authorusa <usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2015-08-17 08:30:08 +0000
committerusa <usa@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2015-08-17 08:30:08 +0000
commitd3cd7b4813dcaf4022d8d70b8dd9f2bd17812d56 (patch)
tree6a5fd125518a2a0c223fa77ad7cca10373b22783
parentbd929bb48aa0daa237cbda73bef33c0c6adc75fd (diff)
merge revision(s) 51409,51453: [Backport #10910]
* ext/openssl/lib/openssl/ssl.rb (module OpenSSL): raise a more helpful exception when verifying the peer connection and an anonymous cipher has been selected. [ruby-core:68330] [Bug #10910] Thanks to Chris Sinjakli <chris@sinjakli.co.uk> for the patch. * test/openssl/test_ssl.rb (class OpenSSL): test for change * .travis.yml: update libssl before running tests. Thanks to Chris Sinjakli <chris@sinjakli.co.uk> for figuring out the travis settings! git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_1@51608 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
-rw-r--r--.travis.yml2
-rw-r--r--ChangeLog15
-rw-r--r--ext/openssl/lib/openssl/ssl.rb16
-rw-r--r--test/openssl/test_ssl.rb14
-rw-r--r--test/openssl/utils.rb2
-rw-r--r--version.h2
6 files changed, 50 insertions, 1 deletions
diff --git a/.travis.yml b/.travis.yml
index 8db00587d6..ddf394779e 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -31,6 +31,8 @@ compiler:
# far since the 1.9.1 release.
before_install:
- "sudo apt-get -qq update"
+ # Travis ships an outdated, broken version of libssl by default
+ - "sudo apt-get -qq --only-upgrade install '^libssl.*'"
- "sudo apt-get -qq install $CC" # upgrade if any
install: "sudo apt-get -qq build-dep ruby1.9.1 2>/dev/null"
diff --git a/ChangeLog b/ChangeLog
index 45746c2e86..2579992bfe 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,18 @@
+Mon Aug 17 17:16:22 2015 Aaron Patterson <tenderlove@ruby-lang.org>
+
+ * .travis.yml: update libssl before running tests.
+ Thanks to Chris Sinjakli <chris@sinjakli.co.uk> for figuring out the
+ travis settings!
+
+Mon Aug 17 17:16:22 2015 Aaron Patterson <tenderlove@ruby-lang.org>
+
+ * ext/openssl/lib/openssl/ssl.rb (module OpenSSL): raise a more
+ helpful exception when verifying the peer connection and an
+ anonymous cipher has been selected. [ruby-core:68330] [Bug #10910]
+ Thanks to Chris Sinjakli <chris@sinjakli.co.uk> for the patch.
+
+ * test/openssl/test_ssl.rb (class OpenSSL): test for change
+
Mon Aug 17 17:12:46 2015 NAKAMURA Usaku <usa@ruby-lang.org>
* win32/win32.c (waitpid): return immediately if interrupted.
diff --git a/ext/openssl/lib/openssl/ssl.rb b/ext/openssl/lib/openssl/ssl.rb
index b91dce312a..ec7a223bb2 100644
--- a/ext/openssl/lib/openssl/ssl.rb
+++ b/ext/openssl/lib/openssl/ssl.rb
@@ -228,6 +228,14 @@ module OpenSSL
# This method MUST be called after calling #connect to ensure that the
# hostname of a remote peer has been verified.
def post_connection_check(hostname)
+ if peer_cert.nil?
+ msg = "Peer verification enabled, but no certificate received."
+ if using_anon_cipher?
+ msg += " Anonymous cipher suite #{cipher[0]} was negotiated. Anonymous suites must be disabled to use peer verification."
+ end
+ raise SSLError, msg
+ end
+
unless OpenSSL::SSL.verify_certificate_identity(peer_cert, hostname)
raise SSLError, "hostname \"#{hostname}\" does not match the server certificate"
end
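Review bot: The new guard evaluates `peer_cert` for the nil check and then the existing `verify_certificate_identity` call evaluates it again; each call wraps a fresh X509 object, so capture it once, e.g. `cert = peer_cert`, `if cert.nil?`, and `unless OpenSSL::SSL.verify_certificate_identity(cert, hostname)`. The message "Peer verification enabled, but no certificate received." is also emitted regardless of the context's verify_mode, and the new test reaches it through a client context that never sets verify_mode, so the first clause over-claims; "No peer certificate received (required for post_connection_check)." would be accurate in both cases. The body of post_connection_check continues past the end of this hunk.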
@@ -239,6 +247,14 @@ module OpenSSL
rescue SSL::Session::SessionError
nil
end
+
+ private
+
+ def using_anon_cipher?
+ ctx = OpenSSL::SSL::SSLContext.new
+ ctx.ciphers = "aNULL"
+ ctx.ciphers.include?(cipher)
+ end
end
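Review bot: `ctx.ciphers = "aNULL"` in using_anon_cipher? raises SSLError when the cipher string matches no suite, which is the case on a libssl built without anonymous suites; that SSLError then escapes from post_connection_check in place of the intended "no certificate received" message. Rescuing it inside the helper keeps the diagnostic path intact: add `rescue SSLError` / `false # no anonymous suites available in this libssl` before the method's `end`. As a smaller point, the throw-away SSLContext is rebuilt on every call; the aNULL list could be computed once and memoised, since it depends only on the linked libssl.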
##
diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb
index bae3dcfc2f..aa61e385d5 100644
--- a/test/openssl/test_ssl.rb
+++ b/test/openssl/test_ssl.rb
@@ -284,6 +284,20 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
}
end
+ def test_post_connect_check_with_anon_ciphers
+ sslerr = OpenSSL::SSL::SSLError
+
+ start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true, {use_anon_cipher: true}){|server, port|
+ ctx = OpenSSL::SSL::SSLContext.new
+ ctx.ciphers = "aNULL"
+ server_connect(port, ctx) { |ssl|
+ msg = "Peer verification enabled, but no certificate received. Anonymous cipher suite " \
+ "ADH-AES256-GCM-SHA384 was negotiated. Anonymous suites must be disabled to use peer verification."
+ assert_raise_with_message(sslerr,msg){ssl.post_connection_check("localhost.localdomain")}
+ }
+ }
+ end
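Review bot: The expected message hard-codes the suite name "ADH-AES256-GCM-SHA384", which ties the assertion to whatever the linked libssl selects for "aNULL" — the reason the commit also has to upgrade libssl on Travis. The server side pins the suite in utils.rb, but a build lacking that suite would fail the handshake or negotiate a different one and the test would then fail on the message rather than on the behaviour under test. Building the expectation from the live connection, `"... Anonymous cipher suite #{ssl.cipher[0]} was negotiated. ..."`, keeps the assertion meaningful across libssl versions.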
+
def test_post_connection_check
sslerr = OpenSSL::SSL::SSLError
diff --git a/test/openssl/utils.rb b/test/openssl/utils.rb
index ba9714b3fc..da281610b6 100644
--- a/test/openssl/utils.rb
+++ b/test/openssl/utils.rb
@@ -259,6 +259,7 @@ AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC
def start_server(port0, verify_mode, start_immediately, args = {}, &block)
ctx_proc = args[:ctx_proc]
+ use_anon_cipher = args.fetch(:use_anon_cipher, false)
server_proc = args[:server_proc]
server_proc ||= method(:readwrite_loop)
@@ -266,6 +267,7 @@ AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC
store.add_cert(@ca_cert)
store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
ctx = OpenSSL::SSL::SSLContext.new
+ ctx.ciphers = "ADH-AES256-GCM-SHA384" if use_anon_cipher
ctx.cert_store = store
#ctx.extra_chain_cert = [ ca_cert ]
ctx.cert = @svr_cert
diff --git a/version.h b/version.h
index 3610f535f0..76851b44b9 100644
--- a/version.h
+++ b/version.h
@@ -1,6 +1,6 @@
#define RUBY_VERSION "2.1.7"
#define RUBY_RELEASE_DATE "2015-08-17"
-#define RUBY_PATCHLEVEL 390
+#define RUBY_PATCHLEVEL 391
#define RUBY_RELEASE_YEAR 2015
#define RUBY_RELEASE_MONTH 8