net-http-persistent 2.0 → 2.1

data/History.txt

@@ -1,3 +1,15 @@
+=== 2.1 / 2011-09-19
+
+* Minor Enhancement
+  * For HTTPS connections, SSL sessions are now reused avoiding the extra
+    round trips and computations of extra SSL handshakes.  If you have
+    problems with SSL session reuse it can be disabled by
+    Net::HTTP::Persistent#reuse_ssl_sessions
+
+* Bug Fixes
+  * The default certificate store is now used even if #verify_mode was not
+    set.  Issue #7, Pull Request #8 by Matthew M. Boedicker
+
 === 2.0 / 2011-08-26
 
 * Incompatibility

data/Manifest.txt

@@ -6,4 +6,6 @@ README.txt
 Rakefile
 lib/net/http/faster.rb
 lib/net/http/persistent.rb
+lib/net/http/persistent/ssl_reuse.rb
 test/test_net_http_persistent.rb
+test/test_net_http_persistent_ssl_reuse.rb

data/lib/net/http/persistent.rb

@@ -43,7 +43,7 @@ class Net::HTTP::Persistent
   ##
   # The version of Net::HTTP::Persistent use are using
 
-  VERSION = '2.0'
+  VERSION = '2.1'
 
   ##
   # Error class for errors raised by Net::HTTP::Persistent.  Various
@@ -135,6 +135,15 @@ class Net::HTTP::Persistent
 
   attr_reader :request_key # :nodoc:
 
+  ##
+  # By default SSL sessions are reused to avoid extra SSL handshakes.  Set
+  # this to false if you have problems communicating with an HTTPS server
+  # like:
+  #
+  #   SSL_connect [...] read finished A: unexpected message (OpenSSL::SSL::SSLError)
+
+  attr_accessor :reuse_ssl_sessions
+
   ##
   # An array of options for Socket#setsockopt.
   #
@@ -230,12 +239,13 @@ class Net::HTTP::Persistent
     key = ['net_http_persistent', name, 'requests'].compact.join '_'
     @request_key    = key.intern
 
-    @certificate     = nil
-    @ca_file         = nil
-    @private_key     = nil
-    @verify_callback = nil
-    @verify_mode     = nil
-    @cert_store      = nil
+    @certificate        = nil
+    @ca_file            = nil
+    @private_key        = nil
+    @verify_callback    = nil
+    @verify_mode        = OpenSSL::SSL::VERIFY_PEER
+    @cert_store         = nil
+    @reuse_ssl_sessions = true
 
     @retry_change_requests = false
   end
@@ -258,7 +268,7 @@ class Net::HTTP::Persistent
     end
 
     unless connection = connections[connection_id] then
-      connections[connection_id] = Net::HTTP.new(*net_http_args)
+      connections[connection_id] = http_class.new(*net_http_args)
       connection = connections[connection_id]
       ssl connection if uri.scheme.downcase == 'https'
     end
@@ -314,6 +324,10 @@ class Net::HTTP::Persistent
   rescue IOError
   end
 
+  def http_class # :nodoc:
+    @reuse_ssl_sessions ? Net::HTTP::Persistent::SSLReuse : Net::HTTP
+  end
+
   ##
   # Returns the HTTP protocol version for +uri+
 
@@ -522,7 +536,7 @@ class Net::HTTP::Persistent
   def ssl connection
     connection.use_ssl = true
 
-    connection.verify_mode = OpenSSL::SSL::VERIFY_PEER unless @verify_mode
+    connection.verify_mode = @verify_mode
 
     if @ca_file then
       connection.ca_file = @ca_file
@@ -535,18 +549,16 @@ class Net::HTTP::Persistent
       connection.key  = @private_key
     end
 
