From 22420d7ac15c132c0becbd40ef973a950305da4d Mon Sep 17 00:00:00 2001
From: Stefan Karpinski
Date: Thu, 19 Aug 2021 11:49:03 -0400
Subject: [PATCH] tests: skip wrong host test for SSL_NO_VERIFY (fix #139) (#140)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Since https://github.com/JuliaLang/Downloads.jl/pull/114, we only turn off peer verification, not host verification when the `SSL_NO_VERIFY` variables are set. This means that the last set of tests in the "SSL no verify override" testset *should* fail for `wrong.host.badssl.com`. That is not what I was seeing, however — the test was still passing — which I found puzzling but just moved on with my life at the time. It turns out that the test *does* fail if libcurl is build with OpenSSL. Since whether the test passes or not for that host depends on how things are built, this change simply skips the test (by popping the URL from the set of tested URLS for that testset). The tests above that which use the easy hook mechanism are fixed in a different way: for those I made the hook disable both host and peer verification, which should fix the tests for any bad host including when the server sends the wrong host name.
---
 test/runtests.jl | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/test/runtests.jl b/test/runtests.jl
index 9d02f23..e12ac44 100644
--- a/test/runtests.jl
+++ b/test/runtests.jl
@@ -426,8 +426,8 @@ include("setup.jl")
 @testset "bad TLS" begin
 urls = [
- "https://wrong.host.badssl.com"
 "https://untrusted-root.badssl.com"
+ "https://wrong.host.badssl.com"
 ]
 @testset "bad TLS is rejected" for url in urls
 resp = request(url, throw=false)
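Review bot: The order of `urls` becomes load-bearing with this reorder, because the later hunk at `@@ -460,6 +462,9 @@` calls `pop!(urls)` and relies on the wrong-host URL being the last element, yet nothing at the array says so. Appending another badssl.com URL later would silently drop that new URL from the "SSL no verify override" testset and put wrong.host back into it. Either add a comment on the array, e.g. `# wrong.host must stay last: it is popped before the "SSL no verify override" testset`, or remove the entry by value at the later site with `filter!(!=("https://wrong.host.badssl.com"), urls)`. The `@testset "bad TLS"` block starts and ends outside this hunk.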
@@ -437,7 +437,9 @@ include("setup.jl")
 @testset "easy hook work-around" begin
 local url
 easy_hook = (easy, info) -> begin
- Curl.set_ssl_verify(easy, false)
+ # don't verify anything (this disables SNI also)
+ Curl.setopt(easy, Curl.CURLOPT_SSL_VERIFYPEER, false)
+ Curl.setopt(easy, Curl.CURLOPT_SSL_VERIFYHOST, false)
 @test info.url == url
 end
 # downloader-specific easy hook
@@ -460,6 +462,9 @@ include("setup.jl")
 Downloads.EASY_HOOK[] = nothing
 end
 ENV["JULIA_SSL_NO_VERIFY_HOSTS"] = "**.badssl.com"
+ # wrong host *should* still fail, but may not due
+ # to libcurl bugs when using non-OpenSSL backends:
+ pop!(urls) # <= skip wrong host URL entirely here
 @testset "SSL no verify override" for url in urls
 resp = request(url, throw=false)
 @test resp isa Response
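Review bot: The new comment in `easy_hook` does not say that the two `Curl.setopt` calls together turn off all server authentication for the transfer, and test code like this tends to be copied as a usage example. I would word it as `# test-only: disable peer AND host verification so every badssl.com URL succeeds, wrong host included`. The parenthetical about SNI is unexplained; if that side effect is specific to certain TLS backends, the comment should name them. Since the hook no longer calls `Curl.set_ssl_verify`, it is worth confirming that the helper is still exercised by a test outside this hunk.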
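Review bot: `pop!(urls)` drops the wrong-host case without leaving any trace in the test report, so the property the commit message describes (host verification stays on when `JULIA_SSL_NO_VERIFY_HOSTS` matches) is now unchecked on every build, including the OpenSSL ones where it holds. A regression that also switched off host verification would pass this testset unnoticed. Recording the gap keeps it visible: after the `pop!`, add `@test_skip request("https://wrong.host.badssl.com", throw=false) isa RequestError` (assuming `RequestError` is in scope the way `Response` is), or assert it for real on builds where the backend is known to behave. The "SSL no verify override" testset continues past the end of this hunk.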