Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ignore expiration in NoCallback_RevokedCertificate_NoRevocationChecking_Succeeds test #83157

Closed
wants to merge 1 commit into from
Closed

ignore expiration in NoCallback_RevokedCertificate_NoRevocationChecking_Succeeds test #83157

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
32 changes: 28 additions & 4 deletions src/libraries/Common/tests/System/Net/Http/HttpClientHandlerTest.ServerCertificates.cs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -228,14 +228,38 @@ public async Task NoCallback_BadCertificate_ThrowsException(string url)
}

[OuterLoop("Uses external servers")]
[ActiveIssue("https://github.com/dotnet/runtime/issues/77726")]
[ConditionalFact(nameof(ClientSupportsDHECipherSuites))]
public async Task NoCallback_RevokedCertificate_NoRevocationChecking_Succeeds()
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Name of the test now seems not fully correct, as we do have a callback now 😄

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

good point. I can make it work without callback - but only for SocketsHttpHandler as that is the only one exposing SSL options and therefore certificate validation policy.
Or we can just rename the test.
Cast your vote.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have a feeling this group of tests starting with "NoCallback_" was supposed to validate HttpClient's default behavior... so can we have both tests? The one without callback for SocketsHttpHandler (which should technically cover HttpClientHandler without callback on platforms where it has SocketsHttpHandler inside), and the one with the callback you've added for general HttpClientHandler?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One way how to solve this is removing dependency on badssl.com. It may need some more infrastructure changes but perhaps it is better fix.

{
using (HttpClient client = CreateHttpClient())
using (HttpResponseMessage response = await client.GetAsync(Configuration.Http.RevokedCertRemoteServer))
using (HttpClientHandler handler = CreateHttpClientHandler())
{
Assert.Equal(HttpStatusCode.OK, response.StatusCode);
handler.ServerCertificateCustomValidationCallback = (request, cert, chain, errors) =>
{
if (errors == SslPolicyErrors.None)
{
return true;
}
else if (errors == SslPolicyErrors.RemoteCertificateChainErrors)
{
// Ignore certificate expiration
// https://github.com/chromium/badssl.com/issues/515
foreach (var status in chain.ChainStatus)
{
if ((status.Status & ~X509ChainStatusFlags.NotTimeValid) != X509ChainStatusFlags.NoError)
{
return false;
}
}
}

return true;
};

using (HttpClient client = CreateHttpClient(handler))
using (HttpResponseMessage response = await client.GetAsync(Configuration.Http.RevokedCertRemoteServer))
{
Assert.Equal(HttpStatusCode.OK, response.StatusCode);
}
}
}

Expand Down