-    connection.cert_store = @cert_store if @cert_store
-
-    if @verify_mode then
-      connection.verify_mode = @verify_mode
-
-      connection.cert_store ||= begin
-        store = OpenSSL::X509::Store.new
-        store.set_default_paths
-        store
-      end
-    end
+    connection.cert_store = if @cert_store then
+                              @cert_store
+                            else
+                              store = OpenSSL::X509::Store.new
+                              store.set_default_paths
+                              store
+                            end
   end
 
 end
 
+require 'net/http/persistent/ssl_reuse'
+

data/lib/net/http/persistent/ssl_reuse.rb

@@ -0,0 +1,129 @@
+##
+# This Net::HTTP subclass adds SSL session reuse and Server Name Indication
+# (SNI) RFC 3546.
+#
+# DO NOT DEPEND UPON THIS CLASS
+#
+# This class is an implementation detail and is subject to change or removal
+# at any time.
+
+class Net::HTTP::Persistent::SSLReuse < Net::HTTP
+
+  @is_proxy_class = false
+  @proxy_addr = nil
+  @proxy_port = nil
+  @proxy_user = nil
+  @proxy_pass = nil
+
+  def initialize address, port = nil # :nodoc:
+    super
+
+    @ssl_session = nil
+  end
+
+  ##
+  # From ruby trunk r33086 including http://redmine.ruby-lang.org/issues/5341
+
+  def connect # :nodoc:
+    D "opening connection to #{conn_address()}..."
+    s = timeout(@open_timeout) { TCPSocket.open(conn_address(), conn_port()) }
+    D "opened"
+    if use_ssl?
+      ssl_parameters = Hash.new
+      iv_list = instance_variables
+      SSL_ATTRIBUTES.each do |name|
+        ivname = "@#{name}".intern
+        if iv_list.include?(ivname) and
+           value = instance_variable_get(ivname)
+          ssl_parameters[name] = value
+        end
+      end
+      unless @ssl_context then
+        @ssl_context = OpenSSL::SSL::SSLContext.new
+        @ssl_context.set_params(ssl_parameters)
+      end
+      s = OpenSSL::SSL::SSLSocket.new(s, @ssl_context)
+      s.session = @ssl_session if @ssl_session
+      s.sync_close = true
+    end
+    @socket = Net::BufferedIO.new(s)
+    @socket.read_timeout = @read_timeout
+    @socket.continue_timeout = @continue_timeout if
+      @socket.respond_to? :continue_timeout
+    @socket.debug_output = @debug_output
+    if use_ssl?
+      begin
+        if proxy?
+          @socket.writeline sprintf('CONNECT %s:%s HTTP/%s',
+                                    @address, @port, HTTPVersion)
+          @socket.writeline "Host: #{@address}:#{@port}"
+          if proxy_user
+            credential = ["#{proxy_user}:#{proxy_pass}"].pack('m')
+            credential.delete!("\r\n")
+            @socket.writeline "Proxy-Authorization: Basic #{credential}"
+          end
+          @socket.writeline ''
+          HTTPResponse.read_new(@socket).value
+        end
+        # Server Name Indication (SNI) RFC 3546
+        s.hostname = @address if s.respond_to? :hostname=
+        timeout(@open_timeout) { s.connect }
+        if @ssl_context.verify_mode != OpenSSL::SSL::VERIFY_NONE
+          s.post_connection_check(@address)
+        end
+        @ssl_session = s.session
+      rescue => exception
+        D "Conn close because of connect error #{exception}"
+        @socket.close if @socket and not @socket.closed?
+        raise exception
+      end
+    end
+    on_connect
+  end if RUBY_VERSION > '1.9'
+
+  ##
+  # From ruby_1_8_7 branch r29865 including a modified
+  # http://redmine.ruby-lang.org/issues/5341
+
+  def connect
+    D "opening connection to #{conn_address()}..."
+    s = timeout(@open_timeout) { TCPSocket.open(conn_address(), conn_port()) }
+    D "opened"
+    if use_ssl?
+      unless @ssl_context.verify_mode
+        warn "warning: peer certificate won't be verified in this SSL session"
+        @ssl_context.verify_mode = OpenSSL::SSL::VERIFY_NONE
+      end
+      s = OpenSSL::SSL::SSLSocket.new(s, @ssl_context)
+      s.session = @ssl_session if @ssl_session
+      s.sync_close = true
+    end
+    @socket = Net::BufferedIO.new(s)
+    @socket.read_timeout = @read_timeout
+    @socket.debug_output = @debug_output
+    if use_ssl?
+      if proxy?
+        @socket.writeline sprintf('CONNECT %s:%s HTTP/%s',
+                                  @address, @port, HTTPVersion)
+        @socket.writeline "Host: #{@address}:#{@port}"
+        if proxy_user
+          credential = ["#{proxy_user}:#{proxy_pass}"].pack('m')
+          credential.delete!("\r\n")
+          @socket.writeline "Proxy-Authorization: Basic #{credential}"
+        end
+        @socket.writeline ''
+        HTTPResponse.read_new(@socket).value
+      end
+      s.connect
+      if @ssl_context.verify_mode != OpenSSL::SSL::VERIFY_NONE
+        s.post_connection_check(@address)
+      end
+      @ssl_session = s.session
+    end
+    on_connect
+  end if RUBY_VERSION < '1.9'
+
+  private :connect
+
+end
+

