Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix/remove wrong host test, failing with OpenSSL #139

Closed
StefanKarpinski opened this issue Aug 18, 2021 · 5 comments
Closed

fix/remove wrong host test, failing with OpenSSL #139

StefanKarpinski opened this issue Aug 18, 2021 · 5 comments

Comments

@StefanKarpinski
Copy link
Member

See #114 (comment). Synopsis:

  • conda-forge builds Julia against OpenSSL instead of MbedTLS
  • when build against OpenSSL, leaving CURLOPT_SSL_VERIFYHOST on as we do now causes the wrong host test to fail — this is what we would expect since we have told libcurl to allow hosts that it cannot verify the identity of with a root cert but not to allow connections to hosts that claim to be the wrong host entirely
  • this test doesn't fail when Julia is built against MbedTLS, which seems like a libcurl bug in that build configuration
  • so: Downloads tests pass (they shouldn't) for the standard Julia build using MbedTLS
  • and: Downloads tests fail (they should) for the conda-forge Julia build

Simplest fix seems to be to disable that test, but it would also be good to file an upstream issue with libcurl.
@StefanKarpinski
Copy link
Member Author

@mkitti, can you provide details of how to repro the conda-forge test failure and what the exact output is?

@mkitti
Copy link

mkitti commented Aug 18, 2021

Sure. I'm just copying this over from conda-forge/julia-feedstock#119 (comment).

The build.sh and meta.yaml can be viewed via the corresponding hyperlinks. Two of the key build parameters are USE_SYSTEM_LIBGIT2=1 and USE_SYSTEM_CURL=1. Setting those both to 0 and eliminating the corresponding conda dependencies results in use of the vendored BinaryBuilder builds and resolves the test errors.

To reproduce locally, clone https://github.com/conda-forge/julia-feedstock.git at b02be7bb62fde90656e6dab3c4b002f2aebb056e and run python build-locally.py. This will create a Docker image, download the Julia 1.6.2 tarball, setup the environment as per meta.yaml and build Julia per build.sh.

The full build log is available here:
b02be7bb62fde90656e6dab3c4b002f2aebb056e_downloads_jl_build_log.txt

