tests: skip wrong host test for SSL_NO_VERIFY (fix #139) #140

Merged
merged 1 commit into from
Aug 19, 2021

StefanKarpinski

Since #114, we only turn
off peer verification, not host verification when the `SSL_NO_VERIFY`
variables are set. This means that the last set of tests in the "SSL no
verify override" testset *should* fail for `wrong.host.badssl.com`. That
is not what I was seeing, however — the test was still passing — which I
found puzzling but just moved on with my life at the time. It turns out
that the test *does* fail if libcurl is built with OpenSSL. Since
whether the test passes or not for that host depends on how things are
built, this change simply skips the test (by popping the URL from the
set of tested URLs for that testset).

The tests above that which use the easy hook mechanism are fixed in a
different way: for those I made the hook disable both host and peer
verification, which should fix the tests for any bad host including when
the server sends the wrong host name.
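
The distinction the description above relies on, as an added example that is not part of this pull request or of Downloads.jl: a small model of libcurl's documented semantics, in which the host name check (`CURLOPT_SSL_VERIFYHOST`) runs independently of chain validation (`CURLOPT_SSL_VERIFYPEER`). The names `ServerCert`, `name_matches`, `connect_ok` and `scenario_table`, the certificate name lists and the `self-signed.badssl.com` host are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ServerCert:
    names: tuple         # DNS names in the certificate (constructed sample data)
    chain_trusted: bool  # would the chain validate against the CA store?

def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style match: '*' may replace the whole left-most label only."""
    p = pattern.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard never spans more than one label
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def connect_ok(host, cert, verify_peer=True, verify_host=True):
    """Model of the two independent checks; returns (ok, reason)."""
    if verify_peer and not cert.chain_trusted:
        return False, "peer verification failed"
    if verify_host and not any(name_matches(n, host) for n in cert.names):
        return False, "host verification failed"
    return True, "ok"

# Constructed stand-ins for two kinds of bad server.
UNTRUSTED = ServerCert(names=("*.badssl.com", "badssl.com"), chain_trusted=False)
WRONG_HOST = ServerCert(names=("*.badssl.com", "badssl.com"), chain_trusted=True)

def scenario_table():
    """Outcome per server kind under the three settings discussed above."""
    rows = {}
    for label, host, cert in [
        ("untrusted", "self-signed.badssl.com", UNTRUSTED),
        ("wrong-host", "wrong.host.badssl.com", WRONG_HOST),
    ]:
        rows[label] = {
            "default": connect_ok(host, cert)[0],
            "peer_off": connect_ok(host, cert, verify_peer=False)[0],
            "both_off": connect_ok(host, cert, verify_peer=False,
                                   verify_host=False)[0],
        }
    return rows
```

Under this model, turning off only peer verification lets the untrusted chain through but still rejects the wrong host name, which is why a hook meant to accept any bad host has to disable both checks.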

codecov bot commented Aug 19, 2021

Codecov Report

Merging #140 (7020db8) into master (25f7af3) will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master     #140   +/-   ##
=======================================
  Coverage   93.07%   93.07%           
=======================================
  Files           5        5           
  Lines         491      491           
=======================================
  Hits          457      457           
  Misses         34       34           


@StefanKarpinski StefanKarpinski merged commit e22219f into master Aug 19, 2021
@StefanKarpinski StefanKarpinski deleted the sk/fix-wrong-host-test branch August 19, 2021 15:49
ericphanson pushed a commit to ericphanson/Downloads.jl that referenced this pull request Jan 26, 2022
…liaLang#140)

ericphanson pushed a commit to ericphanson/Downloads.jl that referenced this pull request Jan 27, 2022
…liaLang#140)

(cherry picked from commit e22219f)
DilumAluthge added a commit that referenced this pull request Mar 3, 2022
* Before building and testing the package, make sure that the UUID has not been edited (#128)

(cherry picked from commit 21843d0)

* CI: Standardize the workflow for testing and changing the UUID (#129)

(cherry picked from commit cd002c3)

* fix #131 and add test (#132)

(cherry picked from commit adbb974)

* Improve inferability of download() (#133)

(cherry picked from commit 848d374)

* fix ci badge (#137)

(cherry picked from commit 3870614)

* Fix a handful of invalidations in expression-checking (#138)

ChainRulesCore defines `==(a, b::AbstractThunk)` and its converse,
and this invalidates a couple of poorly-typed Symbol checks.
This more "SSA-like" way of writing the code is easier to infer.

(cherry picked from commit 25f7af3)

* tests: skip wrong host test for SSL_NO_VERIFY (fix #139) (#140)

(cherry picked from commit e22219f)

* Fix input body size detection for IOBuffer(codeunits(str)) (#143)

Somewhat surprisingly, the type of this is not IOBuffer, but a related
type (Base.GenericIOBuffer{Base.CodeUnits{UInt8, String}}).

(cherry picked from commit 470b7f0)

* Typo fix: indiation -> indication (#144)

(cherry picked from commit 5f1509d)

* use Timer instead of libuv timer API

(cherry picked from commit 11493ff)

* use FDWatcher instead of libuv poll API

(cherry picked from commit 4c1d2af)

* fix wrong definition of curl_socket_t on Windows

(cherry picked from commit 2eb0491)

* Revert "stop using raw libuv API" (#156)

(cherry picked from commit c91876a)

* Revert "Revert "stop using raw libuv API" (#156)"

This reverts commit c91876a.

(cherry picked from commit 69acc13)

* add missing locks during Timer callbacks

(cherry picked from commit 43a3484)

* fix Timer usage (#158)

(cherry picked from commit 62b497e)

* Workaround for missing isopen check in FDWatcher (#161)

(possible multithread race with this still needs to be fixed)

(cherry picked from commit 7f91b8a)

* Check for timer isopen correctly (#162)

(cherry picked from commit 4250b35)

* remove trailing whitespace

(cherry picked from commit d8c626b)

* Avoid infinite recursion in `timer_callback` (#164)

Fixes #163

(cherry picked from commit a55825b)

* should also look into headers for input_size (#167)

If no content length is set while uploading some contents, Curl defaults to use
chunked transfer encoding. In some cases we want to prevent that because the
server may not support chunked transfers.

With this change, the request method will also look at the headers while
determining the input size and if found call `set_upload_size` as usual. So to
switch off chunked transfers, one must also know and set the content length
header while invoking `download` or `request` methods.

(cherry picked from commit ab628ab)

* rename: singularize add_{upload,seek}_callback

These only add one callback so having them be plural is weird.

(cherry picked from commit 5bd0826)

* add support for setting a debug callback

(cherry picked from commit 55a0c39)

* end-to-end tests for #167

This adds end-to-end tests for the changes introduced in #167.

Verbose mode is switched off for these tests, but switching it on would show that not setting content-length headers results in chunked transfer encoding while setting it prevents that. Both tests should pass.

(cherry picked from commit 911368d)

* tests: use debug option to test for non/chunked uploads

This combines the functionality from the previous two commits to not
only trigger both chunked and non-chunked uploads, but also test for
that difference by capturing and inspecting the debug events.

(cherry picked from commit 4e0408a)

* bump patch

Co-authored-by: Dilum Aluthge <[email protected]>
Co-authored-by: Jakob Nybo Nissen <[email protected]>
Co-authored-by: Yuto Horikawa <[email protected]>
Co-authored-by: Tim Holy <[email protected]>
Co-authored-by: Stefan Karpinski <[email protected]>
Co-authored-by: Chris Foster <[email protected]>
Co-authored-by: Benoît Legat <[email protected]>
Co-authored-by: Jameson Nash <[email protected]>
Co-authored-by: Tanmay Mohapatra <[email protected]>
@StefanKarpinski StefanKarpinski mentioned this pull request Mar 24, 2022
StefanKarpinski added a commit that referenced this pull request Mar 24, 2022
(cherry picked from commit e22219f)