jruby-openssl-maven 0.7.4.1

data/test/openssl/test_pkey_rsa.rb

@@ -0,0 +1,49 @@
+begin
+  require "openssl"
+  require File.join(File.dirname(__FILE__), "utils.rb")
+rescue LoadError
+end
+require 'test/unit'
+
+if defined?(OpenSSL)
+
+class OpenSSL::TestPKeyRSA < Test::Unit::TestCase
+  def test_padding
+    key = OpenSSL::PKey::RSA.new(512, 3)
+
+    # Need right size for raw mode
+    plain0 = "x" * (512/8)
+    cipher = key.private_encrypt(plain0, OpenSSL::PKey::RSA::NO_PADDING)
+    plain1 = key.public_decrypt(cipher, OpenSSL::PKey::RSA::NO_PADDING)
+    assert_equal(plain0, plain1)
+
+    # Need smaller size for pkcs1 mode
+    plain0 = "x" * (512/8 - 11)
+    cipher1 = key.private_encrypt(plain0, OpenSSL::PKey::RSA::PKCS1_PADDING)
+    plain1 = key.public_decrypt(cipher1, OpenSSL::PKey::RSA::PKCS1_PADDING)
+    assert_equal(plain0, plain1)
+
+    cipherdef = key.private_encrypt(plain0) # PKCS1_PADDING is default
+    plain1 = key.public_decrypt(cipherdef)
+    assert_equal(plain0, plain1)
+    assert_equal(cipher1, cipherdef)
+
+    # Failure cases
+    assert_raise(ArgumentError){ key.private_encrypt() }
+    assert_raise(ArgumentError){ key.private_encrypt("hi", 1, nil) }
+    assert_raise(OpenSSL::PKey::RSAError){ key.private_encrypt(plain0, 666) }
+  end
+
+  def test_private
+    key = OpenSSL::PKey::RSA.new(512, 3)
+    assert(key.private?)
+    key2 = OpenSSL::PKey::RSA.new(key.to_der)
+    assert(key2.private?)
+    key3 = key.public_key
+    assert(!key3.private?)
+    key4 = OpenSSL::PKey::RSA.new(key3.to_der)
+    assert(!key4.private?)
+  end
+end
+
+end

data/test/openssl/test_ssl.rb

@@ -0,0 +1,1035 @@
+begin
+  require "openssl"
+  require File.join(File.dirname(__FILE__), "utils.rb")
+rescue LoadError
+end
+require "rbconfig"
+require "socket"
+require "test/unit"
+require 'tempfile'
+
+if defined?(OpenSSL)
+
+class OpenSSL::TestSSL < Test::Unit::TestCase
+  RUBY = ENV["RUBY"] || File.join(
+    ::Config::CONFIG["bindir"],
+    ::Config::CONFIG["ruby_install_name"] + ::Config::CONFIG["EXEEXT"]
+  )
+  SSL_SERVER = File.join(File.dirname(__FILE__), "ssl_server.rb")
+  PORT = 20443
+  ITERATIONS = ($0 == __FILE__) ? 100 : 10
+
+  # NOT USED: Disable in-proc process launching and either run jruby with
+  # specified args or yield args to a given block
+  def jruby_oop(*args)
+    prev_in_process = JRuby.runtime.instance_config.run_ruby_in_process
+    JRuby.runtime.instance_config.run_ruby_in_process = false
+    if block_given?
+      yield args
+    else
+      `#{RUBY} #{args.join(' ')}`
+    end
+  ensure
+    JRuby.runtime.instance_config.run_ruby_in_process = prev_in_process
+  end
+
+  def setup
+    @ca_key  = OpenSSL::TestUtils::TEST_KEY_RSA2048
+    @svr_key = OpenSSL::TestUtils::TEST_KEY_RSA1024
+    @cli_key = OpenSSL::TestUtils::TEST_KEY_DSA256
+    @ca  = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=CA")
+    @svr = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=localhost")
+    @cli = OpenSSL::X509::Name.parse("/DC=org/DC=ruby-lang/CN=localhost")
+
+    now = Time.at(Time.now.to_i)
+    ca_exts = [
+      ["basicConstraints","CA:TRUE",true],
+      ["keyUsage","cRLSign,keyCertSign",true],
+    ]
+    ee_exts = [
+      ["keyUsage","keyEncipherment,digitalSignature",true],
+    ]
+    @ca_cert  = issue_cert(@ca, @ca_key, 1, now, now+3600, ca_exts,
+                           nil, nil, OpenSSL::Digest::SHA1.new)
+    @svr_cert = issue_cert(@svr, @svr_key, 2, now, now+1800, ee_exts,
