author | nagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2015-08-12 15:16:42 +0000 |
committer | nagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2015-08-12 15:16:42 +0000 |
commit | 04a567fb4bb650b2b5c94851db6b59bd460e7da1 (patch) | |
tree | 07a27025bbd17c51fa856b5d07d76a9983a0f765 | |
parent | 6cf3dc3145a48ce1ddc0e5265c4d16ce61ce9cb4 (diff) |
merge revision(s) 51409,51453: [Backport #10910]
* ext/openssl/lib/openssl/ssl.rb (module OpenSSL): raise a more
helpful exception when verifying the peer connection and an
anonymous cipher has been selected. [ruby-core:68330] [Bug #10910]
Thanks to Chris Sinjakli <chris@sinjakli.co.uk> for the patch.
* test/openssl/test_ssl.rb (class OpenSSL): test for change
* .travis.yml: update libssl before running tests.
Thanks to Chris Sinjakli <chris@sinjakli.co.uk> for figuring out the
travis settings!
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_2@51554 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
-rw-r--r-- | .travis.yml | 2 | ||||
-rw-r--r-- | ChangeLog | 15 | ||||
-rw-r--r-- | ext/openssl/lib/openssl/ssl.rb | 16 | ||||
-rw-r--r-- | test/openssl/test_ssl.rb | 14 | ||||
-rw-r--r-- | test/openssl/utils.rb | 2 | ||||
-rw-r--r-- | version.h | 6 |
6 files changed, 52 insertions, 3 deletions
diff --git a/.travis.yml b/.travis.yml
index 4550563a02..ccd4d3884c 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -35,6 +35,8 @@ os:
 # far since the 1.9.1 release.
 before_install:
 - "if [[ $TRAVIS_OS_NAME = 'linux' ]]; then sudo apt-get -qq update; fi"
+ # Travis ships an outdated, broken version of libssl by default
+ - "if [[ $TRAVIS_OS_NAME = 'linux' ]]; then sudo apt-get -qq --only-upgrade install '^libssl.*'; fi"
 - "if [[ $TRAVIS_OS_NAME = 'linux' ]]; then sudo apt-get -qq install $CC; fi" # upgrade if any
 - "if [[ $TRAVIS_OS_NAME = 'linux' ]]; then JOBS='-j'; fi"
 - "if [[ $TRAVIS_OS_NAME = 'osx' ]]; then brew install autoconf openssl; fi"
@@ -1,3 +1,18 @@
+Thu Aug 13 00:03:24 2015 Aaron Patterson <tenderlove@ruby-lang.org>
+
+ * .travis.yml: update libssl before running tests.
+ Thanks to Chris Sinjakli <chris@sinjakli.co.uk> for figuring out the
+ travis settings!
+
+Thu Aug 13 00:03:24 2015 Aaron Patterson <tenderlove@ruby-lang.org>
+
+ * ext/openssl/lib/openssl/ssl.rb (module OpenSSL): raise a more
+ helpful exception when verifying the peer connection and an
+ anonymous cipher has been selected. [ruby-core:68330] [Bug #10910]
+ Thanks to Chris Sinjakli <chris@sinjakli.co.uk> for the patch.
+
+ * test/openssl/test_ssl.rb (class OpenSSL): test for change
+
 Wed Aug 12 23:57:01 2015 NARUSE, Yui <naruse@ruby-lang.org>
 
 * ext/date/extconf.rb: try_cflags("-std=iso9899:1999") [Bug #10906]
diff --git a/ext/openssl/lib/openssl/ssl.rb b/ext/openssl/lib/openssl/ssl.rb
index caf0b9ae44..f9e561ae0d 100644
--- a/ext/openssl/lib/openssl/ssl.rb
+++ b/ext/openssl/lib/openssl/ssl.rb
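Review bot: The new `# Travis ships an outdated, broken version of libssl by default` comment says the stock libssl is broken but not what this build needs from a newer one, so a later CI cleanup has nothing telling it the line matters; if, as the rest of the commit suggests, the reason is the anonymous-cipher test that negotiates ADH-AES256-GCM-SHA384, say so: `# upgrade libssl: the anonymous-cipher openssl test (ADH-AES256-GCM-SHA384) needs a newer build than Travis ships`. The upgrade is unpinned, so what lands depends on the package mirror at run time; logging `- "if [[ $TRAVIS_OS_NAME = 'linux' ]]; then openssl version; fi"` right after it makes a failing run diagnosable from the log. The `before_install:` list continues past the end of the hunk.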
@@ -228,6 +228,14 @@ module OpenSSL
 # This method MUST be called after calling #connect to ensure that the
 # hostname of a remote peer has been verified.
 def post_connection_check(hostname)
+ if peer_cert.nil?
+ msg = "Peer verification enabled, but no certificate received."
+ if using_anon_cipher?
+ msg += " Anonymous cipher suite #{cipher[0]} was negotiated. Anonymous suites must be disabled to use peer verification."
+ end
+ raise SSLError, msg
+ end
+
 unless OpenSSL::SSL.verify_certificate_identity(peer_cert, hostname)
 raise SSLError, "hostname \"#{hostname}\" does not match the server certificate"
 end
@@ -239,6 +247,14 @@ module OpenSSL
 rescue SSL::Session::SessionError
 nil
 end
+
+ private
+
+ def using_anon_cipher?
+ ctx = OpenSSL::SSL::SSLContext.new
+ ctx.ciphers = "aNULL"
+ ctx.ciphers.include?(cipher)
+ end
 end
 
 ##
diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb
index f107c0ee39..8aa18e57fd 100644
--- a/test/openssl/test_ssl.rb
+++ b/test/openssl/test_ssl.rb
@@ -351,6 +351,20 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
 }
 end
 
+ def test_post_connect_check_with_anon_ciphers
+ sslerr = OpenSSL::SSL::SSLError
+
+ start_server(OpenSSL::SSL::VERIFY_NONE, true, {use_anon_cipher: true}){|server, port|
+ ctx = OpenSSL::SSL::SSLContext.new
+ ctx.ciphers = "aNULL"
+ server_connect(port, ctx) { |ssl|
+ msg = "Peer verification enabled, but no certificate received. Anonymous cipher suite " \
+ "ADH-AES256-GCM-SHA384 was negotiated. Anonymous suites must be disabled to use peer verification."
+ assert_raise_with_message(sslerr,msg){ssl.post_connection_check("localhost.localdomain")}
+ }
+ }
+ end
+
 def test_post_connection_check
 sslerr = OpenSSL::SSL::SSLError
 
diff --git a/test/openssl/utils.rb b/test/openssl/utils.rb
index 1da3bcf979..bd936beed7 100644
--- a/test/openssl/utils.rb
+++ b/test/openssl/utils.rb
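Review bot: `using_anon_cipher?` in the second hunk carries no comment, and nothing tells a reader why a throwaway SSLContext is built or what `"aNULL"` selects; add above the `def`: `# aNULL is OpenSSL's alias for suites with no authentication (anonymous key exchange); a negotiated cipher in that list is why no peer certificate arrived.` In the first hunk `peer_cert` is read twice, once for the nil check and again in the verify_certificate_identity call; `cert = peer_cert` at the top, then `if cert.nil?` and `verify_certificate_identity(cert, hostname)`, fetches it once and makes both checks look at the same object. The comment above `post_connection_check` still describes only the hostname check, so extend it with the new contract: an SSLError is raised when no peer certificate was received, naming the negotiated suite when it is anonymous. The bare `private` at the end of the second hunk also covers anything defined later in the class body, which as far as the hunk shows is nothing; `private def using_anon_cipher?` would pin the visibility to the one method. The class enclosing post_connection_check begins before the first hunk.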
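Review bot: The new test is named `test_post_connect_check_with_anon_ciphers` while the method under test and the neighbouring test are `post_connection_check` and `test_post_connection_check`; rename it `test_post_connection_check_with_anon_ciphers` so a search for the method name finds it. The expected message hard-codes `ADH-AES256-GCM-SHA384`, which is only correct because test/openssl/utils.rb sets exactly that suite on the server in this same commit, so a later change to the helper's cipher breaks this test without touching it; building the expected text from `ssl.cipher[0]` inside the server_connect block ties the assertion to what was actually negotiated. `assert_raise_with_message(sslerr,msg){...}` is also missing the space after the comma that the `start_server(...)` call two lines above uses.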
@@ -270,12 +270,14 @@ AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC
 ctx_proc = args[:ctx_proc]
 server_proc = args[:server_proc]
 ignore_listener_error = args.fetch(:ignore_listener_error, false)
+ use_anon_cipher = args.fetch(:use_anon_cipher, false)
 server_proc ||= method(:readwrite_loop)
 
 store = OpenSSL::X509::Store.new
 store.add_cert(@ca_cert)
 store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
 ctx = OpenSSL::SSL::SSLContext.new
+ ctx.ciphers = "ADH-AES256-GCM-SHA384" if use_anon_cipher
 ctx.cert_store = store
 #ctx.extra_chain_cert = [ ca_cert ]
 ctx.cert = @svr_cert
@@ -1,10 +1,10 @@
 #define RUBY_VERSION "2.2.3"
-#define RUBY_RELEASE_DATE "2015-08-12"
-#define RUBY_PATCHLEVEL 160
+#define RUBY_RELEASE_DATE "2015-08-13"
+#define RUBY_PATCHLEVEL 161
 
 #define RUBY_RELEASE_YEAR 2015
 #define RUBY_RELEASE_MONTH 8
-#define RUBY_RELEASE_DAY 12
+#define RUBY_RELEASE_DAY 13
 
 #include "ruby/version.h"
 
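Review bot: `ctx.ciphers = "ADH-AES256-GCM-SHA384" if use_anon_cipher` pins one specific suite with no comment on why that one or what it implies; add above it `# ADH = anonymous DH key exchange: the server sends no certificate, so clients exercise the no-peer-cert path of post_connection_check`. The suite name is also repeated verbatim in the expected message of test_post_connect_check_with_anon_ciphers in test/openssl/test_ssl.rb, so the two should share a constant or the test should read the negotiated name from the socket rather than duplicate it. I believe `ciphers=` raises when the string matches nothing in the linked OpenSSL, which would make every server started with this flag fail on a build without that suite; that is presumably why .travis.yml upgrades libssl in the same commit, and is worth a word in the comment. start_server begins before the hunk and continues after it.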