data/test/test_net_http_persistent.rb

@@ -4,10 +4,10 @@ require 'net/http/persistent'
 require 'openssl'
 require 'stringio'
 
-class Net::HTTP
+class Net::HTTP::Persistent::SSLReuse
   alias orig_connect connect
 
-  def connect
+  def test_connect
     unless use_ssl? then
       io = Object.new
       def io.setsockopt(*a) @setsockopts ||= []; @setsockopts << a end
@@ -29,6 +29,11 @@ class Net::HTTP
 
     @socket = Net::BufferedIO.new s
   end
+
+  def self.use_connect which
+    self.send :remove_method, :connect
+    self.send :alias_method, :connect, which
+  end
 end
 
 class TestNetHttpPersistent < MiniTest::Unit::TestCase
@@ -43,12 +48,16 @@ class TestNetHttpPersistent < MiniTest::Unit::TestCase
     ENV.delete 'HTTP_PROXY_USER'
     ENV.delete 'http_proxy_pass'
     ENV.delete 'HTTP_PROXY_PASS'
+
+    Net::HTTP::Persistent::SSLReuse.use_connect :test_connect
   end
 
   def teardown
     Thread.current.keys.each do |key|
       Thread.current[key] = nil
     end
+
+    Net::HTTP::Persistent::SSLReuse.use_connect :orig_connect
   end
 
   class BasicConnection
@@ -140,6 +149,8 @@ class TestNetHttpPersistent < MiniTest::Unit::TestCase
     @http.read_timeout = 321
     c = @http.connection_for @uri
 
+    assert_kind_of Net::HTTP::Persistent::SSLReuse, c
+
     assert c.started?
     refute c.proxy?
 
@@ -245,6 +256,15 @@ class TestNetHttpPersistent < MiniTest::Unit::TestCase
     refute_includes conns.keys, 'example:80'
   end
 
+  def test_connection_for_no_ssl_reuse
+    @http.reuse_ssl_sessions = false
+    @http.open_timeout = 123
+    @http.read_timeout = 321
+    c = @http.connection_for @uri
+
+    assert_instance_of Net::HTTP, c
+  end
+
   def test_connection_for_proxy
     uri = URI.parse 'http://proxy.example'
     uri.user     = 'johndoe'
@@ -759,6 +779,7 @@ class TestNetHttpPersistent < MiniTest::Unit::TestCase
 
     assert c.use_ssl?
     assert_equal OpenSSL::SSL::VERIFY_PEER, c.verify_mode
+    assert_kind_of OpenSSL::X509::Store,    c.cert_store
     assert_nil c.verify_callback
   end
 