+                           @ca_cert, @ca_key, OpenSSL::Digest::SHA1.new)
+    @cli_cert = issue_cert(@cli, @cli_key, 3, now, now+1800, ee_exts,
+                           @ca_cert, @ca_key, OpenSSL::Digest::SHA1.new)
+    @server = nil
+  end
+
+  def teardown
+  end
+
+  def issue_cert(*arg)
+    OpenSSL::TestUtils.issue_cert(*arg)
+  end
+
+  def issue_crl(*arg)
+    OpenSSL::TestUtils.issue_crl(*arg)
+  end
+
+  def choose_port(port)
+    tcps = nil
+    100.times{ |i|
+      begin
+        tcps = TCPServer.new("127.0.0.1", port+i)
+        port = port + i
+        break
+      rescue Errno::EADDRINUSE
+        next
+      end
+    }
+    return tcps, port
+  end
+
+  def readwrite_loop(ctx, ssl)
+    while line = ssl.gets
+      if line =~ /^STARTTLS$/
+        ssl.accept
+        next
+      end
+      ssl.write(line)
+    end
+  rescue OpenSSL::SSL::SSLError
+  rescue IOError
+  ensure
+    ssl.close rescue nil
+  end
+
+  def server_loop(ctx, ssls, server_proc)
+    loop do
+      ssl = nil
+      begin
+        ssl = ssls.accept
+      rescue OpenSSL::SSL::SSLError
+        retry
+      end
+
+      Thread.start do
+        Thread.current.abort_on_exception = true
+        server_proc.call(ctx, ssl)
+      end
+    end
+  rescue Errno::EBADF, IOError, Errno::EINVAL, Errno::ECONNABORTED
+  end
+
+  def start_server(port0, verify_mode, start_immediately, args = {}, &block)
+    ctx_proc = args[:ctx_proc]
+    server_proc = args[:server_proc]
+    server_proc ||= method(:readwrite_loop)
+
+    store = OpenSSL::X509::Store.new
+    store.add_cert(@ca_cert)
+    store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
+    ctx = OpenSSL::SSL::SSLContext.new
+    ctx.cert_store = store
+    #ctx.extra_chain_cert = [ ca_cert ]
+    ctx.cert = @svr_cert
+    ctx.key = @svr_key
+    ctx.verify_mode = verify_mode
+    ctx_proc.call(ctx) if ctx_proc
+
+    Socket.do_not_reverse_lookup = true
+    tcps, port = choose_port(port0)
+
+    ssls = OpenSSL::SSL::SSLServer.new(tcps, ctx)
+    ssls.start_immediately = start_immediately
+
+    begin
+      server = Thread.new do
+        Thread.current.abort_on_exception = true
+        server_loop(ctx, ssls, server_proc)
+      end
+
+      $stderr.printf("%s started: pid=%d port=%d\n", SSL_SERVER, $$, port) if $DEBUG
+
+      block.call(server, port.to_i)
+    ensure
+      tcps.close if (tcps)
+      if (server)
+        server.join(5)
+        if server.alive?
+          server.kill
+          server.join
+          flunk("TCPServer was closed and SSLServer is still alive") unless $!
+        end
+      end
+    end
+  end
+
+  def starttls(ssl)
+    ssl.puts("STARTTLS")
+
+    sleep 1   # When this line is eliminated, process on Cygwin blocks
+              # forever at ssl.connect. But I don't know why it does.
+
+    ssl.connect
+  end
+
+  def test_ctx_setup
+    ctx = OpenSSL::SSL::SSLContext.new
+    assert_equal(ctx.setup, true)
+    assert_equal(ctx.setup, nil)
+  end
+
+  def test_connect_and_close
+    start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true){|server, port|
+      sock = TCPSocket.new("127.0.0.1", port)
+      ssl = OpenSSL::SSL::SSLSocket.new(sock)
+      assert(ssl.connect)
+      ssl.close
+      assert(!sock.closed?)
+      sock.close
+
+      sock = TCPSocket.new("127.0.0.1", port)
+      ssl = OpenSSL::SSL::SSLSocket.new(sock)
+      ssl.sync_close = true  # !!
+      assert(ssl.connect)
+      ssl.close
+      assert(sock.closed?)
