ruby/test/webrick/test_ssl_server.rb
usa 1beda2970b merge revision(s) 60172,60189,60208,60210,60211: [Backport #14005]
webrick: do not hang acceptor on slow TLS connections

	OpenSSL::SSL::SSLSocket#accept may block indefinitely on clients
	which negotiate the TCP connection, but fail (or are slow) to
	negotiate the subsequent TLS handshake.  This prevents the
	multi-threaded WEBrick server from accepting other connections.

	Since the TLS handshake (via OpenSSL::SSL::SSLSocket#accept)
	consists of normal read/write traffic over TCP, handle it in the
	per-client thread, instead.

	Furthermore, using non-blocking accept() is useful for non-TLS
	sockets anyways because spurious wakeups are possible from
	select(2).

	* lib/webrick/server.rb (accept_client): use TCPServer#accept_nonblock
	  and remove OpenSSL::SSL::SSLSocket#accept call
	* lib/webrick/server.rb (start_thread): call OpenSSL::SSL::SSLSocket#accept
	* test/webrick/test_ssl_server.rb (test_slow_connect): new test
	  [ruby-core:83221] [Bug #14005]

	webrick: fix up r60172

	By making the socket non-blocking in r60172, TLS/SSL negotiation
	via the SSL_accept function must handle non-blocking sockets
	properly and retry on SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE.
	OpenSSL::SSL::SSLSocket#accept cannot do that properly with a
	non-blocking socket, so it must use non-blocking logic of
	OpenSSL::SSL::SSLSocket#accept_nonblock.

	Thanks to MSP-Greg (Greg L) for finding this.

	* lib/webrick/server.rb (start_thread): use SSL_accept properly
	  with non-blocking socket.
	  [Bug #14013] [Bug #14005]

	webrick: fix up r60172 and revert r60189

	Thanks to MSP-Greg (Greg L) for helping with this.

	* lib/webrick/server.rb (start_thread): ignore ECONNRESET, ECONNABORTED,
	  EPROTO, and EINVAL on TLS negotiation errors the same way they
	  were ignored before r60172 in the accept_client method of the
	  main acceptor thread.
	  [Bug #14013] [Bug #14005]

	webrick: fix up r60172 and r60208

	Thanks to MSP-Greg (Greg L) for helping with this.

	* lib/webrick/server.rb (start_thread): fix non-local return
	  introduced in r60208

	webrick: fix up r60172 and r60210

	Thanks to MSP-Greg (Greg L) for helping with this.

	* lib/webrick/server.rb (start_thread): properly fix non-local return
	  introduced in r60208 and r60210

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_3@61240 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2017-12-14 13:33:54 +00:00


require "test/unit"
require "webrick"
require "webrick/ssl"
require_relative "utils"
require 'timeout'

class TestWEBrickSSLServer < Test::Unit::TestCase
  class Echo < WEBrick::GenericServer
    def run(sock)
      while line = sock.gets
        sock << line
      end
    end
  end

  def test_self_signed_cert_server
    assert_self_signed_cert(
      :SSLEnable => true,
      :SSLCertName => [["C", "JP"], ["O", "www.ruby-lang.org"], ["CN", "Ruby"]],
    )
  end

  def assert_self_signed_cert(config)
    TestWEBrick.start_server(Echo, config){|server, addr, port, log|
      io = TCPSocket.new(addr, port)
      sock = OpenSSL::SSL::SSLSocket.new(io)
      sock.connect
      sock.puts(server.ssl_context.cert.subject.to_s)
      assert_equal("/C=JP/O=www.ruby-lang.org/CN=Ruby\n", sock.gets, log.call)
      sock.close
      io.close
    }
  end

  def test_slow_connect
    poke = lambda do |io, msg|
      begin
        sock = OpenSSL::SSL::SSLSocket.new(io)
        sock.connect
        sock.puts(msg)
        assert_equal "#{msg}\n", sock.gets, msg
      ensure
        sock&.close
        io.close
      end
    end
    config = {
      :SSLEnable => true,
      :SSLCertName => [["C", "JP"], ["O", "www.ruby-lang.org"], ["CN", "Ruby"]],
    }
    Timeout.timeout(10) do
      TestWEBrick.start_server(Echo, config) do |server, addr, port, log|
        outer = TCPSocket.new(addr, port)
        inner = TCPSocket.new(addr, port)
        poke.call(inner, 'fast TLS negotiation')
        poke.call(outer, 'slow TLS negotiation')
      end
    end
  end
end
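
The pattern the commit message describes, as an added example that is not WEBrick's own code: the acceptor only performs the TCP accept, and each per-client thread drives the TLS handshake with OpenSSL::SSL::SSLSocket#accept_nonblock, retrying on WANT_READ/WANT_WRITE. The helper names, the constructed self-signed certificate and the handshake deadline are assumptions of this example.

```ruby
require "socket"
require "openssl"

# Constructed self-signed certificate for the demo (not from the page).
def demo_ssl_context
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=localhost")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert, ctx.key = cert, key
  ctx
end

# Per-client thread: drive the handshake on a non-blocking socket, retrying
# on WANT_READ/WANT_WRITE; the deadline is this example's assumption.
def tls_accept_with_deadline(ssl, seconds)
  limit = Process.clock_gettime(Process::CLOCK_MONOTONIC) + seconds
  loop do
    left = limit - Process.clock_gettime(Process::CLOCK_MONOTONIC)
    return :timeout if left <= 0
    case ssl.accept_nonblock(exception: false)
    when :wait_readable then IO.select([ssl.to_io], nil, nil, left)
    when :wait_writable then IO.select(nil, [ssl.to_io], nil, left)
    else return :ok
    end
  end
rescue OpenSSL::SSL::SSLError, Errno::ECONNRESET, Errno::ECONNABORTED,
       Errno::EPROTO, Errno::EINVAL
  :error # same errors the commit message says are ignored
end

# Acceptor thread: TCP accept only; each handshake runs in its own thread.
def serve(tcp_server, ctx, clients, seconds)
  Array.new(clients) {
    Thread.new(tcp_server.accept) do |io|
      ssl = OpenSSL::SSL::SSLSocket.new(io, ctx)
      ssl.sync_close = true
      result = tls_accept_with_deadline(ssl, seconds)
      ssl << ssl.gets.to_s if result == :ok # echo one line
      ssl.close
      result
    end
  }.map(&:value)
end
```

With a TCP-only client connected first and a TLS client second, `serve` returns `[:timeout, :ok]`: the stalled handshake occupies only its own thread and the second client is echoed without waiting for it.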