data/test/test_net_http_persistent_ssl_reuse.rb

@@ -0,0 +1,100 @@
+require 'rubygems'
+require 'minitest/autorun'
+require 'net/http/persistent'
+require 'openssl'
+require 'webrick'
+require 'webrick/ssl'
+
+##
+# This test is based on (and contains verbatim code from) the Net::HTTP tests
+# in ruby
+
+class TestNetHttpPersistentSSLReuse < MiniTest::Unit::TestCase
+
+  class NullWriter
+    def <<(s) end
+    def puts(*args) end
+    def print(*args) end
+    def printf(*args) end
+  end
+
+  def setup
+    @name = OpenSSL::X509::Name.parse 'CN=localhost'
+
+    @key = OpenSSL::PKey::RSA.new 512
+
+    @cert = OpenSSL::X509::Certificate.new
+    @cert.version = 2
+    @cert.serial = 0
+    @cert.not_before = Time.now
+    @cert.not_after = Time.now + 300
+    @cert.public_key = @key.public_key
+    @cert.subject = @name
+
+    @host = 'localhost'
+    @port = 10082
+
+    config = {
+      :BindAddress                => @host,
+      :Port                       => @port,
+      :Logger                     => WEBrick::Log.new(NullWriter.new),
+      :AccessLog                  => [],
+      :ShutDownSocketWithoutClose => true,
+      :ServerType                 => Thread,
+      :SSLEnable                  => true,
+      :SSLCertificate             => @cert,
+      :SSLPrivateKey              => @key,
+      :SSLStartImmediately        => true,
+    }
+
+    @server = WEBrick::HTTPServer.new config
+
+    @server.mount_proc '/' do |req, res|
+      res.body = "ok"
+    end
+
+    @server.start
+
+    begin
+      TCPSocket.open(@host, @port).close
+    rescue Errno::ECONNREFUSED
+      sleep 0.2
+      n_try_max -= 1
+      raise 'cannot spawn server; give up' if n_try_max < 0
+      retry
+    end
+  end
+
+  def teardown
+    if @server then
+      @server.shutdown
+      sleep 0.01 until @server.status == :Stop
+    end
+  end
+
+  def test_ssl_connection_reuse
+    @http = Net::HTTP::Persistent::SSLReuse.new @host, @port
+    @http.use_ssl = true
+    @http.verify_callback = proc do |_, store_ctx|
+      store_ctx.current_cert.to_der == @cert.to_der
+    end
+
+    @http.start
+    @http.get '/'
+    @http.finish
+
+    @http.start
+    @http.get '/'
+    @http.finish
+
+    @http.start
+    @http.get '/'
+
+    socket = @http.instance_variable_get :@socket
+    ssl_socket = socket.io
+
+    assert ssl_socket.session_reused?
+  end
+
+end
+

metadata

@@ -1,12 +1,12 @@
 --- !ruby/object:Gem::Specification 
 name: net-http-persistent
 version: !ruby/object:Gem::Version 
-  hash: 3
+  hash: 1
   prerelease: 
   segments: 
   - 2
-  - 0
-  version: "2.0"
+  - 1
+  version: "2.1"
 platform: ruby
 authors: 
 - Eric Hodel
@@ -35,7 +35,7 @@ cert_chain:
   x52qPcexcYZR7w==
   -----END CERTIFICATE-----
 
-date: 2011-08-27 00:00:00 Z
+date: 2011-09-20 00:00:00 Z
 dependencies: 
 - !ruby/object:Gem::Dependency 
   name: minitest
@@ -43,14 +43,13 @@ dependencies:
   requirement: &id001 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
-    - - ">="
+    - - ~>
       - !ruby/object:Gem::Version 
-        hash: 1
+        hash: 5
         segments: 
         - 2
         - 3
-        - 1
-        version: 2.3.1
+        version: "2.3"
   type: :development
   version_requirements: *id001
 - !ruby/object:Gem::Dependency 
@@ -98,7 +97,9 @@ files:
 - Rakefile
 - lib/net/http/faster.rb
 - lib/net/http/persistent.rb
+- lib/net/http/persistent/ssl_reuse.rb
 - test/test_net_http_persistent.rb
+- test/test_net_http_persistent_ssl_reuse.rb
 homepage: http://docs.seattlerb.org/net-http-persistent
 licenses: []
 
@@ -129,9 +130,10 @@ required_rubygems_version: !ruby/object:Gem::Requirement
 requirements: []
 
 rubyforge_project: net-http-persistent
-rubygems_version: 1.8.9
+rubygems_version: 1.8.10
 signing_key: 
 specification_version: 3
 summary: Manages persistent connections using Net::HTTP plus a speed fix for Ruby 1.8
 test_files: 
 - test/test_net_http_persistent.rb
+- test/test_net_http_persistent_ssl_reuse.rb