+    }
+  end
+
+  def test_read_and_write
+    start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true){|server, port|
+      sock = TCPSocket.new("127.0.0.1", port)
+      ssl = OpenSSL::SSL::SSLSocket.new(sock)
+      ssl.sync_close = true
+      ssl.connect
+
+      assert_raise(ArgumentError) { ssl.sysread(-1) }
+
+      # syswrite and sysread
+      ITERATIONS.times{|i|
+        str = "x" * 100 + "\n"
+        ssl.syswrite(str)
+        assert_equal(str, ssl.sysread(str.size))
+
+        str = "x" * i * 100 + "\n"
+        buf = ""
+        ssl.syswrite(str)
+        assert_equal(buf.object_id, ssl.sysread(str.size, buf).object_id)
+        assert_equal(str, buf)
+      }
+
+      # puts and gets
+      ITERATIONS.times{
+        str = "x" * 100 + "\n"
+        ssl.puts(str)
+        assert_equal(str, ssl.gets)
+      }
+
+      # read and write
+      ITERATIONS.times{|i|
+        str = "x" * 100 + "\n"
+        ssl.write(str)
+        assert_equal(str, ssl.read(str.size))
+
+        str = "x" * i * 100 + "\n"
+        buf = ""
+        ssl.write(str)
+        assert_equal(buf.object_id, ssl.read(str.size, buf).object_id)
+        assert_equal(str, buf)
+      }
+
+      ssl.close
+    }
+  end
+
+  def test_sysread_chunks
+    args = {}
+    args[:server_proc] = proc { |ctx, ssl|
+      while line = ssl.gets
+        if line =~ /^STARTTLS$/
+          ssl.accept
+          next
+        end
+        ssl.write("0" * 800)
+        ssl.write("1" * 200)
+        ssl.close
+        break
+      end
+    }
+    start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true, args){|server, port|
+      sock = TCPSocket.new("127.0.0.1", port)
+      ssl = OpenSSL::SSL::SSLSocket.new(sock)
+      ssl.sync_close = true
+      ssl.connect
+      ssl.syswrite("hello\n")
+      assert_equal("0" * 200, ssl.sysread(200))
+      assert_equal("0" * 200, ssl.sysread(200))
+      assert_equal("0" * 200, ssl.sysread(200))
+      assert_equal("0" * 200, ssl.sysread(200))
+      assert_equal("1" * 200, ssl.sysread(200))
+      ssl.close
+    }
+  end
+
+  def test_sysread_buffer
+    start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true){|server, port|
+      sock = TCPSocket.new("127.0.0.1", port)
+      ssl = OpenSSL::SSL::SSLSocket.new(sock)
+      ssl.sync_close = true
+      ssl.connect
+      ITERATIONS.times{|i|
+        # the given buffer is cleared before concatenating.
+        # NB: SSLSocket#readpartial depends sysread.
+        str = "x" * i * 100 + "\n"
+        ssl.syswrite(str)
+        buf = "asdf"
+        assert_equal(buf.object_id, ssl.sysread(0, buf).object_id)
+        assert_equal("", buf)
+
+        buf = "asdf"
+        read = ssl.sysread(str.size, buf)
+        assert(!read.empty?)
+        assert_equal(buf.object_id, read.object_id)
+        assert_equal(str, buf)
+
+        ssl.syswrite(str)
+        read = ssl.sysread(str.size, nil)
+        assert(!read.empty?)
+        assert_equal(str, read)
+      }
+      ssl.close
+    }
+  end
+
+  def test_client_auth
+    vflag = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
+    start_server(PORT, vflag, true){|server, port|
+      assert_raise(OpenSSL::SSL::SSLError){
+        sock = TCPSocket.new("127.0.0.1", port)
+        ssl = OpenSSL::SSL::SSLSocket.new(sock)
+        ssl.connect
+      }
+
+      ctx = OpenSSL::SSL::SSLContext.new
+      ctx.key = @cli_key
+      ctx.cert = @cli_cert
+      sock = TCPSocket.new("127.0.0.1", port)
+      ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
+      ssl.sync_close = true
+      ssl.connect
+      ssl.puts("foo")
+      assert_equal("foo\n", ssl.gets)
+      ssl.close
+
+      called = nil
+      ctx = OpenSSL::SSL::SSLContext.new
+      ctx.client_cert_cb = Proc.new{ |sslconn|
+        called = true
+        [@cli_cert, @cli_key]
+      }
+      sock = TCPSocket.new("127.0.0.1", port)
+      ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
+      ssl.sync_close = true
+      ssl.connect
+      assert(called)
+      ssl.puts("foo")
+      assert_equal("foo\n", ssl.gets)
+      ssl.close
+    }
+  end
+
+  def test_client_auth_with_server_store
+    vflag = OpenSSL::SSL::VERIFY_PEER
+
+    localcacert_file = Tempfile.open("cafile")
+    localcacert_file << @ca_cert.to_pem
+    localcacert_file.close
+    localcacert_path = localcacert_file.path
+
+    ssl_store = OpenSSL::X509::Store.new
+    ssl_store.purpose = OpenSSL::X509::PURPOSE_ANY
+    ssl_store.add_file(localcacert_path)
+
+    args = {}
+    args[:ctx_proc] = proc { |server_ctx|
+      server_ctx.cert = @svr_cert
+      server_ctx.key = @svr_key
+      server_ctx.verify_mode = vflag
+      server_ctx.cert_store = ssl_store
