support full certificate chain PEM for cert_pem: parameter to ssl_bind #3174
Thanks for working on this. Not sure if you've thought about tests. I've got two commits on https://github.com/MSP-Greg/puma/commits/00-3174, I believe they add what's needed. Thoughts? EDIT: I just noticed "I need guidance on how to add a test for this". Added the two commits, one adds files, the other adds tests. The tests load the files in four different ways, connect an SSLSocket, then check what certs it shows from the server (peer).
Re the effect of this PR, after cherry-picking the two last commits (which only have test changes) onto master, then running
Thanks for those tests! That's the result I was looking for. And that's what I would expect on master, that's what I was seeing when doing the commandline testing. One thing we probably want to do is use different certs. Those anchor from my example are set to expire in 1 year, so probably not good for test data. We'll have some unexpected test failures next June - which will make everyone unhappy. I'll take a look at getting better test data, or generating it.
Glad those helped. I didn't want to assume that an openssl exe was in PATH, so I used Ruby SSLSockets. I like to point out the failures/errors in master, helps when one has totally forgotten what change/feature the PR adds.
Glad you remembered that, I didn't look.
Thanks. If you could, adding the code to generate them in the comments/notes is helpful.
- adds the certificate_authority gem for development purposes
@MSP-Greg I think we're all good - added I also added This test did find that the certs in examples/CA all expired a while ago. And I wasn't able to find if they are actually used for something. This might be a cleanup for another PR, but thought I would mention it here.
If we only use that gem in
Good call - I'll make that change - I use inline bundler all the time.
A few days ago I added a 'feature' label. Now, I'm not sure if it should be 'feature' or 'bug'. I'm now thinking it should be 'bug'. Currently, when using cert_pem: path_to_cert
cert_pem: File.read(path_to_cert) This PR aligns the functionality of the two. Thoughts?
Description
Bring the cert_pem: parameter into parity with the cert: parameter to ssl_bind.
Currently the cert: parameter allows for a full certificate chain file to be used, and the cert_pem: only allows a certificate. This patch allows the cert_pem: parameter to be a full certificate chain String.
See #3172 for an in depth discussion of the issue.
Closes #3172
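An added example, not code from this PR or from Puma: it shows what a client that trusts only the root CA sees when a server is configured from a PEM String holding just the leaf versus the full chain. The helper names (issue, split_chain_pem, client_view) and the three-tier PKI are constructed for illustration, and it uses Ruby's OpenSSL::SSL::SSLContext#add_certificate directly rather than Puma's ssl_bind.

```ruby
require "openssl"
require "socket"

# Constructed throwaway PKI (not Puma's test fixtures): issue a short-lived cert.
def issue(cn, ca_cert = nil, ca_key = nil, ca: false)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**31)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = ca_cert ? ca_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  bc = OpenSSL::X509::ExtensionFactory.new.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true)
  cert.add_extension(bc)
  cert.sign(ca_key || key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Split a PEM String of one or more certificates: first is the leaf, rest is the chain.
def split_chain_pem(pem)
  certs = pem.scan(/-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m)
             .map { |c| OpenSSL::X509::Certificate.new(c) }
  [certs.first, certs.drop(1)]
end

# Serve one handshake with cert_pem, then report what a client trusting only `root` sees:
# [number of certs the server sent, whether they verify up to root].
def client_view(cert_pem, key, root)
  leaf, chain = split_chain_pem(cert_pem)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.add_certificate(leaf, key, chain)
  tcp = TCPServer.new("127.0.0.1", 0)
  srv = Thread.new { OpenSSL::SSL::SSLServer.new(tcp, ctx).accept.close rescue nil }
  sock = OpenSSL::SSL::SSLSocket.new(TCPSocket.new("127.0.0.1", tcp.addr[1]))
  sock.sync_close = true
  sock.connect # default context does not verify; the chain is checked below
  sent = sock.peer_cert_chain
  store = OpenSSL::X509::Store.new.add_cert(root)
  [sent.size, store.verify(sent.first, sent.drop(1))]
ensure
  sock&.close
  srv&.join
  tcp&.close
end

ROOT, ROOT_KEY = issue("Example Root CA", ca: true)
INTER, INTER_KEY = issue("Example Intermediate CA", ROOT, ROOT_KEY, ca: true)
LEAF, LEAF_KEY = issue("localhost", INTER, INTER_KEY)
```

Calling client_view with LEAF.to_pem alone and then with LEAF.to_pem + INTER.to_pem shows the difference: a leaf-only server leaves a root-only client unable to build a path to its trust anchor.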