx . max_version = ver
891- rescue ArgumentError , OpenSSL ::SSL ::SSLError
892- throw :unsupported
893- end
894- }
895- start_server ( ctx_proc : ctx_proc , ignore_listener_error : true ) do |port |
896- begin
897- server_connect ( port ) { |ssl |
898- ssl . puts "abc" ; assert_equal "abc\n " , ssl . gets
899- }
900- rescue OpenSSL ::SSL ::SSLError , Errno ::ECONNRESET
901- else
902- supported << ver
903- end
904- end
905- }
906- end
907- assert_not_empty supported
908-
909- supported
910- end
911-
912874 def test_set_params_min_version
913875 supported = check_supported_protocol_versions
914876 store = OpenSSL ::X509 ::Store . new
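Review bot: `check_supported_protocol_versions` is removed here, but the context line `supported = check_supported_protocol_versions` shows test_set_params_min_version still calling it on the new side; unless this commit also defines it elsewhere (for instance next to the new `tls11_supported?`/`tls12_supported?` predicates, which are not in this diff), that test will now fail with NoMethodError instead of pending. If the helper did move, a one-line pointer at the surviving call would help, e.g. `supported = check_supported_protocol_versions # defined in <shared test helper file>` with the real location substituted. If it did not move, this call site should be converted to the per-version predicates the same way test_options_disable_versions was. test_set_params_min_version continues outside the hunk.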
@@ -1051,45 +1013,42 @@ def test_minmax_version
10511013
10521014 def test_options_disable_versions
10531015 # Note: Use of these OP_* flags has been deprecated since OpenSSL 1.1.0.
1054- supported = check_supported_protocol_versions
1016+ unless tls11_supported? && tls12_supported?
1017+ pend "TLS 1.1 and TLS 1.2 must be supported"
1018+ end
10551019
1056- if supported . include? ( OpenSSL ::SSL ::TLS1_1_VERSION ) &&
1057- supported . include? ( OpenSSL ::SSL ::TLS1_2_VERSION )
1058- # Server disables ~ TLS 1.1
1059- ctx_proc = proc { |ctx |
1060- ctx . options |= OpenSSL ::SSL ::OP_NO_SSLv2 | OpenSSL ::SSL ::OP_NO_SSLv3 |
1061- OpenSSL ::SSL ::OP_NO_TLSv1 | OpenSSL ::SSL ::OP_NO_TLSv1_1
1062- }
1063- start_server ( ctx_proc : ctx_proc , ignore_listener_error : true ) { |port |
1064- # Client only supports TLS 1.1
1065- ctx1 = OpenSSL ::SSL ::SSLContext . new
1066- ctx1 . min_version = ctx1 . max_version = OpenSSL ::SSL ::TLS1_1_VERSION
1067- assert_handshake_error { server_connect ( port , ctx1 ) { } }
1020+ # Server disables ~ TLS 1.1
1021+ ctx_proc = proc { |ctx |
1022+ ctx . options |= OpenSSL ::SSL ::OP_NO_SSLv2 | OpenSSL ::SSL ::OP_NO_SSLv3 |
1023+ OpenSSL ::SSL ::OP_NO_TLSv1 | OpenSSL ::SSL ::OP_NO_TLSv1_1
1024+ }
1025+ start_server ( ctx_proc : ctx_proc , ignore_listener_error : true ) { |port |
1026+ # Client only supports TLS 1.1
1027+ ctx1 = OpenSSL ::SSL ::SSLContext . new
1028+ ctx1 . min_version = ctx1 . max_version = OpenSSL ::SSL ::TLS1_1_VERSION
1029+ assert_handshake_error { server_connect ( port , ctx1 ) { } }
10681030
1069- # Client only supports TLS 1.2
1070- ctx2 = OpenSSL ::SSL ::SSLContext . new
1071- ctx2 . min_version = ctx2 . max_version = OpenSSL ::SSL ::TLS1_2_VERSION
1072- assert_nothing_raised { server_connect ( port , ctx2 ) { } }
1073- }
1031+ # Client only supports TLS 1.2
1032+ ctx2 = OpenSSL ::SSL ::SSLContext . new
1033+ ctx2 . min_version = ctx2 . max_version = OpenSSL ::SSL ::TLS1_2_VERSION
1034+ assert_nothing_raised { server_connect ( port , ctx2 ) { } }
1035+ }
10741036
1075- # Server only supports TLS 1.1
1076- ctx_proc = proc { |ctx |
1077- ctx . min_version = ctx . max_version = OpenSSL ::SSL ::TLS1_1_VERSION
1078- }
1079- start_server ( ctx_proc : ctx_proc , ignore_listener_error : true ) { |port |
1080- # Client disables TLS 1.1
1081- ctx1 = OpenSSL ::SSL ::SSLContext . new
1082- ctx1 . options |= OpenSSL ::SSL ::OP_NO_TLSv1_1
1083- assert_handshake_error { server_connect ( port , ctx1 ) { } }
1037+ # Server only supports TLS 1.1
1038+ ctx_proc = proc { |ctx |
1039+ ctx . min_version = ctx . max_version = OpenSSL ::SSL ::TLS1_1_VERSION
1040+ }
1041+ start_server ( ctx_proc : ctx_proc , ignore_listener_error : true ) { |port |
1042+ # Client disables TLS 1.1
1043+ ctx1 = OpenSSL ::SSL ::SSLContext . new
1044+ ctx1 . options |= OpenSSL ::SSL ::OP_NO_TLSv1_1
1045+ assert_handshake_error { server_connect ( port , ctx1 ) { } }
10841046
1085- # Client disables TLS 1.2
1086- ctx2 = OpenSSL ::SSL ::SSLContext . new
1087- ctx2 . options |= OpenSSL ::SSL ::OP_NO_TLSv1_2
1088- assert_nothing_raised { server_connect ( port , ctx2 ) { } }
1089- }
1090- else
1091- pend "TLS 1.1 and TLS 1.2 must be supported; skipping"
1092- end
1047+ # Client disables TLS 1.2
1048+ ctx2 = OpenSSL ::SSL ::SSLContext . new
1049+ ctx2 . options |= OpenSSL ::SSL ::OP_NO_TLSv1_2
1050+ assert_nothing_raised { server_connect ( port , ctx2 ) { } }
1051+ }
10931052 end
10941053
10951054 def test_ssl_methods_constant
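Review bot: The three-line `unless tls11_supported? && tls12_supported?` guard added at the top of test_options_disable_versions is duplicated verbatim in test_fallback_scsv (the last hunk), with the same pend message in both. A small helper keeps the two in step and reads like the existing modifier-form pend on `enable_fallback_scsv`, e.g. `def pend_unless_tls11_and_tls12 = pend "TLS 1.1 and TLS 1.2 must be supported" unless tls11_supported? && tls12_supported?` (classic `def ... end` if the project's Ruby floor predates endless methods). The predicates themselves are presumably introduced elsewhere in this commit; they are not visible here.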
@@ -1330,6 +1289,9 @@ def test_get_ephemeral_key
13301289 def test_fallback_scsv
13311290 pend "Fallback SCSV is not supported" unless \
13321291 OpenSSL ::SSL ::SSLContext . method_defined? ( :enable_fallback_scsv )
1292+ unless tls11_supported? && tls12_supported?
1293+ pend "TLS 1.1 and TLS 1.2 must be supported"
1294+ end
13331295
13341296 start_server do |port |
13351297 ctx = OpenSSL ::SSL ::SSLContext . new
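Review bot: The new guard states that TLS 1.1 and TLS 1.2 are required but not why test_fallback_scsv needs both, and the neighbouring pend on `enable_fallback_scsv` does not explain it either. If the body (outside the hunk) performs a TLS 1.2 to TLS 1.1 downgrade with the SCSV set, a comment such as `# the downgrade exercised below needs two usable protocol versions — confirm against the body` would make the precondition self-explanatory. The test body continues outside the hunk.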