+    }
+
+    start_server(PORT, vflag, true, args){|server, port|
+      ctx = OpenSSL::SSL::SSLContext.new
+      ctx.cert = @cli_cert
+      ctx.key = @cli_key
+      sock = TCPSocket.new("127.0.0.1", port)
+      ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
+      ssl.sync_close = true
+      ssl.connect
+      ssl.puts("foo")
+      assert_equal("foo\n", ssl.gets)
+      ssl.close
+      localcacert_file.unlink
+    }
+  end
+
+  def test_client_crl_with_server_store
+    vflag = OpenSSL::SSL::VERIFY_PEER
+
+    localcacert_file = Tempfile.open("cafile")
+    localcacert_file << @ca_cert.to_pem
+    localcacert_file.close
+    localcacert_path = localcacert_file.path
+
+    ssl_store = OpenSSL::X509::Store.new
+    ssl_store.purpose = OpenSSL::X509::PURPOSE_ANY
+    ssl_store.add_file(localcacert_path)
+    ssl_store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK
+
+    crl = issue_crl([], 1, Time.now, Time.now+1600, [],
+                    @cli_cert, @ca_key, OpenSSL::Digest::SHA1.new)
+
+    ssl_store.add_crl(OpenSSL::X509::CRL.new(crl.to_pem))
+
+    args = {}
+    args[:ctx_proc] = proc { |server_ctx|
+      server_ctx.cert = @svr_cert
+      server_ctx.key = @svr_key
+      server_ctx.verify_mode = vflag
+      server_ctx.cert_store = ssl_store
+    }
+
+    start_server(PORT, vflag, true, args){|s, p|
+      ctx = OpenSSL::SSL::SSLContext.new
+      ctx.cert = @cli_cert
+      ctx.key = @cli_key
+      assert_raise(OpenSSL::SSL::SSLError){
+        sock = TCPSocket.new("127.0.0.1", p)
+        ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
+        ssl.sync_close = true
+        ssl.connect
+        ssl.close
+      }
+      localcacert_file.unlink
+    }
+  end
+
+  def test_starttls
+    start_server(PORT, OpenSSL::SSL::VERIFY_NONE, false){|server, port|
+      sock = TCPSocket.new("127.0.0.1", port)
+      ssl = OpenSSL::SSL::SSLSocket.new(sock)
+      ssl.sync_close = true
+      str = "x" * 1000 + "\n"
+
+      ITERATIONS.times{
+        ssl.puts(str)
+        assert_equal(str, ssl.gets)
+      }
+
+      starttls(ssl)
+
+      ITERATIONS.times{
+        ssl.puts(str)
+        assert_equal(str, ssl.gets)
+      }
+
+      ssl.close
+    }
+  end
+
+  def test_parallel
+    GC.start
+    start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true){|server, port|
+      ssls = []
+      10.times{
+        sock = TCPSocket.new("127.0.0.1", port)
+        ssl = OpenSSL::SSL::SSLSocket.new(sock)
+        ssl.connect
+        ssl.sync_close = true
+        ssls << ssl
+      }
+      str = "x" * 1000 + "\n"
+      ITERATIONS.times{
+        ssls.each{|ssl|
+          ssl.puts(str)
+          assert_equal(str, ssl.gets)
+        }
+      }
+      ssls.each{|ssl| ssl.close }
+    }
+  end
+
+  def test_verify_result
+    start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true){|server, port|
+      sock = TCPSocket.new("127.0.0.1", port)
+      ctx = OpenSSL::SSL::SSLContext.new
+      ctx.set_params
+      ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
+      assert_raise(OpenSSL::SSL::SSLError){ ssl.connect }
+      assert_equal(OpenSSL::X509::V_ERR_SELF_SIGNED_CERT_IN_CHAIN, ssl.verify_result)
+
+      sock = TCPSocket.new("127.0.0.1", port)
+      ctx = OpenSSL::SSL::SSLContext.new
+      ctx.set_params(
+        :verify_callback => Proc.new do |preverify_ok, store_ctx|
+          store_ctx.error = OpenSSL::X509::V_OK
+          true
+        end
+      )
+      ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
+      ssl.connect
+      assert_equal(OpenSSL::X509::V_OK, ssl.verify_result)
+
+      sock = TCPSocket.new("127.0.0.1", port)
+      ctx = OpenSSL::SSL::SSLContext.new
+      ctx.set_params(
+        :verify_callback => Proc.new do |preverify_ok, store_ctx|
+          store_ctx.error = OpenSSL::X509::V_ERR_APPLICATION_VERIFICATION
+          false
+        end
+      )
+      ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
+      assert_raise(OpenSSL::SSL::SSLError){ ssl.connect }
+      assert_equal(OpenSSL::X509::V_ERR_APPLICATION_VERIFICATION, ssl.verify_result)
+    }
+  end
+
+  def test_extra_chain_cert
+    start_server(PORT, OpenSSL::SSL::VERIFY_PEER, true){|server, port|
+      sock = TCPSocket.new("127.0.0.1", port)
+      ctx = OpenSSL::SSL::SSLContext.new
+      ctx.set_params
+      ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
+      assert_raise(OpenSSL::SSL::SSLError){ ssl.connect }
+      assert_equal(OpenSSL::X509::V_ERR_SELF_SIGNED_CERT_IN_CHAIN, ssl.verify_result)
+    }
+    # server returns a chain w/o root cert so the client verification fails
+    # with UNABLE_TO_GET_ISSUER_CERT_LOCALLY not SELF_SIGNED_CERT_IN_CHAIN.
