[test] peer_cert_chain server-side behavior difference

kares · claude · kares · commit 9640a938c6dd · 2026-03-22T19:29:41.000+01:00
OpenSSL's SSL_get_peer_cert_chain excludes the peer's leaf cert on
the server side (available via peer_cert).

JSSE's getPeerCertificates always includes it.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/src/test/ruby/ssl/test_ssl.rb b/src/test/ruby/ssl/test_ssl.rb
@@ -390,6 +390,64 @@ def test_extra_chain_cert_sends_leaf
     end
   end
 
+  # SSL_get_peer_cert_chain behavior differs between C OpenSSL and JSSE:
+  #   C OpenSSL server-side: excludes the peer's leaf cert (use peer_cert for that)
+  #   C OpenSSL client-side: includes the server's leaf cert
+  #   JSSE (both sides):     always includes the leaf cert
+  # This test documents the difference; both are valid TLS implementations.
+  def test_peer_cert_chain_server_side
+    now = Time.now
+    int_key = OpenSSL::PKey::RSA.new(2048)
+    int_cert = issue_cert(
+      OpenSSL::X509::Name.parse("/CN=Intermediate"), int_key, 10,
+      [["basicConstraints","CA:TRUE",true],["keyUsage","cRLSign,keyCertSign",true]],
+      @ca_cert, @ca_key, not_before: now, not_after: now + 3600)
+    leaf_key = OpenSSL::PKey::RSA.new(2048)
+    leaf_cert = issue_cert(
+      OpenSSL::X509::Name.parse("/CN=Leaf"), leaf_key, 11,
+      [["keyUsage","keyEncipherment,digitalSignature",true]],
+      int_cert, int_key, not_before: now, not_after: now + 1800)
+
+    server_peer_cert = nil
+    server_peer_chain = nil
+
+    ctx_proc = Proc.new do |ctx|
+      ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
+      ctx.cert_store = OpenSSL::X509::Store.new
+      ctx.cert_store.add_cert(@ca_cert)
+    end
+
+    server_proc = Proc.new do |sctx, ssl|
+      server_peer_cert = ssl.peer_cert
+      server_peer_chain = ssl.peer_cert_chain
+      readwrite_loop(sctx, ssl)
+    end
+
+    start_server(OpenSSL::SSL::VERIFY_NONE, true,
+                 ctx_proc: ctx_proc, server_proc: server_proc) do |server, port|
+      cctx = OpenSSL::SSL::SSLContext.new
+      cctx.cert = leaf_cert
+      cctx.key = leaf_key
+      cctx.extra_chain_cert = [int_cert]
+      cctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
+      server_connect(port, cctx) do |ssl|
+        ssl.puts "hello"; ssl.gets
+      end
+    end
+
+    # Both: peer_cert is the leaf
+    assert_equal "/CN=Leaf", server_peer_cert.subject.to_s
+
+    chain_subjects = server_peer_chain.map { |c| c.subject.to_s }
+    if defined?(JRUBY_VERSION)
+      # JSSE's getPeerCertificates always includes the leaf
+      assert_equal ["/CN=Leaf", "/CN=Intermediate"], chain_subjects
+    else
+      # C OpenSSL's SSL_get_peer_cert_chain on server side excludes the leaf
+      assert_equal ["/CN=Intermediate"], chain_subjects
+    end
+  end
+
   def test_post_connect_check_with_anon_ciphers
     unless OpenSSL::ExtConfig::TLS_DH_anon_WITH_AES_256_GCM_SHA384
       return skip('OpenSSL::ExtConfig::TLS_DH_anon_WITH_AES_256_GCM_SHA384 not enabled')
