mirror of
https://github.com/nim-lang/Nim.git
synced 2026-01-08 05:53:22 +00:00
5b85444244
* Implement SSL/TLS certificate checking #782 * SSL: Add nimDisableCertificateValidation Remove NIM_SSL_CERT_VALIDATION env var tests/untestable/thttpclient_ssl.nim ran successfully on Linux with libssl 1.1.1d * SSL: update integ test to skip flapping tests * Revert .travis.yml change * nimDisableCertificateValidation disable imports Prevent loading symbols that are not defined on older SSL libs * SSL: disable verification in net.nim ..when nimDisableCertificateValidation is set * Update changelog * Fix peername type * Add define check for windows * Disable test on windows * Add exprimental GitHub action CI for SSL * Test nimDisableCertificateValidation
75 lines
2.4 KiB
Nim
75 lines
2.4 KiB
Nim
#
|
|
# Nim - SSL integration tests
|
|
# (c) Copyright 2017 Nim contributors
|
|
#
|
|
# See the file "copying.txt", included in this
|
|
# distribution, for details about the copyright.
|
|
#
|
|
## Warning: this test performs external networking.
|
|
## Compile with:
|
|
## ./bin/nim c -d:ssl -p:. tests/untestable/thttpclient_ssl_env_var.nim
|
|
##
|
|
## Test with:
|
|
## SSL_CERT_FILE=BogusInexistentFileName tests/untestable/thttpclient_ssl_env_var
|
|
## SSL_CERT_DIR=BogusInexistentDirName tests/untestable/thttpclient_ssl_env_var
|
|
|
|
import httpclient, unittest, ospaths
|
|
from net import newSocket, newContext, wrapSocket, connect, close, Port,
|
|
CVerifyPeerUseEnvVars
|
|
from strutils import contains
|
|
|
|
const
|
|
expired = "https://expired.badssl.com/"
|
|
good = "https://google.com/"
|
|
|
|
|
|
suite "SSL certificate check":
|
|
|
|
test "httpclient with inexistent file":
|
|
if existsEnv("SSL_CERT_FILE"):
|
|
var ctx = newContext(verifyMode=CVerifyPeerUseEnvVars)
|
|
var client = newHttpClient(sslContext=ctx)
|
|
checkpoint("Client created")
|
|
check client.getContent("https://google.com").contains("doctype")
|
|
checkpoint("Google ok")
|
|
try:
|
|
let a = $client.getContent(good)
|
|
echo "Connection should have failed"
|
|
fail()
|
|
except:
|
|
echo getCurrentExceptionMsg()
|
|
check getCurrentExceptionMsg().contains("certificate verify failed")
|
|
|
|
elif existsEnv("SSL_CERT_DIR"):
|
|
try:
|
|
var ctx = newContext(verifyMode=CVerifyPeerUseEnvVars)
|
|
var client = newHttpClient(sslContext=ctx)
|
|
echo "Should have raised 'No SSL/TLS CA certificates found.'"
|
|
fail()
|
|
except:
|
|
check getCurrentExceptionMsg() ==
|
|
"No SSL/TLS CA certificates found."
|
|
|
|
test "net socket with inexistent file":
|
|
if existsEnv("SSL_CERT_FILE"):
|
|
var sock = newSocket()
|
|
var ctx = newContext(verifyMode=CVerifyPeerUseEnvVars)
|
|
ctx.wrapSocket(sock)
|
|
checkpoint("Socket created")
|
|
try:
|
|
sock.connect("expired.badssl.com", 443.Port)
|
|
fail()
|
|
except:
|
|
sock.close
|
|
check getCurrentExceptionMsg().contains("certificate verify failed")
|
|
|
|
elif existsEnv("SSL_CERT_DIR"):
|
|
var sock = newSocket()
|
|
checkpoint("Socket created")
|
|
try:
|
|
var ctx = newContext(verifyMode=CVerifyPeerUseEnvVars) # raises here
|
|
fail()
|
|
except:
|
|
check getCurrentExceptionMsg() ==
|
|
"No SSL/TLS CA certificates found."
|