tests: skip wrong host test for SSL_NO_VERIFY (fix #139) (#140)

StefanKarpinski · web-flow · commit e22219f6cf8e · 2021-08-19T11:49:03.000-04:00
Since #114, we only turn off peer verification, not host verification when the `SSL_NO_VERIFY` variables are set. This means that the last set of tests in the "SSL no verify override" testset *should* fail for `wrong.host.badssl.com`. That is not what I was seeing, however — the test was still passing — which I found puzzling but just moved on with my life at the time. It turns out that the test *does* fail if libcurl is build with OpenSSL. Since whether the test passes or not for that host depends on how things are built, this change simply skips the test (by popping the URL from the set of tested URLS for that testset). The tests above that which use the easy hook mechanism are fixed in a different way: for those I made the hook disable both host and peer verification, which should fix the tests for any bad host including when the server sends the wrong host name.
diff --git a/test/runtests.jl b/test/runtests.jl
@@ -426,8 +426,8 @@ include("setup.jl")
 
     @testset "bad TLS" begin
         urls = [
-            "https://wrong.host.badssl.com"
             "https://untrusted-root.badssl.com"
+            "https://wrong.host.badssl.com"
         ]
         @testset "bad TLS is rejected" for url in urls
             resp = request(url, throw=false)
@@ -437,7 +437,9 @@ include("setup.jl")
         @testset "easy hook work-around" begin
             local url
             easy_hook = (easy, info) -> begin
-                Curl.set_ssl_verify(easy, false)
+                # don't verify anything (this disables SNI also)
+                Curl.setopt(easy, Curl.CURLOPT_SSL_VERIFYPEER, false)
+                Curl.setopt(easy, Curl.CURLOPT_SSL_VERIFYHOST, false)
                 @test info.url == url
             end
             # downloader-specific easy hook
@@ -460,6 +462,9 @@ include("setup.jl")
             Downloads.EASY_HOOK[] = nothing
         end
         ENV["JULIA_SSL_NO_VERIFY_HOSTS"] = "**.badssl.com"
+        # wrong host *should* still fail, but may not due
+        # to libcurl bugs when using non-OpenSSL backends:
+        pop!(urls) # <= skip wrong host URL entirely here
         @testset "SSL no verify override" for url in urls
             resp = request(url, throw=false)
             @test resp isa Response
