Revert "api: support ssl_verify_client option"

This reverts commit f894779.

Author: themilchenko

CHANGELOG.md

@@ -8,8 +8,6 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## Added
 
-- `ssl_verify_client` option (#207).
-
 ## Changed
 
 ## Fixed

README.md

@@ -158,10 +158,6 @@ httpd = require('http.server').new(host, port[, { options } ])
     * `ssl_ciphers` is a colon-separated list of SSL ciphers, optional;
     * `ssl_password` is a password for decrypting SSL private key, optional;
     * `ssl_password_file` is a SSL file with key for decrypting SSL private key, optional.
-    * `ssl_verify_client` is an option that allows to verify client. It has following values:
-        * `off` (default) means that no client's certs will be verified;
-        * `on` means that server will verify client's certs;
-        * `optional` means that server will verify client's certs only if it exist.
 
 ## Using routes
 

http/server.lua

@@ -1296,12 +1296,6 @@ local function url_for_httpd(httpd, name, args, query)
     end
 end
 
-local VERIFY_CLIENT_OPTS = {
-    off = sslsocket.SET_VERIFY_FLAGS.SSL_VERIFY_NONE,
-    optional = sslsocket.SET_VERIFY_FLAGS.SSL_VERIFY_PEER,
-    on = bit.bor(sslsocket.SET_VERIFY_FLAGS.SSL_VERIFY_PEER, sslsocket.SET_VERIFY_FLAGS.SSL_VERIFY_FAIL_IF_NO_PEER),
-}
-
 local function create_ssl_ctx(host, port, opts)
     local ok, ctx = pcall(sslsocket.ctx, sslsocket.tls_server_method())
     if ok ~= true then
@@ -1334,11 +1328,7 @@ local function create_ssl_ctx(host, port, opts)
             )
         end
 
-        local set_verify_flag = (
-            opts.ssl_verify_client and VERIFY_CLIENT_OPTS[opts.ssl_verify_client] or
-            VERIFY_CLIENT_OPTS.off
-        )
-        sslsocket.ctx_set_verify(ctx, set_verify_flag)
+        sslsocket.ctx_set_verify(ctx, 0x00)
     end
 
     if opts.ssl_ciphers ~= nil then
@@ -1393,12 +1383,6 @@ local function validate_ssl_opts(opts)
                 errorf("%s option must be a string", key)
             end
 
-            if key == 'ssl_verify_client' then
-                if VERIFY_CLIENT_OPTS[value] == nil then
-                    errorf('%q option not exists. Available options: "on", "off", "optional"', value)
-                end
-            end
-
             if string.find(key, 'file') ~= nil and fio.path.exists(value) ~= true then
                 errorf("file %q not exists", value)
             end
@@ -1445,7 +1429,6 @@ local exports = {
             ssl_password_file = options.ssl_password_file,
             ssl_ca_file = options.ssl_ca_file,
             ssl_ciphers = options.ssl_ciphers,
-            ssl_verify_client = options.ssl_verify_client,
         })
 
         local default = {
@@ -1516,7 +1499,6 @@ local exports = {
                     ssl_password_file = self.options.ssl_password_file,
                     ssl_ca_file = self.options.ssl_ca_file,
                     ssl_ciphers = self.options.ssl_ciphers,
-                    ssl_verify_client = self.options.ssl_verify_client,
                 })
                 return sslsocket.tcp_server(host, port, handler, timeout, ssl_ctx)
             end

http/sslsocket.lua

@@ -56,12 +56,6 @@ pcall(ffi.cdef, [[
                  const void *needle, size_t needlelen);
 ]])
 
-local SET_VERIFY_FLAGS = {
-    SSL_VERIFY_NONE = 0x00,
-    SSL_VERIFY_PEER = 0x01,
-    SSL_VERIFY_FAIL_IF_NO_PEER = 0x02,
-}
-
 local function slice_wait(timeout, starttime)
     if timeout == nil then
         return nil
@@ -458,8 +452,6 @@ local function tcp_server(host, port, handler, timeout, sslctx)
 end
 
 return {
-    SET_VERIFY_FLAGS = SET_VERIFY_FLAGS,
-
     tls_server_method = tls_server_method,
 
     ctx = ctx,

test/helpers.lua

@@ -12,16 +12,6 @@ helpers.base_host = '127.0.0.1'
 helpers.base_uri = ('http://%s:%s'):format(helpers.base_host, helpers.base_port)
 helpers.tls_uri = ('https://%s:%s'):format('localhost', helpers.base_port)
 
