aboutsummaryrefslogtreecommitdiffstats
path: root/lib/ssl
diff options
context:
space:
mode:
authorErlang/OTP <[email protected]>2010-04-07 06:59:25 +0000
committerErlang/OTP <[email protected]>2010-04-07 06:59:25 +0000
commit10ef6faeed5f2c4050df2eecc3cfbe93e9e9bae9 (patch)
treecdaaaa86cff2e2702ee92b8add99ab0f9ec45687 /lib/ssl
parent1b6a7c949bcf51e2d537de5cb89cbb6231abbf49 (diff)
parent16dafd19b34d1b458cf68857f65c7d3c77d6f291 (diff)
downloadotp-10ef6faeed5f2c4050df2eecc3cfbe93e9e9bae9.tar.gz
otp-10ef6faeed5f2c4050df2eecc3cfbe93e9e9bae9.tar.bz2
otp-10ef6faeed5f2c4050df2eecc3cfbe93e9e9bae9.zip
Merge branch 'rb/ssl-opts-fix' into dev
* rb/ssl-opts-fix: Fix verification of ssl client when fail_if_no_peer_cert Fix mishandling of valid ssl options OTP-8557 rb/ssl-opts-fix
Diffstat (limited to 'lib/ssl')
-rw-r--r--lib/ssl/src/ssl.erl3
-rw-r--r--lib/ssl/src/ssl_connection.erl3
-rw-r--r--lib/ssl/test/ssl_basic_SUITE.erl119
3 files changed, 120 insertions, 5 deletions
diff --git a/lib/ssl/src/ssl.erl b/lib/ssl/src/ssl.erl
index 87a0939897..965e40a109 100644
--- a/lib/ssl/src/ssl.erl
+++ b/lib/ssl/src/ssl.erl
@@ -560,10 +560,11 @@ handle_options(Opts0, Role) ->
CbInfo = proplists:get_value(cb_info, Opts, {gen_tcp, tcp, tcp_closed}),
SslOptions = [versions, verify, verify_fun,
+ fail_if_no_peer_cert, verify_client_once,
depth, certfile, keyfile,
key, password, cacertfile, dhfile, ciphers,
debug, reuse_session, reuse_sessions, ssl_imp,
- cd_info, renegotiate_at],
+ cb_info, renegotiate_at],
SockOpts = lists:foldl(fun(Key, PropList) ->
proplists:delete(Key, PropList)
diff --git a/lib/ssl/src/ssl_connection.erl b/lib/ssl/src/ssl_connection.erl
index 4ec90600e9..defcfa31bd 100644
--- a/lib/ssl/src/ssl_connection.erl
+++ b/lib/ssl/src/ssl_connection.erl
@@ -441,7 +441,8 @@ certify(#certificate{} = Cert,
Opts#ssl_options.verify,
Opts#ssl_options.verify_fun) of
{PeerCert, PublicKeyInfo} ->
- handle_peer_cert(PeerCert, PublicKeyInfo, State);
+ State1 = State#state{client_certificate_requested = false},
+ handle_peer_cert(PeerCert, PublicKeyInfo, State1);
#alert{} = Alert ->
handle_own_alert(Alert, Version, certify_certificate, State),
{stop, normal, State}
diff --git a/lib/ssl/test/ssl_basic_SUITE.erl b/lib/ssl/test/ssl_basic_SUITE.erl
index 8dc987e3ff..30a721b0b5 100644
--- a/lib/ssl/test/ssl_basic_SUITE.erl
+++ b/lib/ssl/test/ssl_basic_SUITE.erl
@@ -151,7 +151,7 @@ all(doc) ->
all(suite) ->
[app, connection_info, controlling_process, controller_dies,
peercert, connect_dist,
- peername, sockname, socket_options, versions, cipher_suites,
+ peername, sockname, socket_options, valid_ssl_options, versions, cipher_suites,
upgrade, upgrade_with_timeout, tcp_connect,
ipv6, ekeyfile, ecertfile, ecacertfile, eoptions, shutdown,
shutdown_write, shutdown_both, shutdown_error, ciphers,
@@ -159,8 +159,9 @@ all(suite) ->
server_verify_peer_passive,
server_verify_peer_active, server_verify_peer_active_once,
server_verify_none_passive, server_verify_none_active,
- server_verify_none_active_once,
- server_verify_no_cacerts, client_verify_none_passive,
+ server_verify_none_active_once, server_verify_no_cacerts,
+ server_require_peer_cert_ok, server_require_peer_cert_fail,
+ client_verify_none_passive,
client_verify_none_active, client_verify_none_active_once
%%, session_cache_process_list, session_cache_process_mnesia
,reuse_session, reuse_session_expired, server_does_not_want_to_reuse_session,
@@ -605,6 +606,59 @@ socket_options_result(Socket, Options, DefaultValues, NewOptions, NewValues) ->
ok.
