Ssl rspec SNI test

spec_helpers.rb

require 'openssl'
require 'socket'

def ssl_peek(host)
  ip = ENV['TIP_HOST'] || '0.0.0.0'
  port = ENV['TIP_PORT'] || '8121'
  tcp_client = TCPSocket.new(ip, port)
  ssl_client = OpenSSL::SSL::SSLSocket.new(tcp_client)
  ssl_client.hostname = host
  ssl_client.connect
  cert = OpenSSL::X509::Certificate.new(ssl_client.peer_cert)
  ssl_client.sysclose
  tcp_client.close

  cert
end

def cert_value(cert, kind, key)
  values = cert.send(kind).to_a.select do |k, _, _|
    k.to_s == key.to_s
  end
  values.first ? values.first[1] : ''
end

def expect_subject(cert, field, value)
  expect(cert_value(cert, :subject, field)).to eq(value)
end

ssl_spec.rb

describe 'Ssl' do
  
  it "serves foo wildcard for test.foo.com" do
    cert = ssl_peek('test.foo.com')
    expect_subject(cert,'CN','*.foo.com')
  end
  
  it "serves bar wildcard for test.bar.com" do
    cert = ssl_peek('test.bar.com')
    expect_subject(cert,'CN','*.bar.com')
  end
  
end

Credit to https://gist.github.com/matiaskorhonen/81b87ede6af1704c67b8 on how to write ssl_peek with SNI support in Ruby
and https://sourcegraph.com/github.com/otahi/rspec-ssltls/-/blob/lib/rspec_ssltls/have_certificate.rb#L102

rspec_ssltls did not allow me to specify the server name ip / port separately from the server_name we wish to send (think curl --resolve flag)

(or I didn't figure out how to do it) - if your hostname and ip/port are resolved properly (you may use /etc/hosts or dnsmasq to force this) - then it is much easier to use the existing library:

require 'rspec_ssltls'

describe 'Cert' do
  it "Serves host-1 certificate for host-1" do
    expect("0.0.0.0:8121").to have_certificate.subject(CN: 'host-1')
  end
end