diff options
author | usa <usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2014-10-23 09:59:40 +0000 |
---|---|---|
committer | usa <usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2014-10-23 09:59:40 +0000 |
commit | 4a5d839ceb4f08aff4843abc6b369b12a97e02e7 (patch) | |
tree | ea8c0f024684e246407add8187e5af5645a3a508 | |
parent | 28f249a75bb6d6d15ba3ad558af6a5d9d4c650d0 (diff) |
merge revision(s) 45274,45278,45280,48097: [Backport #9424]
* lib/openssl/ssl.rb: Explicitly whitelist the default
SSL/TLS ciphers. Forbid SSLv2 and SSLv3, disable
compression by default.
Reported by Jeff Hodges.
[ruby-core:59829] [Bug #9424]
* test/openssl/test_ssl.rb: Reuse TLS default options from
OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.
* ext/openssl/lib/openssl/ssl.rb (DEFAULT_PARAMS): override
options even if OpenSSL::SSL::OP_NO_SSLv3 is not defined.
this is pointed out by Stephen Touset. [ruby-core:65711] [Bug #9424]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_0_0@48110 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
-rw-r--r-- | ChangeLog | 19 | ||||
-rw-r--r-- | ext/openssl/lib/openssl/ssl.rb | 47 | ||||
-rw-r--r-- | test/openssl/test_ssl.rb | 6 | ||||
-rw-r--r-- | version.h | 6 |
4 files changed, 66 insertions, 12 deletions
@@ -1,3 +1,22 @@ +Thu Oct 23 18:56:55 2014 CHIKANAGA Tomoyuki <nagachika@ruby-lang.org> + + * ext/openssl/lib/openssl/ssl.rb (DEFAULT_PARAMS): override + options even if OpenSSL::SSL::OP_NO_SSLv3 is not defined. + this is pointed out by Stephen Touset. [ruby-core:65711] [Bug #9424] + +Thu Oct 23 18:56:55 2014 Martin Bosslet <Martin.Bosslet@gmail.com> + + * test/openssl/test_ssl.rb: Reuse TLS default options from + OpenSSL::SSL::SSLContext::DEFAULT_PARAMS. + +Thu Oct 23 18:56:55 2014 Martin Bosslet <Martin.Bosslet@gmail.com> + + * lib/openssl/ssl.rb: Explicitly whitelist the default + SSL/TLS ciphers. Forbid SSLv2 and SSLv3, disable + compression by default. + Reported by Jeff Hodges. + [ruby-core:59829] [Bug #9424] + Mon Oct 20 14:41:45 2014 Kazuki Tsujimoto <kazuki@callcc.net> * vm_core.h, vm.c, proc.c: fix GC mark miss on bindings. diff --git a/ext/openssl/lib/openssl/ssl.rb b/ext/openssl/lib/openssl/ssl.rb index 5e6a0063cc..495741b391 100644 --- a/ext/openssl/lib/openssl/ssl.rb +++ b/ext/openssl/lib/openssl/ssl.rb @@ -23,10 +23,49 @@ module OpenSSL DEFAULT_PARAMS = { :ssl_version => "SSLv23", :verify_mode => OpenSSL::SSL::VERIFY_PEER, - :ciphers => "ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW", - :options => defined?(OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS) ? - OpenSSL::SSL::OP_ALL & ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS : - OpenSSL::SSL::OP_ALL, + :ciphers => %w{ + ECDHE-ECDSA-AES128-GCM-SHA256 + ECDHE-RSA-AES128-GCM-SHA256 + ECDHE-ECDSA-AES256-GCM-SHA384 + ECDHE-RSA-AES256-GCM-SHA384 + DHE-RSA-AES128-GCM-SHA256 + DHE-DSS-AES128-GCM-SHA256 + DHE-RSA-AES256-GCM-SHA384 + DHE-DSS-AES256-GCM-SHA384 + ECDHE-ECDSA-AES128-SHA256 + ECDHE-RSA-AES128-SHA256 + ECDHE-ECDSA-AES128-SHA + ECDHE-RSA-AES128-SHA + ECDHE-ECDSA-AES256-SHA384 + ECDHE-RSA-AES256-SHA384 + ECDHE-ECDSA-AES256-SHA + ECDHE-RSA-AES256-SHA + DHE-RSA-AES128-SHA256 + DHE-RSA-AES256-SHA256 + DHE-RSA-AES128-SHA + DHE-RSA-AES256-SHA + DHE-DSS-AES128-SHA256 + DHE-DSS-AES256-SHA256 + DHE-DSS-AES128-SHA + DHE-DSS-AES256-SHA + AES128-GCM-SHA256 + AES256-GCM-SHA384 + AES128-SHA256 + AES256-SHA256 + AES128-SHA + AES256-SHA + ECDHE-ECDSA-RC4-SHA + ECDHE-RSA-RC4-SHA + RC4-SHA + }.join(":"), + :options => -> { + opts = OpenSSL::SSL::OP_ALL + opts &= ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS if defined?(OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS) + opts |= OpenSSL::SSL::OP_NO_COMPRESSION if defined?(OpenSSL::SSL::OP_NO_COMPRESSION) + opts |= OpenSSL::SSL::OP_NO_SSLv2 if defined?(OpenSSL::SSL::OP_NO_SSLv2) + opts |= OpenSSL::SSL::OP_NO_SSLv3 if defined?(OpenSSL::SSL::OP_NO_SSLv3) + opts + }.call } DEFAULT_CERT_STORE = OpenSSL::X509::Store.new diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb index 64efa8dd33..56095339c7 100644 --- a/test/openssl/test_ssl.rb +++ b/test/openssl/test_ssl.rb @@ -4,10 +4,6 @@ if defined?(OpenSSL) class OpenSSL::TestSSL < OpenSSL::SSLTestCase - TLS_DEFAULT_OPS = defined?(OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS) ? - OpenSSL::SSL::OP_ALL & ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS : - OpenSSL::SSL::OP_ALL - def test_ctx_setup ctx = OpenSSL::SSL::SSLContext.new assert_equal(ctx.setup, true) @@ -262,7 +258,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase ctx = OpenSSL::SSL::SSLContext.new ctx.set_params assert_equal(OpenSSL::SSL::VERIFY_PEER, ctx.verify_mode) - assert_equal(TLS_DEFAULT_OPS, ctx.options) + assert_equal(OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:options], ctx.options) ciphers = ctx.ciphers ciphers_versions = ciphers.collect{|_, v, _, _| v } ciphers_names = ciphers.collect{|v, _, _, _| v } @@ -1,10 +1,10 @@ #define RUBY_VERSION "2.0.0" -#define RUBY_RELEASE_DATE "2014-10-20" -#define RUBY_PATCHLEVEL 591 +#define RUBY_RELEASE_DATE "2014-10-23" +#define RUBY_PATCHLEVEL 592 #define RUBY_RELEASE_YEAR 2014 #define RUBY_RELEASE_MONTH 10 -#define RUBY_RELEASE_DAY 20 +#define RUBY_RELEASE_DAY 23 #include "ruby/version.h" |