Click here to see a summary of the test errors. 
2021-08-17T04:14:54.4131231Z Error in testset Downloads:
2021-08-17T04:14:54.4131759Z Test Failed at $PREFIX/share/julia/stdlib/v1.6/Downloads/test/runtests.jl:387
2021-08-17T04:14:54.4132273Z   Expression: resp isa Response
2021-08-17T04:14:54.4133823Z    Evaluated: Downloads.RequestError("https://wrong.host.badssl.com", 60, "SSL: no alternative certificate subject name matches target host name 'wrong.host.badssl.com'", Downloads.Response("https", "https://wrong.host.badssl.com/", 0, "", Pair{String, String}[])) isa Downloads.Response
2021-08-17T04:14:54.4134974Z Error in testset Downloads:
2021-08-17T04:14:54.4135537Z Error During Test at $PREFIX/share/julia/stdlib/v1.6/Downloads/test/runtests.jl:388
2021-08-17T04:14:54.4136057Z   Test threw exception
2021-08-17T04:14:54.4136472Z   Expression: resp.status == 200
2021-08-17T04:14:54.4136927Z   type RequestError has no field status
2021-08-17T04:14:54.4137707Z   Stacktrace:
2021-08-17T04:14:54.4138190Z    [1] getproperty(x::Downloads.RequestError, f::Symbol)
2021-08-17T04:14:54.4138690Z      @ Base ./Base.jl:33
2021-08-17T04:14:54.4139091Z    [2] macro expansion
2021-08-17T04:14:54.4139962Z      @ ~/feedstock_root/build_artifacts/julia_1629172591757/_test_env_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_/share/julia/stdlib/v1.6/Downloads/test/runtests.jl:388 [inlined]
2021-08-17T04:14:54.4140854Z    [3] macro expansion
2021-08-17T04:14:54.4141402Z      @ ~/feedstock_root/build_artifacts/julia_1629172591757/work/usr/share/julia/stdlib/v1.6/Test/src/Test.jl:1151 [inlined]
2021-08-17T04:14:54.4141976Z    [4] macro expansion
2021-08-17T04:14:54.4142817Z      @ ~/feedstock_root/build_artifacts/julia_1629172591757/_test_env_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_/share/julia/stdlib/v1.6/Downloads/test/runtests.jl:377 [inlined]
2021-08-17T04:14:54.4143703Z    [5] macro expansion
2021-08-17T04:14:54.4144266Z      @ ~/feedstock_root/build_artifacts/julia_1629172591757/work/usr/share/julia/stdlib/v1.6/Test/src/Test.jl:1151 [inlined]
2021-08-17T04:14:54.4144821Z    [6] macro expansion
2021-08-17T04:14:54.4145677Z      @ ~/feedstock_root/build_artifacts/julia_1629172591757/_test_env_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_/share/julia/stdlib/v1.6/Downloads/test/runtests.jl:367 [inlined]
2021-08-17T04:14:54.4146719Z    [7] macro expansion
2021-08-17T04:14:54.4147270Z      @ ~/feedstock_root/build_artifacts/julia_1629172591757/work/usr/share/julia/stdlib/v1.6/Test/src/Test.jl:1151 [inlined]
2021-08-17T04:14:54.4148064Z    [8] top-level scope
2021-08-17T04:14:54.4148954Z      @ ~/feedstock_root/build_artifacts/julia_1629172591757/_test_env_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_/share/julia/stdlib/v1.6/Downloads/test/runtests.jl:4
2021-08-17T04:14:54.4149845Z Error in testset Downloads:
2021-08-17T04:14:54.4150364Z Test Failed at $PREFIX/share/julia/stdlib/v1.6/Downloads/test/runtests.jl:395
2021-08-17T04:14:54.4150873Z   Expression: resp isa Response
2021-08-17T04:14:54.4152373Z    Evaluated: Downloads.RequestError("https://wrong.host.badssl.com", 60, "SSL: no alternative certificate subject name matches target host name 'wrong.host.badssl.com'", Downloads.Response("https", "https://wrong.host.badssl.com/", 0, "", Pair{String, String}[])) isa Downloads.Response
2021-08-17T04:14:54.4153779Z Error in testset Downloads:
2021-08-17T04:14:54.4154297Z Error During Test at $PREFIX/share/julia/stdlib/v1.6/Downloads/test/runtests.jl:396
2021-08-17T04:14:54.4154813Z   Test threw exception
2021-08-17T04:14:54.4155226Z   Expression: resp.status == 200
2021-08-17T04:14:54.4155684Z   type RequestError has no field status
2021-08-17T04:14:54.4156095Z   Stacktrace:
2021-08-17T04:14:54.4156578Z    [1] getproperty(x::Downloads.RequestError, f::Symbol)
2021-08-17T04:14:54.4157079Z      @ Base ./Base.jl:33
2021-08-17T04:14:54.4157478Z    [2] macro expansion
2021-08-17T04:14:54.4158351Z      @ ~/feedstock_root/build_artifacts/julia_1629172591757/_test_env_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_/share/julia/stdlib/v1.6/Downloads/test/runtests.jl:396 [inlined]
2021-08-17T04:14:54.4159245Z    [3] macro expansion
2021-08-17T04:14:54.4159795Z      @ ~/feedstock_root/build_artifacts/julia_1629172591757/work/usr/share/julia/stdlib/v1.6/Test/src/Test.jl:1151 [inlined]
2021-08-17T04:14:54.4160366Z    [4] macro expansion
2021-08-17T04:14:54.4161334Z      @ ~/feedstock_root/build_artifacts/julia_1629172591757/_test_env_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_/share/julia/stdlib/v1.6/Downloads/test/runtests.jl:377 [inlined]
2021-08-17T04:14:54.4162237Z    [5] macro expansion
