enable TLS hostname validation #279
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Ack, what happened to CI??? |
|
and it's back... huh |
|
Note to self to check tomorrow: http://stackoverflow.com/questions/9199660/why-is-ruby-unable-to-verify-an-ssl-certificate#9238221 |
| (((size - n_results) < 126) ? (size - n_results) : 0) | ||
| else | ||
| size | ||
| end |
There was a problem hiding this comment.
No behavioral change, just fiddling with syntax
This was referenced Jan 24, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR is a continuation of #259 and fixes #258. The major additions to @JPvRiel 's work are...
TestBindIntegration#test_bind_timeoutrelies on an iptables-blackhole'd port (tcp/8389). I switched the iptable invocation inscript/install-openldapso that blockage extends to the hypervisor. Also I updated the docs a bit.test/fixtures/cafiles - For Vagrant testing to work, the hypervisor & guest need to both agree on a CA. The previouscacert.pemdidn't have a corresponding private key in the repo, which made that hard. This PR adds a new CA & key, and extendsscript/install-openldapto use them.test/integration/test_bind.rbalready includedtest_bind_tls_with_cafile, so I added the new TLS cert verification tests there. I also refactored that file a teeny bit because of all the repetition: mostly adding some default hashes.The first CI run is going to fail, because I'm not entirely sure what the right value is for- FIXEDtest_bind_tls_with_multiple_bogus_hosts's exception. Once the PR is created and CI runs, I should be able to get that and add it./cc @jch @etdsoft