tests: skip wrong host test for SSL_NO_VERIFY (fix #139) (#140)
Since #114, we only turn off peer verification, not host verification
when the `SSL_NO_VERIFY` variables are set. This means that the last set
of tests in the "SSL no verify override" testset *should* fail for
`wrong.host.badssl.com`. That is not what I was seeing, however — the
test was still passing — which I found puzzling but just moved on with my
life at the time. It turns out that the test *does* fail if libcurl is
built with OpenSSL. Since whether the test passes or not for that host
depends on how things are built, this change simply skips the test (by
popping the URL from the set of tested URLs for that testset).

The tests above that which use the easy hook mechanism are fixed in a
different way: for those I made the hook disable both host and peer
verification, which should fix the tests for any bad host including when
the server sends the wrong host name.
StefanKarpinski authored Aug 19, 2021
1 parent 25f7af3 commit e22219f
Showing 1 changed file with 7 additions and 2 deletions.
9 changes: 7 additions & 2 deletions test/runtests.jl
Expand Up @@ -426,8 +426,8 @@ include("setup.jl")

@testset "bad TLS" begin
urls = [
"https://wrong.host.badssl.com"
"https://untrusted-root.badssl.com"
"https://wrong.host.badssl.com"
]
@testset "bad TLS is rejected" for url in urls
resp = request(url, throw=false)
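Review bot: Moving `"https://wrong.host.badssl.com"` to the end of `urls` makes the order of this list load-bearing, but nothing at the list says so. The last hunk removes that entry by position, so anyone who appends another bad-TLS URL here would silently drop the wrong one from the override testset. Add a comment on the list that the wrong-host URL must stay last, or remove it by value at the point where it is skipped.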
Expand All @@ -437,7 +437,9 @@ include("setup.jl")
@testset "easy hook work-around" begin
local url
easy_hook = (easy, info) -> begin
Curl.set_ssl_verify(easy, false)
# don't verify anything (this disables SNI also)
Curl.setopt(easy, Curl.CURLOPT_SSL_VERIFYPEER, false)
Curl.setopt(easy, Curl.CURLOPT_SSL_VERIFYHOST, false)
@test info.url == url
end
# downloader-specific easy hook
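Review bot: The new comment in `easy_hook` says "this disables SNI also" without saying which of the two options has that effect or why the test needs it; spell that out, because a reader copying this hook as a work-around should know it turns off more than certificate checks. Replacing `Curl.set_ssl_verify(easy, false)` with two raw `Curl.setopt` calls also means this testset no longer exercises the helper, so if the helper is still the intended way to disable peer verification, keep one case that uses it against `https://untrusted-root.badssl.com`.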
Expand All @@ -460,6 +462,9 @@ include("setup.jl")
Downloads.EASY_HOOK[] = nothing
end
ENV["JULIA_SSL_NO_VERIFY_HOSTS"] = "**.badssl.com"
# wrong host *should* still fail, but may not due
# to libcurl bugs when using non-OpenSSL backends:
pop!(urls) # <= skip wrong host URL entirely here
@testset "SSL no verify override" for url in urls
resp = request(url, throw=false)
@test resp isa Response
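Review bot: `pop!(urls)` removes the wrong-host URL by position and mutates the shared `urls` array, so it depends on the list order set in the first hunk and also hides that URL from any testset added after this point. Once the URL is dropped, nothing asserts the property the comment describes, namely that a wrong host name is still rejected when `JULIA_SSL_NO_VERIFY_HOSTS` matches. Consider iterating over `filter(!=("https://wrong.host.badssl.com"), urls)` instead, and recording the expected rejection with `@test_skip` so the coverage gap stays visible in the test output.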