%%--------------------------------------------------------------------
+valid_ssl_options(doc) ->
+ ["Test what happens when we give valid options"];
+
+valid_ssl_options(suite) ->
+ [];
+
+valid_ssl_options(Config) when is_list(Config) ->
+ ClientOpts = [{reuseaddr, true} | ?config(client_opts, Config)],
+ ServerOpts = [{reuseaddr, true} | ?config(server_opts, Config)],
+ {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+ Port = ssl_test_lib:inet_port(ServerNode),
+
+ StartOk =
+ fun(Peer, Pid, TestOpt) ->
+ receive
+ {Pid, ok} when Peer =:= server ->
+ ok;
+ {Pid, {ok, _}} when Peer =:= client ->
+ ok;
+ {Pid, Error} ->
+ test_server:fail({Peer,
+ {option_being_tested, TestOpt},
+ {got, Error}})
+ end
+ end,
+
+ %% The following contains both documented and undocumented options as
+ %% listed in ssl:handle_options/2. It excludes file options which are
+ %% tested elsewhere (cacertfile, certfile, keyfile).
+ TestOpts = [{versions, []}, {verify, verify_none}, {verify_fun, fun(_) -> false end},
+ {fail_if_no_peer_cert, false}, {verify_client_once, false},
+ {depth, 1}, {key, undefined}, {password, "secret"}, {ciphers, []},
+ {reuse_sessions, true}, {reuse_session, fun(_,_,_,_) -> true end},
+ {renegotiate_at, 1000000000}, {debug, []},
+ {cb_info, {gen_tcp, tcp, tcp_closed}}],
+ [begin
+ Server =
+ ssl_test_lib:start_server_error([{node, ServerNode}, {port, Port},
+ {from, self()},
+ {options, [TestOpt | ServerOpts]}]),
+ Client =
+ ssl_test_lib:start_client_error([{node, ClientNode}, {port, Port},
+ {host, Hostname}, {from, self()},
+ {options, [TestOpt | ClientOpts]}]),
+ StartOk(server, Server, TestOpt),
+ StartOk(client, Client, TestOpt),
+ ssl_test_lib:close(Server),
+ ssl_test_lib:close(Client),
+ ok
+ end || TestOpt <- TestOpts],
+ ok.
+
+%%--------------------------------------------------------------------
versions(doc) ->
["Test API function versions/0"];
@@ -1779,7 +1833,66 @@ server_verify_no_cacerts(Config) when is_list(Config) ->
| ServerOpts]}]),
ssl_test_lib:check_result(Server, {error, {eoptions, {cacertfile, ""}}}).
+
+%%--------------------------------------------------------------------
+
+server_require_peer_cert_ok(doc) ->
+ ["Test server option fail_if_no_peer_cert when peer sends cert"];
+
+server_require_peer_cert_ok(suite) ->
+ [];
+
+server_require_peer_cert_ok(Config) when is_list(Config) ->
+ ServerOpts = [{verify, verify_peer}, {fail_if_no_peer_cert, true}
+ | ?config(server_verification_opts, Config)],
+ ClientOpts = ?config(client_verification_opts, Config),
+ {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+
+ Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
+ {from, self()},
+ {mfa, {?MODULE, send_recv_result, []}},
+ {options, [{active, false} | ServerOpts]}]),
+ Port = ssl_test_lib:inet_port(Server),
+ Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
+ {host, Hostname},
+ {from, self()},
+ {mfa, {?MODULE, send_recv_result, []}},
+ {options, [{active, false} | ClientOpts]}]),
+
+ ssl_test_lib:check_result(Server, ok, Client, ok),
+ ssl_test_lib:close(Server),
+ ssl_test_lib:close(Client).
+
+%%--------------------------------------------------------------------
+
+server_require_peer_cert_fail(doc) ->
+ ["Test server option fail_if_no_peer_cert when peer doesn't send cert"];
+
+server_require_peer_cert_fail(suite) ->
+ [];
+
+server_require_peer_cert_fail(Config) when is_list(Config) ->
+ ServerOpts = [{verify, verify_peer}, {fail_if_no_peer_cert, true}
+ | ?config(server_verification_opts, Config)],
+ BadClientOpts = ?config(client_opts, Config),
+ {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+ Port = ssl_test_lib:inet_port(ServerNode),
+
+ Server = ssl_test_lib:start_server_error([{node, ServerNode}, {port, Port},
+ {from, self()},
+ {mfa, {?MODULE, send_recv_result, []}},
+ {options, [{active, false} | ServerOpts]}]),
+ Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
+ {host, Hostname},
+ {from, self()},
+ {mfa, {?MODULE, send_recv_result, []}},
+ {options, [{active, false} | BadClientOpts]}]),
+ ssl_test_lib:check_result(Server, {error, esslaccept},
+ Client, {error, esslconnect}),
+ ssl_test_lib:close(Server),
+ ssl_test_lib:close(Client).
+
%%--------------------------------------------------------------------
client_verify_none_passive(doc) ->