+    args = {}
+    args[:ctx_proc] = proc { |server_ctx|
+      server_ctx.cert = @svr_cert
+      server_ctx.key = @svr_key
+      server_ctx.extra_chain_cert = [@svr_cert]
+    }
+    start_server(PORT, OpenSSL::SSL::VERIFY_PEER, true, args){|server, port|
+      sock = TCPSocket.new("127.0.0.1", port)
+      ctx = OpenSSL::SSL::SSLContext.new
+      ctx.set_params
+      ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
+      assert_raise(OpenSSL::SSL::SSLError){ ssl.connect }
+      assert_equal(OpenSSL::X509::V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, ssl.verify_result)
+    }
+  end
+
+  def test_client_ca
+    args = {}
+    vflag = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
+
+    # client_ca as a cert
+    args[:ctx_proc] = proc { |server_ctx|
+      server_ctx.cert = @svr_cert
+      server_ctx.key = @svr_key
+      server_ctx.client_ca = @ca_cert
+    }
+    start_server(PORT, vflag, true, args){|server, port|
+      ctx = OpenSSL::SSL::SSLContext.new
+      ctx.key = @cli_key
+      ctx.cert = @cli_cert
+      sock = TCPSocket.new("127.0.0.1", port)
+      ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
+      ssl.sync_close = true
+      ssl.connect
+      ssl.puts("foo")
+      assert_equal("foo\n", ssl.gets)
+    }
+
+    # client_ca as an array
+    args[:ctx_proc] = proc { |server_ctx|
+      server_ctx.cert = @svr_cert
+      server_ctx.key = @svr_key
+      server_ctx.client_ca = [@ca_cert, @svr_cert]
+    }
+    start_server(PORT, vflag, true, args){|server, port|
+      ctx = OpenSSL::SSL::SSLContext.new
+      ctx.key = @cli_key
+      ctx.cert = @cli_cert
+      sock = TCPSocket.new("127.0.0.1", port)
+      ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
+      ssl.sync_close = true
+      ssl.connect
+      ssl.puts("foo")
+      assert_equal("foo\n", ssl.gets)
+    }
+  end
+
+  def test_sslctx_ssl_version_client
+    start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true){|server, port|
+      sock = TCPSocket.new("127.0.0.1", port)
+      ctx = OpenSSL::SSL::SSLContext.new
+      ctx.set_params
+      ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
+      ctx.ssl_version = "TLSv1"
+      ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
+      assert_nothing_raised do
+        ssl.connect
+      end
+      ssl.puts("hello TLSv1")
+      ssl.close
+      sock.close
+      #
+      sock = TCPSocket.new("127.0.0.1", port)
+      ctx.ssl_version = "SSLv3"
+      ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
+      assert_nothing_raised do
+        ssl.connect
+      end
+      ssl.puts("hello SSLv3")
+      ssl.close
+      sock.close
+      #
+      sock = TCPSocket.new("127.0.0.1", port)
+      ctx.ssl_version = "SSLv3_server"
+      ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
+      assert_raise(OpenSSL::SSL::SSLError) do
+        ssl.connect
+      end
+      sock.close
+      #
+      sock = TCPSocket.new("127.0.0.1", port)
+      ctx.ssl_version = "TLSv1_client"
+      ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
+      assert_nothing_raised do
+        ssl.connect
+      end
+      ssl.puts("hello TLSv1_client")
+      ssl.close
+      sock.close
+    }
+  end
+
+  def test_sslctx_ssl_version
+    args = {}
+    args[:ctx_proc] = proc { |server_ctx|
+      server_ctx.ssl_version = "TLSv1"
+    }
+    start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true, args){|server, port|
+      sock = TCPSocket.new("127.0.0.1", port)
+      ctx = OpenSSL::SSL::SSLContext.new
+      ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
+      ctx.ssl_version = "TLSv1"
+      ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
+      assert_nothing_raised do
+        ssl.connect
+      end
+      ssl.puts("hello TLSv1")
+      ssl.close
+      sock.close
+      #
+      sock = TCPSocket.new("127.0.0.1", port)
+      ctx.ssl_version = "SSLv3"
+      ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
+      assert_raise(OpenSSL::SSL::SSLError) do
+        ssl.connect
+      end
+    }
+  end
+
+  def test_verify_depth
+    vflag = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
+    args = {}
+    # depth == 1 => OK
+    args[:ctx_proc] = proc { |server_ctx|
+      server_ctx.cert = @svr_cert
+      server_ctx.key = @svr_key
+      server_ctx.verify_mode = vflag
+      server_ctx.verify_depth = 1
+    }
+    start_server(PORT, vflag, true, args){|server, port|
