Merge pull request #2689 from jhass/tls_verify

Turn on TLS client certificate validation by default, expose OpenSSL::SSL::Context in HTTP::Client

Author: ysbaddaden

spec/std/http/client/client_spec.cr

@@ -48,26 +48,47 @@ module HTTP
 
     describe "from URI" do
       it "has sane defaults" do
-        cl = Client.new(URI.parse("http://demo.com"))
-        cl.ssl?.should be_false
+        cl = Client.new(URI.parse("http://example.com"))
+        cl.ssl?.should be_nil
         cl.port.should eq(80)
       end
 
-      it "detects ssl" do
-        cl = Client.new(URI.parse("https://demo.com"))
-        cl.ssl?.should be_true
-        cl.port.should eq(443)
-      end
+      ifdef !without_openssl
+        it "detects ssl" do
+          cl = Client.new(URI.parse("https://example.com"))
+          cl.ssl?.should be_truthy
+          cl.port.should eq(443)
+        end
+
+        it "keeps context" do
+          ctx = OpenSSL::SSL::Context::Client.new
+          cl = Client.new(URI.parse("https://example.com"), ctx)
+          cl.ssl.should be(ctx)
+        end
 
-      it "allows for specified ports" do
-        cl = Client.new(URI.parse("https://demo.com:9999"))
-        cl.ssl?.should be_true
-        cl.port.should eq(9999)
+        it "doesn't take context for HTTP" do
+          ctx = OpenSSL::SSL::Context::Client.new
+          expect_raises(ArgumentError, "SSL context given") do
+            Client.new(URI.parse("http://example.com"), ctx)
+          end
+        end
+
+        it "allows for specified ports" do
+          cl = Client.new(URI.parse("https://example.com:9999"))
+          cl.ssl?.should be_truthy
+          cl.port.should eq(9999)
+        end
+      else
+        it "raises when trying to activate SSL" do
+          expect_raises do
+            Client.new "example.org", 443, ssl: true
+          end
+        end
       end
 
       it "raises error if not http schema" do
         expect_raises(ArgumentError, "Unsupported scheme: ssh") do
-          Client.new(URI.parse("ssh://demo.com"))
+          Client.new(URI.parse("ssh://example.com"))
         end
       end
 

spec/std/http/server/server_spec.cr

@@ -32,7 +32,7 @@ module HTTP
 
     describe Response do
       it "creates default ssl context" do
-        HTTP::Server.default_ssl_context.should be_a(OpenSSL::SSL::Context)
+        HTTP::Server.default_ssl_context.should be_a(OpenSSL::SSL::Context::Server)
       end
 
       it "closes" do

spec/std/openssl/ssl/context_spec.cr

@@ -2,86 +2,115 @@ require "spec"
 require "openssl"
 
 describe OpenSSL::SSL::Context do
-  it "new" do
-    OpenSSL::SSL::Context.new
-    OpenSSL::SSL::Context.new(LibSSL.tlsv1_method)
+  it "new for client" do
+    ssl_context = OpenSSL::SSL::Context::Client.new
+    ssl_context.verify_mode.should eq(OpenSSL::SSL::VerifyMode::PEER)
+    OpenSSL::SSL::Context::Client.new(LibSSL.tlsv1_method)
+  end
+
+  it "new for server" do
+    ssl_context = OpenSSL::SSL::Context::Server.new
+    ssl_context.verify_mode.should eq(OpenSSL::SSL::VerifyMode::NONE)
+    OpenSSL::SSL::Context::Server.new(LibSSL.tlsv1_method)
+  end
+
+  it "insecure for client" do
+    ssl_context = OpenSSL::SSL::Context::Client.insecure
+    ssl_context.should be_a(OpenSSL::SSL::Context::Client)
+    ssl_context.verify_mode.should eq(OpenSSL::SSL::VerifyMode::NONE)
+    OpenSSL::SSL::Context::Client.insecure(LibSSL.tlsv1_method)
+  end
+
+  it "insecure for server" do
+    ssl_context = OpenSSL::SSL::Context::Server.insecure
+    ssl_context.should be_a(OpenSSL::SSL::Context::Server)
+    ssl_context.verify_mode.should eq(OpenSSL::SSL::VerifyMode::NONE)
+    OpenSSL::SSL::Context::Server.insecure(LibSSL.tlsv1_method)
   end
 
   it "sets certificate chain" do
-    ssl_context = OpenSSL::SSL::Context.new
+    ssl_context = OpenSSL::SSL::Context::Client.new
     ssl_context.certificate_chain = File.join(__DIR__, "openssl.crt")
   end
 
   it "fails to set certificate chain" do
-    ssl_context = OpenSSL::SSL::Context.new
+    ssl_context = OpenSSL::SSL::Context::Client.new
     expect_raises(OpenSSL::Error) { ssl_context.certificate_chain = File.join(__DIR__, "unknown.crt") }
     expect_raises(OpenSSL::Error) { ssl_context.certificate_chain = __FILE__ }
   end
 
