@@ -1208,46 +1208,51 @@ def test_minmax_version
12081208 end
12091209
12101210 def test_options_disable_versions
1211- # Note: Use of these OP_* flags has been deprecated since OpenSSL 1.1.0.
1211+ # It's recommended to use SSLContext#{min,max}_version= instead in real
1212+ # applications. The purpose of this test case is to check that SSL options
1213+ # are properly propagated to OpenSSL library.
12121214 supported = check_supported_protocol_versions
1215+ if !defined? ( OpenSSL ::SSL ::TLS1_3_VERSION ) ||
1216+ !supported . include? ( OpenSSL ::SSL ::TLS1_2_VERSION ) ||
1217+ !supported . include? ( OpenSSL ::SSL ::TLS1_3_VERSION ) ||
1218+ !defined? ( OpenSSL ::SSL ::OP_NO_TLSv1_3 ) # LibreSSL < 3.4
1219+ pend "this test case requires both TLS 1.2 and TLS 1.3 to be supported " \
1220+ "and enabled by default"
1221+ end
12131222
1214- if supported . include? ( OpenSSL ::SSL ::TLS1_1_VERSION ) &&
1215- supported . include? ( OpenSSL ::SSL ::TLS1_2_VERSION )
1216- # Server disables ~ TLS 1.1
1217- ctx_proc = proc { |ctx |
1218- ctx . options |= OpenSSL ::SSL ::OP_NO_SSLv2 | OpenSSL ::SSL ::OP_NO_SSLv3 |
1219- OpenSSL ::SSL ::OP_NO_TLSv1 | OpenSSL ::SSL ::OP_NO_TLSv1_1
1220- }
1221- start_server ( ctx_proc : ctx_proc , ignore_listener_error : true ) { |port |
1222- # Client only supports TLS 1.1
1223- ctx1 = OpenSSL ::SSL ::SSLContext . new
1224- ctx1 . min_version = ctx1 . max_version = OpenSSL ::SSL ::TLS1_1_VERSION
1225- assert_handshake_error { server_connect ( port , ctx1 ) { } }
1223+ # Server disables TLS 1.2 and earlier
1224+ ctx_proc = proc { |ctx |
1225+ ctx . options |= OpenSSL ::SSL ::OP_NO_SSLv2 | OpenSSL ::SSL ::OP_NO_SSLv3 |
1226+ OpenSSL ::SSL ::OP_NO_TLSv1 | OpenSSL ::SSL ::OP_NO_TLSv1_1 |
1227+ OpenSSL ::SSL ::OP_NO_TLSv1_2
1228+ }
1229+ start_server ( ctx_proc : ctx_proc , ignore_listener_error : true ) { |port |
1230+ # Client only supports TLS 1.2
1231+ ctx1 = OpenSSL ::SSL ::SSLContext . new
1232+ ctx1 . min_version = ctx1 . max_version = OpenSSL ::SSL ::TLS1_2_VERSION
1233+ assert_handshake_error { server_connect ( port , ctx1 ) { } }
12261234
1227- # Client only supports TLS 1.2
1228- ctx2 = OpenSSL ::SSL ::SSLContext . new
1229- ctx2 . min_version = ctx2 . max_version = OpenSSL ::SSL ::TLS1_2_VERSION
1230- assert_nothing_raised { server_connect ( port , ctx2 ) { } }
1231- }
1235+ # Client only supports TLS 1.3
1236+ ctx2 = OpenSSL ::SSL ::SSLContext . new
1237+ ctx2 . min_version = ctx2 . max_version = OpenSSL ::SSL ::TLS1_3_VERSION
1238+ assert_nothing_raised { server_connect ( port , ctx2 ) { } }
1239+ }
12321240
1233- # Server only supports TLS 1.1
1234- ctx_proc = proc { |ctx |
1235- ctx . min_version = ctx . max_version = OpenSSL ::SSL ::TLS1_1_VERSION
1236- }
1237- start_server ( ctx_proc : ctx_proc , ignore_listener_error : true ) { |port |
1238- # Client disables TLS 1.1
1239- ctx1 = OpenSSL ::SSL ::SSLContext . new
1240- ctx1 . options |= OpenSSL ::SSL ::OP_NO_TLSv1_1
1241- assert_handshake_error { server_connect ( port , ctx1 ) { } }
1241+ # Server only supports TLS 1.2
1242+ ctx_proc = proc { |ctx |
1243+ ctx . min_version = ctx . max_version = OpenSSL ::SSL ::TLS1_2_VERSION
1244+ }
1245+ start_server ( ctx_proc : ctx_proc , ignore_listener_error : true ) { |port |
1246+ # Client doesn't support TLS 1.2
1247+ ctx1 = OpenSSL ::SSL ::SSLContext . new
1248+ ctx1 . options |= OpenSSL ::SSL ::OP_NO_TLSv1_2
1249+ assert_handshake_error { server_connect ( port , ctx1 ) { } }
12421250
1243- # Client disables TLS 1.2
1244- ctx2 = OpenSSL ::SSL ::SSLContext . new
1245- ctx2 . options |= OpenSSL ::SSL ::OP_NO_TLSv1_2
1246- assert_nothing_raised { server_connect ( port , ctx2 ) { } }
1247- }
1248- else
1249- pend "TLS 1.1 and TLS 1.2 must be supported; skipping"
1250- end
1251+ # Client supports TLS 1.2 by default
1252+ ctx2 = OpenSSL ::SSL ::SSLContext . new
1253+ ctx2 . options |= OpenSSL ::SSL ::OP_NO_TLSv1_3
1254+ assert_nothing_raised { server_connect ( port , ctx2 ) { } }
1255+ }
12511256 end
12521257
12531258 def test_ssl_methods_constant
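Review bot: The `assert_nothing_raised` for ctx2 in the second `start_server` block (new line 1254) cannot detect a failure to propagate `OP_NO_TLSv1_3`, because that server is pinned to TLS 1.2 via `ctx.min_version = ctx.max_version` (new line 1243), so the handshake lands on TLS 1.2 whether or not the client flag took effect. Only the `assert_handshake_error` branches actually verify that the options reach the library; the two success branches are sanity checks, and the same holds for new line 1238, where a TLS 1.3-only client succeeds regardless of the server's `OP_NO_*` flags. A cheap strengthening is to pin the negotiated version inside the block, `assert_nothing_raised { server_connect(port, ctx2) { |ssl| assert_equal "TLSv1.2", ssl.ssl_version } }`, and likewise `"TLSv1.3"` on line 1238. Genuinely exercising `OP_NO_TLSv1_3` on the client side would need a server that allows both 1.2 and 1.3, with an assertion that 1.2 is selected.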