-local is_tarantool1 = luatest_utils.version_ge(
-    luatest_utils.get_tarantool_version(),
-    luatest_utils.version(1, 0, 0)
-)
-
-helpers.CONNECTION_REFUSED_ERR_MSG = "Failure when receiving data from the peer: Connection refused"
-if is_tarantool1 then
-    helpers.CONNECTION_REFUSED_ERR_MSG = "Failure when receiving data from the peer"
-end
-
 helpers.get_testdir_path = function()
     local path = os.getenv('LUA_SOURCE_DIR') or './'
     return fio.pathjoin(path, 'test')

test/integration/http_tls_enabled_test.lua

@@ -145,73 +145,6 @@ local client_test_cases = {
         },
         expected_err_msg = "curl: Problem with the local SSL certificate",
     },
-    test_verify_client_optional_with_certs_valid = {
-        ssl_opts = {
-            ssl_verify_client = 'optional',
-            ssl_key_file = fio.pathjoin(ssl_data_dir, 'server.key'),
-            ssl_cert_file = fio.pathjoin(ssl_data_dir, 'server.crt'),
-            ssl_ca_file = fio.pathjoin(ssl_data_dir, 'ca.crt'),
-        },
-        request_opts = {
-            ssl_cert = fio.pathjoin(ssl_data_dir, 'client.crt'),
-            ssl_key = fio.pathjoin(ssl_data_dir, 'client.key'),
-        },
-    },
-    test_verify_client_optional_with_certs_invalid = {
-        ssl_opts = {
-            ssl_verify_client = 'optional',
-            ssl_key_file = fio.pathjoin(ssl_data_dir, 'server.key'),
-            ssl_cert_file = fio.pathjoin(ssl_data_dir, 'server.crt'),
-            ssl_ca_file = fio.pathjoin(ssl_data_dir, 'ca.crt'),
-        },
-        request_opts = {
-            ssl_cert = fio.pathjoin(ssl_data_dir, 'bad_client.crt'),
-            ssl_key = fio.pathjoin(ssl_data_dir, 'bad_client.key'),
-        },
-        expected_err_msg = helpers.CONNECTION_REFUSED_ERR_MSG,
-    },
-    test_verify_client_optional_withouts_certs = {
-        ssl_opts = {
-            ssl_verify_client = 'optional',
-            ssl_key_file = fio.pathjoin(ssl_data_dir, 'server.key'),
-            ssl_cert_file = fio.pathjoin(ssl_data_dir, 'server.crt'),
-            ssl_ca_file = fio.pathjoin(ssl_data_dir, 'ca.crt'),
-        },
-    },
-    test_verify_client_on_valid = {
-        ssl_opts = {
-            ssl_verify_client = 'on',
-            ssl_key_file = fio.pathjoin(ssl_data_dir, 'server.key'),
-            ssl_cert_file = fio.pathjoin(ssl_data_dir, 'server.crt'),
-            ssl_ca_file = fio.pathjoin(ssl_data_dir, 'ca.crt'),
-        },
-        request_opts = {
-            ssl_cert = fio.pathjoin(ssl_data_dir, 'client.crt'),
-            ssl_key = fio.pathjoin(ssl_data_dir, 'client.key'),
-        },
-    },
-    test_verify_client_on_invalid = {
-        ssl_opts = {
-            ssl_verify_client = 'on',
-            ssl_key_file = fio.pathjoin(ssl_data_dir, 'server.key'),
-            ssl_cert_file = fio.pathjoin(ssl_data_dir, 'server.crt'),
-            ssl_ca_file = fio.pathjoin(ssl_data_dir, 'ca.crt'),
-        },
-        request_opts = {
-            ssl_cert = fio.pathjoin(ssl_data_dir, 'bad_client.crt'),
-            ssl_key = fio.pathjoin(ssl_data_dir, 'bad_client.key'),
-        },
-        expected_err_msg = helpers.CONNECTION_REFUSED_ERR_MSG,
-    },
-    test_verify_client_on_certs_missing = {
-        ssl_opts = {
-            ssl_verify_client = 'on',
-            ssl_key_file = fio.pathjoin(ssl_data_dir, 'server.key'),
-            ssl_cert_file = fio.pathjoin(ssl_data_dir, 'server.crt'),
-            ssl_ca_file = fio.pathjoin(ssl_data_dir, 'ca.crt'),
-        },
-        expected_err_msg = helpers.CONNECTION_REFUSED_ERR_MSG,
-    },
 }
 
 for name, tc in pairs(client_test_cases) do

test/integration/http_tls_enabled_validate_test.lua

@@ -105,12 +105,6 @@ local test_cases = {
         },
         expected_err_msg = "ssl_ciphers option must be a string",
     },
-    ssl_verify_client_incorrect_value = {
-        opts = {
-            ssl_verify_client = "unknown",
-        },
-        expected_err_msg = '"unknown" option not exists. Available options: "on", "off", "optional"'
-    },
 }
 
 for name, case in pairs(test_cases) do