2021-08-17T04:14:54.4162804Z      @ ~/feedstock_root/build_artifacts/julia_1629172591757/work/usr/share/julia/stdlib/v1.6/Test/src/Test.jl:1151 [inlined]
2021-08-17T04:14:54.4163359Z    [6] macro expansion
2021-08-17T04:14:54.4164221Z      @ ~/feedstock_root/build_artifacts/julia_1629172591757/_test_env_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_/share/julia/stdlib/v1.6/Downloads/test/runtests.jl:367 [inlined]
2021-08-17T04:14:54.4165099Z    [7] macro expansion
2021-08-17T04:14:54.4165652Z      @ ~/feedstock_root/build_artifacts/julia_1629172591757/work/usr/share/julia/stdlib/v1.6/Test/src/Test.jl:1151 [inlined]
2021-08-17T04:14:54.4166411Z    [8] top-level scope
2021-08-17T04:14:54.4167258Z      @ ~/feedstock_root/build_artifacts/julia_1629172591757/_test_env_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_/share/julia/stdlib/v1.6/Downloads/test/runtests.jl:4
2021-08-17T04:14:54.4168146Z Error in testset Downloads:
2021-08-17T04:14:54.4168779Z Test Failed at $PREFIX/share/julia/stdlib/v1.6/Downloads/test/runtests.jl:404
2021-08-17T04:14:54.4169288Z   Expression: resp isa Response
2021-08-17T04:14:54.4170799Z    Evaluated: Downloads.RequestError("https://wrong.host.badssl.com", 60, "SSL: no alternative certificate subject name matches target host name 'wrong.host.badssl.com'", Downloads.Response("https", "https://wrong.host.badssl.com/", 0, "", Pair{String, String}[])) isa Downloads.Response
2021-08-17T04:14:54.4171917Z Error in testset Downloads:
2021-08-17T04:14:54.4172431Z Error During Test at $PREFIX/share/julia/stdlib/v1.6/Downloads/test/runtests.jl:405
2021-08-17T04:14:54.4172943Z   Test threw exception
2021-08-17T04:14:54.4173354Z   Expression: resp.status == 200
2021-08-17T04:14:54.4173807Z   type RequestError has no field status
2021-08-17T04:14:54.4174219Z   Stacktrace:
2021-08-17T04:14:54.4174696Z    [1] getproperty(x::Downloads.RequestError, f::Symbol)
2021-08-17T04:14:54.4175209Z      @ Base ./Base.jl:33
2021-08-17T04:14:54.4175612Z    [2] macro expansion
2021-08-17T04:14:54.4176474Z      @ ~/feedstock_root/build_artifacts/julia_1629172591757/_test_env_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_/share/julia/stdlib/v1.6/Downloads/test/runtests.jl:405 [inlined]
2021-08-17T04:14:54.4177352Z    [3] macro expansion
2021-08-17T04:14:54.4177909Z      @ ~/feedstock_root/build_artifacts/julia_1629172591757/work/usr/share/julia/stdlib/v1.6/Test/src/Test.jl:1226 [inlined]
2021-08-17T04:14:54.4178484Z    [4] macro expansion
2021-08-17T04:14:54.4179326Z      @ ~/feedstock_root/build_artifacts/julia_1629172591757/_test_env_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_/share/julia/stdlib/v1.6/Downloads/test/runtests.jl:402 [inlined]
2021-08-17T04:14:54.4180206Z    [5] macro expansion
2021-08-17T04:14:54.4180775Z      @ ~/feedstock_root/build_artifacts/julia_1629172591757/work/usr/share/julia/stdlib/v1.6/Test/src/Test.jl:1151 [inlined]
2021-08-17T04:14:54.4181332Z    [6] macro expansion
2021-08-17T04:14:54.4182193Z      @ ~/feedstock_root/build_artifacts/julia_1629172591757/_test_env_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_/share/julia/stdlib/v1.6/Downloads/test/runtests.jl:367 [inlined]
2021-08-17T04:14:54.4183266Z    [7] macro expansion
2021-08-17T04:14:54.4183816Z      @ ~/feedstock_root/build_artifacts/julia_1629172591757/work/usr/share/julia/stdlib/v1.6/Test/src/Test.jl:1151 [inlined]
2021-08-17T04:14:54.4184574Z    [8] top-level scope
2021-08-17T04:14:54.4185421Z      @ ~/feedstock_root/build_artifacts/julia_1629172591757/_test_env_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_/share/julia/stdlib/v1.6/Downloads/test/runtests.jl:4
2021-08-17T04:14:54.4186332Z ERROR: LoadError: Test run finished with errors
2021-08-17T04:14:54.4187247Z in expression starting at /home/conda/feedstock_root/build_artifacts/julia_1629172591757/_test_env_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_placehold_/share/julia/test/runtests.jl:84
2021-08-17T04:14:55.6619941Z ERROR: A test has failed. Please submit a bug report (https://github.com/JuliaLang/julia/issues)
2021-08-17T04:14:55.6621526Z including error messages above and the output of versioninfo():
2021-08-17T04:14:55.6622097Z Julia Version 1.6.2
2021-08-17T04:14:55.6623264Z Commit 1b93d53fc4* (2021-07-14 15:36 UTC)
2021-08-17T04:14:55.6623743Z Platform Info:
2021-08-17T04:14:55.6624370Z   OS: Linux (x86_64-conda-linux-gnu)
2021-08-17T04:14:55.6625129Z   CPU: Intel(R) Xeon(R) Platinum 8272CL CPU @ 2.60GHz
2021-08-17T04:14:55.6625595Z   WORD_SIZE: 64
2021-08-17T04:14:55.6626002Z   LIBM: libopenlibm
2021-08-17T04:14:55.6626642Z   LLVM: libLLVM-11.0.1 (ORCJIT, skylake-avx512)