+      ctx = OpenSSL::SSL::SSLContext.new
+      ctx.key = @cli_key
+      ctx.cert = @cli_cert
+      sock = TCPSocket.new("127.0.0.1", port)
+      ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
+      assert_nothing_raised do
+        ssl.connect
+      end
+      ssl.close
+    }
+    # depth == 0 => error
+    error = nil
+    args[:ctx_proc] = proc { |server_ctx|
+      server_ctx.cert = @svr_cert
+      server_ctx.key = @svr_key
+      server_ctx.verify_mode = vflag
+      server_ctx.verify_depth = 0
+      server_ctx.verify_callback = proc { |preverify_ok, store_ctx|
+        error = store_ctx.error
+        preverify_ok
+      }
+    }
+    start_server(PORT, vflag, true, args){|server, port|
+      ctx = OpenSSL::SSL::SSLContext.new
+      ctx.key = @cli_key
+      ctx.cert = @cli_cert
+      sock = TCPSocket.new("127.0.0.1", port)
+      ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
+      assert_raises(OpenSSL::SSL::SSLError) do
+        ssl.connect
+      end
+      ssl.close
+    }
+    assert_equal OpenSSL::X509::V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, error
+  end
+
+  def test_sslctx_set_params
+    start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true){|server, port|
+      sock = TCPSocket.new("127.0.0.1", port)
+      ctx = OpenSSL::SSL::SSLContext.new
+      ctx.set_params
+      assert_equal(OpenSSL::SSL::VERIFY_PEER, ctx.verify_mode)
+      assert_equal(OpenSSL::SSL::OP_ALL, ctx.options)
+      ciphers = ctx.ciphers
+      ciphers_versions = ciphers.collect{|_, v, _, _| v }
+      ciphers_names = ciphers.collect{|v, _, _, _| v }
+      assert(ciphers_names.all?{|v| /ADH/ !~ v })
+      assert(ciphers_versions.all?{|v| /SSLv2/ !~ v })
+      ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
+      assert_raise(OpenSSL::SSL::SSLError){ ssl.connect }
+      assert_equal(OpenSSL::X509::V_ERR_SELF_SIGNED_CERT_IN_CHAIN, ssl.verify_result)
+    }
+  end
+
+  def test_sslctx_ciphers
+    c = OpenSSL::SSL::SSLContext.new
+
+    c.ciphers = 'DEFAULT'
+    default = c.ciphers
+    assert(default.size > 0)
+
+    c.ciphers = 'ALL'
+    all = c.ciphers
+    assert(all.size > 0)
+
+    c.ciphers = 'LOW'
+    low = c.ciphers
+    assert(low.size > 0)
+
+    c.ciphers = 'MEDIUM'
+    medium = c.ciphers
+    assert(medium.size > 0)
+
+    c.ciphers = 'HIGH'
+    high = c.ciphers
+    assert(high.size > 0)
+
+    c.ciphers = 'EXP'
+    exp = c.ciphers
+    assert(exp.size > 0)
+
+    # -
+    c.ciphers = 'ALL:-LOW'
+    assert_equal(all - low, c.ciphers)
+    c.ciphers = 'ALL:-MEDIUM'
+    assert_equal(all - medium, c.ciphers)
+    c.ciphers = 'ALL:-HIGH'
+    assert_equal(all - high, c.ciphers)
+    c.ciphers = 'ALL:-EXP'
+    assert_equal(all - exp, c.ciphers)
+    c.ciphers = 'ALL:-LOW:-MEDIUM'
+    assert_equal(all - low - medium, c.ciphers)
+    c.ciphers = 'ALL:-LOW:-MEDIUM:-HIGH'
+    assert_equal(all - low - medium - high, c.ciphers)
+    assert_raise(OpenSSL::SSL::SSLError) do
+      # should be empty for OpenSSL/0.9.8l. check OpenSSL changes if this test fail.
+      c.ciphers = 'ALL:-LOW:-MEDIUM:-HIGH:-EXP'
+    end
+
+    # !
+    c.ciphers = 'ALL:-LOW:LOW'
+    assert_equal(all.sort, c.ciphers.sort)
+    c.ciphers = 'ALL:!LOW:LOW'
+    assert_equal(all - low, c.ciphers)
+    c.ciphers = 'ALL:!LOW:+LOW'
+    assert_equal(all - low, c.ciphers)
+
+    # +
+    c.ciphers = 'HIGH:LOW:+LOW'
+    assert_equal(high + low, c.ciphers)
+    c.ciphers = 'HIGH:LOW:+HIGH'
+    assert_equal(low + high, c.ciphers)
+
+    # name+name
+    c.ciphers = 'RC4'
+    rc4 = c.ciphers
+    c.ciphers = 'RSA'
+    rsa = c.ciphers
+    c.ciphers = 'RC4+RSA'
+    assert_equal(rc4&rsa, c.ciphers) 
+    c.ciphers = 'RSA+RC4'
+    assert_equal(rc4&rsa, c.ciphers) 
+    c.ciphers = 'ALL:RSA+RC4'
+    assert_equal(all + ((rc4&rsa) - all), c.ciphers) 
+  end
+
+  def test_sslctx_options
+    args = {}
+    args[:ctx_proc] = proc { |server_ctx|
+      # TLSv1 only
+      server_ctx.options = OpenSSL::SSL::OP_NO_SSLv2|OpenSSL::SSL::OP_NO_SSLv3
+    }
+    start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true, args){|server, port|
+      sock = TCPSocket.new("127.0.0.1", port)
+      ctx = OpenSSL::SSL::SSLContext.new
+      ctx.set_params
+      ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
+      ctx.options = OpenSSL::SSL::OP_NO_TLSv1
+      ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
