Support extra_chain_cert= setting

Reference: https://bugs.ruby-lang.org/issues/9758
drbrain · Dec 4, 2024 · 455426e · 455426e
1 parent 409b0c7
commit 455426e
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 0 deletions.
diff --git a/lib/net/http/persistent.rb b/lib/net/http/persistent.rb
@@ -65,6 +65,7 @@
 # #ca_path            :: Directory with certificate-authorities
 # #cert_store         :: An SSL certificate store
 # #ciphers            :: List of SSl ciphers allowed
+# #extra_chain_cert   :: Extra certificates to be added to the certificate chain
 # #private_key        :: The client's SSL private key
 # #reuse_ssl_sessions :: Reuse a previously opened SSL session for a new
 #                        connection
@@ -272,6 +273,11 @@ def self.detect_idle_timeout uri, max = 10
 
   attr_reader :ciphers
 
+  ##
+  # Extra certificates to be added to the certificate chain
+
+  attr_reader :extra_chain_cert
+
   ##
   # Sends debug_output to this IO via Net::HTTP#set_debug_output.
   #
@@ -592,6 +598,21 @@ def ciphers= ciphers
     reconnect_ssl
   end
 
+  if Net::HTTP.method_defined?(:extra_chain_cert=)
+    ##
+    # Extra certificates to be added to the certificate chain.
+    # It is only supported starting from Net::HTTP version 0.1.1
+    def extra_chain_cert= extra_chain_cert
+      @extra_chain_cert = extra_chain_cert
+
+      reconnect_ssl
+    end
+  else
+    def extra_chain_cert= _extra_chain_cert
+      raise "extra_chain_cert= is not supported by this version of Net::HTTP"
+    end
+  end
+
   ##
   # Creates a new connection for +uri+
 
@@ -1043,6 +1064,10 @@ def ssl connection
       connection.key  = @private_key
     end
 
+    if defined?(@extra_chain_cert) and @extra_chain_cert
+      connection.extra_chain_cert = @extra_chain_cert
+    end
+
     connection.cert_store = if @cert_store then
                               @cert_store
                             else

diff --git a/test/test_net_http_persistent.rb b/test/test_net_http_persistent.rb
@@ -247,6 +247,14 @@ def test_ciphers_equals
     assert_equal 1, @http.ssl_generation
   end
 
+  def test_extra_chain_cert_equals
+    skip 'extra_chain_cert is not supported by Net::HTTP' unless Net::HTTP.method_defined?(:extra_chain_cert)
+    @http.extra_chain_cert = :extra_chain_cert
+
+    assert_equal :extra_chain_cert, @http.extra_chain_cert
+    assert_equal 1, @http.ssl_generation
+  end
+
   def test_connection_for
     @http.open_timeout = 123
     @http.read_timeout = 321
@@ -1373,6 +1381,18 @@ def test_ssl_disable_verify_hostname
     assert c.verify_hostname == false
   end
 
+  def test_ssl_extra_chain_cert
+    skip 'OpenSSL is missing' unless HAVE_OPENSSL
+    skip 'extra_chain_cert is not supported by Net::HTTP' unless Net::HTTP.method_defined?(:extra_chain_cert)
+
+    @http.extra_chain_cert = :extra_chain_cert
+    c = Net::HTTP.new 'localhost', 80
+
+    @http.ssl c
+
+    assert c.use_ssl?
+    assert_equal :extra_chain_cert, c.extra_chain_cert
+  end
 
   def test_ssl_warning
     skip 'OpenSSL is missing' unless HAVE_OPENSSL