The errors are due to 818cd12 which is a backport of #114 for the Downloads.jl 1.4 branch (Julia 1.6.2).

Specifically, the test failures occur around lines 387, 395, and 405 of Downloads.jl 1.4.1 which tests a mechanism to override host verification. This is due to only modification of only CURLOPT_SSL_VERIFYPEER and not CURLOPT_SSL_VERIFYHOST.

StefanKarpinski added a commit that referenced this issue Aug 19, 2021
@StefanKarpinski
tests: skip wrong host test for SSL_NO_VERIFY (fix #139)
1f63762 
Since #114, we only turn
off peer verification, not host verification when the `SSL_NO_VERIFY`
variables are set. This means that the last set of tests in the "SSL no
verify override" testset *should* fail for `wrong.host.badssl.com`. That
is not what I was seeing, however — the test was still passing — which I
found puzzling but just moved on with my life at the time. It turns out
that the test *does* fail if libcurl is build with OpenSSL. Since
whether the test passes or not for that host depends on how things are
built, this change simply skips the test (by popping the URL from the
set of tested URLS for that testset).
StefanKarpinski added a commit that referenced this issue Aug 19, 2021
@StefanKarpinski
tests: skip wrong host test for SSL_NO_VERIFY (fix #139)
7020db8 
Since #114, we only turn
off peer verification, not host verification when the `SSL_NO_VERIFY`
variables are set. This means that the last set of tests in the "SSL no
verify override" testset *should* fail for `wrong.host.badssl.com`. That
is not what I was seeing, however — the test was still passing — which I
found puzzling but just moved on with my life at the time. It turns out
that the test *does* fail if libcurl is build with OpenSSL. Since
whether the test passes or not for that host depends on how things are
built, this change simply skips the test (by popping the URL from the
set of tested URLS for that testset).

The tests above that which use the easy hook mechanism are fixed in a
different way: for those I made the hook disable both host and peer
verification, which should fix the tests for any bad host including when
the server sends the wrong host name.
@StefanKarpinski
Copy link
Member Author

StefanKarpinski commented Aug 19, 2021
edited
Loading

Thanks for the debug info. I've made a change that will hopefully fix the issue. I think it could also be backported to Julia 1.6 but that will take a bunch of additional PRs. Is it possible for you to test against Julia master? I can make a Pr to update Downloads on master.

@mkitti
Copy link

mkitti commented Aug 19, 2021

Yes, I can change the build script to pull from git rather than a tarball.

@StefanKarpinski
Copy link
Member Author

Just for testing. You should probably be building a real release, which we can handle once we've verified that this actually fixes the issue.

@mkitti mkitti mentioned this issue Dec 29, 2021
Closed
5 tasks
ericphanson pushed a commit to ericphanson/Downloads.jl that referenced this issue Jan 26, 2022
@StefanKarpinski @ericphanson
tests: skip wrong host test for SSL_NO_VERIFY (fix JuliaLang#139) (Ju…
22420d7 
…liaLang#140)

Since JuliaLang#114, we only turn
off peer verification, not host verification when the `SSL_NO_VERIFY`
variables are set. This means that the last set of tests in the "SSL no
verify override" testset *should* fail for `wrong.host.badssl.com`. That
is not what I was seeing, however — the test was still passing — which I
found puzzling but just moved on with my life at the time. It turns out
that the test *does* fail if libcurl is build with OpenSSL. Since
whether the test passes or not for that host depends on how things are
built, this change simply skips the test (by popping the URL from the
set of tested URLS for that testset).