+      assert_raise(OpenSSL::SSL::SSLError, Errno::ECONNRESET) do
+        ssl.connect
+      end
+      ssl.close
+      sock.close
+      #
+      sock = TCPSocket.new("127.0.0.1", port)
+      ctx = OpenSSL::SSL::SSLContext.new
+      ctx.set_params
+      ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
+      ctx.options = OpenSSL::SSL::OP_NO_SSLv3
+      ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
+      assert_nothing_raised do
+        ssl.connect
+      end
+      ssl.close
+      sock.close
+    }
+  end
+
+  def test_post_connection_check
+    sslerr = OpenSSL::SSL::SSLError
+
+    start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true){|server, port|
+      sock = TCPSocket.new("127.0.0.1", port)
+      ssl = OpenSSL::SSL::SSLSocket.new(sock)
+      ssl.connect
+      assert_raise(sslerr){ssl.post_connection_check("localhost.localdomain")}
+      assert_raise(sslerr){ssl.post_connection_check("127.0.0.1")}
+      assert(ssl.post_connection_check("localhost"))
+      assert_raise(sslerr){ssl.post_connection_check("foo.example.com")}
+
+      cert = ssl.peer_cert
+      assert(!OpenSSL::SSL.verify_certificate_identity(cert, "localhost.localdomain"))
+      assert(!OpenSSL::SSL.verify_certificate_identity(cert, "127.0.0.1"))
+      assert(OpenSSL::SSL.verify_certificate_identity(cert, "localhost"))
+      assert(!OpenSSL::SSL.verify_certificate_identity(cert, "foo.example.com"))
+    }
+
+    now = Time.now
+    exts = [
+      ["keyUsage","keyEncipherment,digitalSignature",true],
+      ["subjectAltName","DNS:localhost.localdomain",false],
+      ["subjectAltName","IP:127.0.0.1",false],
+    ]
+    @svr_cert = issue_cert(@svr, @svr_key, 4, now, now+1800, exts,
+                           @ca_cert, @ca_key, OpenSSL::Digest::SHA1.new)
+    start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true){|server, port|
+      sock = TCPSocket.new("127.0.0.1", port)
+      ssl = OpenSSL::SSL::SSLSocket.new(sock)
+      ssl.connect
+      assert(ssl.post_connection_check("localhost.localdomain"))
+      assert(ssl.post_connection_check("127.0.0.1"))
+      assert_raise(sslerr){ssl.post_connection_check("localhost")}
+      assert_raise(sslerr){ssl.post_connection_check("foo.example.com")}
+
+      cert = ssl.peer_cert
+      assert(OpenSSL::SSL.verify_certificate_identity(cert, "localhost.localdomain"))
+      assert(OpenSSL::SSL.verify_certificate_identity(cert, "127.0.0.1"))
+      assert(!OpenSSL::SSL.verify_certificate_identity(cert, "localhost"))
+      assert(!OpenSSL::SSL.verify_certificate_identity(cert, "foo.example.com"))
+    }
+
+    now = Time.now
+    exts = [
+      ["keyUsage","keyEncipherment,digitalSignature",true],
+      ["subjectAltName","DNS:*.localdomain",false],
+    ]
+    @svr_cert = issue_cert(@svr, @svr_key, 5, now, now+1800, exts,
+                           @ca_cert, @ca_key, OpenSSL::Digest::SHA1.new)
+    start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true){|server, port|
+      sock = TCPSocket.new("127.0.0.1", port)
+      ssl = OpenSSL::SSL::SSLSocket.new(sock)
+      ssl.connect
+      assert(ssl.post_connection_check("localhost.localdomain"))
+      assert_raise(sslerr){ssl.post_connection_check("127.0.0.1")}
+      assert_raise(sslerr){ssl.post_connection_check("localhost")}
+      assert_raise(sslerr){ssl.post_connection_check("foo.example.com")}
+      cert = ssl.peer_cert
+      assert(OpenSSL::SSL.verify_certificate_identity(cert, "localhost.localdomain"))
+      assert(!OpenSSL::SSL.verify_certificate_identity(cert, "127.0.0.1"))
+      assert(!OpenSSL::SSL.verify_certificate_identity(cert, "localhost"))
+      assert(!OpenSSL::SSL.verify_certificate_identity(cert, "foo.example.com"))
+    }
+  end
+
+  def TODO_implement_SSLSession_test_client_session
+    last_session = nil
+    start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true) do |server, port|
+      2.times do
+        sock = TCPSocket.new("127.0.0.1", port)
+        # Debian's openssl 0.9.8g-13 failed at assert(ssl.session_reused?),
+        # when use default SSLContext. [ruby-dev:36167]
+        ctx = OpenSSL::SSL::SSLContext.new("TLSv1")
+        ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
+        ssl.sync_close = true
+        ssl.session = last_session if last_session
+        ssl.connect
+
+        session = ssl.session
+        if last_session
+          assert(ssl.session_reused?)