   it "sets private key" do
-    ssl_context = OpenSSL::SSL::Context.new
+    ssl_context = OpenSSL::SSL::Context::Client.new
     ssl_context.private_key = File.join(__DIR__, "openssl.key")
   end
 
   it "fails to set private key" do
-    ssl_context = OpenSSL::SSL::Context.new
+    ssl_context = OpenSSL::SSL::Context::Client.new
     expect_raises(OpenSSL::Error) { ssl_context.private_key = File.join(__DIR__, "unknown.key") }
     expect_raises(OpenSSL::Error) { ssl_context.private_key = __FILE__ }
   end
 
   it "sets ciphers" do
     ciphers = "EDH+aRSA DES-CBC3-SHA !RC4"
-    ssl_context = OpenSSL::SSL::Context.new
+    ssl_context = OpenSSL::SSL::Context::Client.new
     (ssl_context.ciphers = ciphers).should eq(ciphers)
   end
 
   it "adds temporary ecdh curve (P-256)" do
-    ssl_context = OpenSSL::SSL::Context.new
+    ssl_context = OpenSSL::SSL::Context::Client.new
     ssl_context.set_tmp_ecdh_key
   end
 
   it "adds options" do
-    ssl_context = OpenSSL::SSL::Context.new
+    ssl_context = OpenSSL::SSL::Context::Client.new
     ssl_context.remove_options(ssl_context.options) # reset
     ssl_context.add_options(LibSSL::Options::ALL).should eq(LibSSL::Options::ALL)
     ssl_context.add_options(LibSSL::Options::NO_SSLV2 | LibSSL::Options::NO_SSLV3)
                .should eq(LibSSL::Options::ALL | LibSSL::Options::NO_SSLV2 | LibSSL::Options::NO_SSLV3)
   end
 
   it "removes options" do
-    ssl_context = OpenSSL::SSL::Context.new
+    ssl_context = OpenSSL::SSL::Context::Client.new
     ssl_context.add_options(LibSSL::Options::ALL | LibSSL::Options::NO_SSLV2)
     ssl_context.remove_options(LibSSL::Options::ALL).should eq(LibSSL::Options::NO_SSLV2)
   end
 
   it "returns options" do
-    ssl_context = OpenSSL::SSL::Context.new
+    ssl_context = OpenSSL::SSL::Context::Client.new
     ssl_context.add_options(LibSSL::Options::ALL | LibSSL::Options::NO_SSLV2)
     ssl_context.options.should eq(LibSSL::Options::ALL | LibSSL::Options::NO_SSLV2)
   end
 
   it "adds modes" do
-    ssl_context = OpenSSL::SSL::Context.new
+    ssl_context = OpenSSL::SSL::Context::Client.new
     ssl_context.add_modes(LibSSL::Modes::AUTO_RETRY).should eq(LibSSL::Modes::AUTO_RETRY)
     ssl_context.add_modes(LibSSL::Modes::RELEASE_BUFFERS)
                .should eq(LibSSL::Modes::AUTO_RETRY | LibSSL::Modes::RELEASE_BUFFERS)
   end
 
   it "removes modes" do
-    ssl_context = OpenSSL::SSL::Context.new
+    ssl_context = OpenSSL::SSL::Context::Client.new
     ssl_context.add_modes(LibSSL::Modes::AUTO_RETRY | LibSSL::Modes::RELEASE_BUFFERS)
     ssl_context.remove_modes(LibSSL::Modes::AUTO_RETRY).should eq(LibSSL::Modes::RELEASE_BUFFERS)
   end
 
   it "returns modes" do
-    ssl_context = OpenSSL::SSL::Context.new
+    ssl_context = OpenSSL::SSL::Context::Client.new
     ssl_context.add_modes(LibSSL::Modes::AUTO_RETRY | LibSSL::Modes::RELEASE_BUFFERS)
     ssl_context.modes.should eq(LibSSL::Modes::AUTO_RETRY | LibSSL::Modes::RELEASE_BUFFERS)
   end
 
+  it "sets the verify mode" do
+    ssl_context = OpenSSL::SSL::Context::Client.new
+    ssl_context.verify_mode = OpenSSL::SSL::VerifyMode::NONE
+    ssl_context.verify_mode.should eq(OpenSSL::SSL::VerifyMode::NONE)
+    ssl_context.verify_mode = OpenSSL::SSL::VerifyMode::PEER
+    ssl_context.verify_mode.should eq(OpenSSL::SSL::VerifyMode::PEER)
+  end
+
   pending "alpn_protocol=" do
     # requires OpenSSL 1.0.2+
-    ssl_context = OpenSSL::SSL::Context.new
+    ssl_context = OpenSSL::SSL::Context::Client.new
     ssl_context.alpn_protocol = "h2"
   end
 end