The tests above that which use the easy hook mechanism are fixed in a
different way: for those I made the hook disable both host and peer
verification, which should fix the tests for any bad host including when
the server sends the wrong host name.
ericphanson pushed a commit to ericphanson/Downloads.jl that referenced this issue Jan 27, 2022
@StefanKarpinski @ericphanson
tests: skip wrong host test for SSL_NO_VERIFY (fix JuliaLang#139) (Ju…
928f957 
…liaLang#140)

Since JuliaLang#114, we only turn
off peer verification, not host verification when the `SSL_NO_VERIFY`
variables are set. This means that the last set of tests in the "SSL no
verify override" testset *should* fail for `wrong.host.badssl.com`. That
is not what I was seeing, however — the test was still passing — which I
found puzzling but just moved on with my life at the time. It turns out
that the test *does* fail if libcurl is build with OpenSSL. Since
whether the test passes or not for that host depends on how things are
built, this change simply skips the test (by popping the URL from the
set of tested URLS for that testset).

The tests above that which use the easy hook mechanism are fixed in a
different way: for those I made the hook disable both host and peer
verification, which should fix the tests for any bad host including when
the server sends the wrong host name.

(cherry picked from commit e22219f)
DilumAluthge added a commit that referenced this issue Mar 3, 2022
@ericphanson @DilumAluthge
@jakobnissen @hyrodium @timholy @StefanKarpinski @c42f @blegat @vtjnash @tanmaykm
[release-1.5] Backport bugfixes to release-1.5 branch (#175)
b0f23d0 
* Before building and testing the package, make sure that the UUID has not been edited (#128)

(cherry picked from commit 21843d0)

* CI: Standardize the workflow for testing and changing the UUID (#129)

(cherry picked from commit cd002c3)

* fix #131 and add test (#132)

(cherry picked from commit adbb974)

* Improve inferability of download() (#133)

(cherry picked from commit 848d374)

* fix ci badge (#137)

(cherry picked from commit 3870614)

* Fix a handful of invalidations in expression-checking (#138)

ChainRulesCore defines `==(a, b::AbstractThunk)` and its converse,
and this invalidates a couple of poorly-typed Symbol checks.
This more "SSA-like" way of writing the code is easier to infer.

(cherry picked from commit 25f7af3)

* tests: skip wrong host test for SSL_NO_VERIFY (fix #139) (#140)

Since #114, we only turn
off peer verification, not host verification when the `SSL_NO_VERIFY`
variables are set. This means that the last set of tests in the "SSL no
verify override" testset *should* fail for `wrong.host.badssl.com`. That
is not what I was seeing, however — the test was still passing — which I
found puzzling but just moved on with my life at the time. It turns out
that the test *does* fail if libcurl is build with OpenSSL. Since
whether the test passes or not for that host depends on how things are
built, this change simply skips the test (by popping the URL from the
set of tested URLS for that testset).

The tests above that which use the easy hook mechanism are fixed in a
different way: for those I made the hook disable both host and peer
verification, which should fix the tests for any bad host including when
the server sends the wrong host name.

(cherry picked from commit e22219f)

* Fix input body size detection for IOBuffer(codeunits(str)) (#143)

Somewhat surprisingly, the type of this is not IOBuffer, but a related
type (Base.GenericIOBuffer{Base.CodeUnits{UInt8, String}}).

(cherry picked from commit 470b7f0)

* Typo fix: indiation -> indication (#144)

(cherry picked from commit 5f1509d)

* use Timer instead of libuv timer API

(cherry picked from commit 11493ff)

* use FDWatcher instead of libuv poll API

(cherry picked from commit 4c1d2af)

* fix wrong definition of curl_socket_t on Windows

(cherry picked from commit 2eb0491)

* Revert "stop using raw libuv API" (#156)

(cherry picked from commit c91876a)

* Revert "Revert "stop using raw libuv API" (#156)"

This reverts commit c91876a.