+
+          if session.respond_to?(:id)
+            assert_equal(session.id, last_session.id)
+          end
+          assert_equal(session.to_pem, last_session.to_pem)
+          assert_equal(session.to_der, last_session.to_der)
+          # Older version of OpenSSL may not be consistent.  Look up which versions later.
+          assert_equal(session.to_text, last_session.to_text)
+        else
+          assert(!ssl.session_reused?)
+        end
+        last_session = session
+
+        str = "x" * 100 + "\n"
+        ssl.puts(str)
+        assert_equal(str, ssl.gets)
+
+        ssl.close
+      end
+    end
+  end
+
+  def TODO_implement_SSLSession_test_server_session
+    connections = 0
+    saved_session = nil
+
+    ctx_proc = Proc.new do |ctx, ssl|
+# add test for session callbacks here
+    end
+
+    server_proc = Proc.new do |ctx, ssl|
+      session = ssl.session
+      stats = ctx.session_cache_stats
+
+      case connections
+      when 0
+        assert_equal(stats[:cache_num], 1)
+        assert_equal(stats[:cache_hits], 0)
+        assert_equal(stats[:cache_misses], 0)
+        assert(!ssl.session_reused?)
+      when 1
+        assert_equal(stats[:cache_num], 1)
+        assert_equal(stats[:cache_hits], 1)
+        assert_equal(stats[:cache_misses], 0)
+        assert(ssl.session_reused?)
+        ctx.session_remove(session)
+        saved_session = session
+      when 2
+        assert_equal(stats[:cache_num], 1)
+        assert_equal(stats[:cache_hits], 1)
+        assert_equal(stats[:cache_misses], 1)
+        assert(!ssl.session_reused?)
+        ctx.session_add(saved_session)
+      when 3
+        assert_equal(stats[:cache_num], 2)
+        assert_equal(stats[:cache_hits], 2)
+        assert_equal(stats[:cache_misses], 1)
+        assert(ssl.session_reused?)
+        ctx.flush_sessions(Time.now + 5000)
+      when 4
+        assert_equal(stats[:cache_num], 1)
+        assert_equal(stats[:cache_hits], 2)
+        assert_equal(stats[:cache_misses], 2)
+        assert(!ssl.session_reused?)
+        ctx.session_add(saved_session)
+      end
+      connections += 1
+
+      readwrite_loop(ctx, ssl)
+    end
+
+    first_session = nil
+    start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true, :ctx_proc => ctx_proc, :server_proc => server_proc) do |server, port|
+      10.times do |i|
+        sock = TCPSocket.new("127.0.0.1", port)
+        ctx = OpenSSL::SSL::SSLContext.new
+        if defined?(OpenSSL::SSL::OP_NO_TICKET)
+          # disable RFC4507 support
+          ctx.options = OpenSSL::SSL::OP_NO_TICKET
+        end
+        ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
+        ssl.sync_close = true
+        ssl.session = first_session if first_session
+        ssl.connect
+
+        session = ssl.session
+        if first_session
+          case i
+          when 1; assert(ssl.session_reused?)
+          when 2; assert(!ssl.session_reused?)
+          when 3; assert(ssl.session_reused?)
+          when 4; assert(!ssl.session_reused?)
+          when 5..10; assert(ssl.session_reused?)
+          end
+        end
+        first_session ||= session
+
+        str = "x" * 100 + "\n"
+        ssl.puts(str)
+        assert_equal(str, ssl.gets)
+
+        ssl.close
+      end
+    end
+  end
+
+  def test_tlsext_hostname
+    return unless OpenSSL::SSL::SSLSocket.instance_methods.include?("hostname")
+
+    ctx_proc = Proc.new do |ctx, ssl|
+      foo_ctx = ctx.dup
+
+      ctx.servername_cb = Proc.new do |ssl2, hostname|
+        case hostname
+        when 'foo.example.com'
+          foo_ctx
+        when 'bar.example.com'
+          nil
+        else
+          raise "unknown hostname #{hostname.inspect}"
+        end
+      end
+    end
+
+    server_proc = Proc.new do |ctx, ssl|
+      readwrite_loop(ctx, ssl)
+    end
+
+    start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true, :ctx_proc => ctx_proc, :server_proc => server_proc) do |server, port|
+      2.times do |i|
+        sock = TCPSocket.new("127.0.0.1", port)
+        ctx = OpenSSL::SSL::SSLContext.new
+        if defined?(OpenSSL::SSL::OP_NO_TICKET)
+          # disable RFC4507 support
+          ctx.options = OpenSSL::SSL::OP_NO_TICKET
+        end
+        ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
+        ssl.sync_close = true
+        ssl.hostname = (i & 1 == 0) ? 'foo.example.com' : 'bar.example.com'
+        ssl.connect
+
+        str = "x" * 100 + "\n"
+        ssl.puts(str)
+        assert_equal(str, ssl.gets)
+
+        ssl.close
+      end
+    end
+  end
+end
+
+end