(cherry picked from commit 69acc13)

* add missing locks during Timer callbacks

(cherry picked from commit 43a3484)

* fix Timer usage (#158)

(cherry picked from commit 62b497e)

* Workaround for missing isopen check in FDWatcher (#161)

(possible multithread race with this still needs to be fixed)

(cherry picked from commit 7f91b8a)

* Check for timer isopen correctly (#162)

(cherry picked from commit 4250b35)

* remove trailing whitespace

(cherry picked from commit d8c626b)

* Avoid infinite recursion in `timer_callback` (#164)

Fixes #163

(cherry picked from commit a55825b)

* should also look into headers for input_size (#167)

If no content length is set while uploading some contents, Curl defaults to use
chunked transfer encoding. In some cases we want to prevent that because the
server may not support chunked transfers.

With this change, the request method will also look at the headers while
determining the input size and if found call `set_upload_size` as usual. So to
switch off chunked transfers, one must also know and set the content length
header while invoking `download` or `request` methods.

(cherry picked from commit ab628ab)

* rename: singularize add_{upload,seek}_callback

These only add one callback so having them be plural is weird.

(cherry picked from commit 5bd0826)

* add support for setting a debug callback

(cherry picked from commit 55a0c39)

* end-to-end tests for #167

This adds end-to-end tests for the changes introduced in #167.

Verbose mode is switched off for these tests, but switching it on would show that not setting content-length headers results in chunked transfer encoding while setting it prevents that. Both tests should pass.

(cherry picked from commit 911368d)

* tests: use debug option to test for non/chunked uploads

This combines the functionality from the previous two commits to not
only trigger both chunked and non-chunked uploads, but also test for
that difference by capturing and inspecting the debug events.

(cherry picked from commit 4e0408a)

* bump patch

Co-authored-by: Dilum Aluthge <[email protected]>
Co-authored-by: Jakob Nybo Nissen <[email protected]>
Co-authored-by: Yuto Horikawa <[email protected]>
Co-authored-by: Tim Holy <[email protected]>
Co-authored-by: Stefan Karpinski <[email protected]>
Co-authored-by: Chris Foster <[email protected]>
Co-authored-by: Benoît Legat <[email protected]>
Co-authored-by: Jameson Nash <[email protected]>
Co-authored-by: Tanmay Mohapatra <[email protected]>
@StefanKarpinski StefanKarpinski mentioned this issue Mar 24, 2022
Merged
StefanKarpinski added a commit that referenced this issue Mar 24, 2022
@StefanKarpinski
tests: skip wrong host test for SSL_NO_VERIFY (fix #139) (#140)
3dcf0b1 
Since #114, we only turn
off peer verification, not host verification when the `SSL_NO_VERIFY`
variables are set. This means that the last set of tests in the "SSL no
verify override" testset *should* fail for `wrong.host.badssl.com`. That
is not what I was seeing, however — the test was still passing — which I
found puzzling but just moved on with my life at the time. It turns out
that the test *does* fail if libcurl is build with OpenSSL. Since
whether the test passes or not for that host depends on how things are
built, this change simply skips the test (by popping the URL from the
set of tested URLS for that testset).

The tests above that which use the easy hook mechanism are fixed in a
different way: for those I made the hook disable both host and peer
verification, which should fix the tests for any bad host including when
the server sends the wrong host name.

(cherry picked from commit e22219f)
StefanKarpinski added a commit that referenced this issue Mar 24, 2022
@StefanKarpinski
tests: skip wrong host test for SSL_NO_VERIFY (fix #139) (#140)
0c90392 
Since #114, we only turn
off peer verification, not host verification when the `SSL_NO_VERIFY`
variables are set. This means that the last set of tests in the "SSL no
verify override" testset *should* fail for `wrong.host.badssl.com`. That
is not what I was seeing, however — the test was still passing — which I
found puzzling but just moved on with my life at the time. It turns out
that the test *does* fail if libcurl is build with OpenSSL. Since
whether the test passes or not for that host depends on how things are
built, this change simply skips the test (by popping the URL from the
set of tested URLS for that testset).

The tests above that which use the easy hook mechanism are fixed in a
different way: for those I made the hook disable both host and peer
verification, which should fix the tests for any bad host including when
the server sends the wrong host name.

(cherry picked from commit e22219f)
@StefanKarpinski StefanKarpinski mentioned this issue Mar 24, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@StefanKarpinski @mkitti