author | nahi <nahi@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2012-02-08 06:09:40 +0000 |
---|---|---|
committer | nahi <nahi@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2012-02-08 06:09:40 +0000 |
commit | 2cb7a6c0569cf2f1da791f21f6af4ff9bfcb97ac (patch) | |
tree | 1467ad0000a906cad6bc131eb81263519ffd5478 /ChangeLog | |
parent | e19bd3eaa8bd71cfc9e5bf436527f015b093f31e (diff) |
Backport r34482 from trunk. See #5353
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_8_7@34486 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'ChangeLog')
-rw-r--r-- | ChangeLog | 31 |
1 files changed, 31 insertions, 0 deletions
@@ -1,3 +1,34 @@ +Wed Feb 8 14:06:59 2012 Hiroshi Nakamura <nahi@ruby-lang.org> + + * ext/openssl/ossl_ssl.c: Add SSL constants and allow to unset SSL + option to prevent BEAST attack. See [Bug #5353]. + + In OpenSSL, OP_DONT_INSERT_EMPTY_FRAGMENTS is used to prevent + TLS-CBC-IV vulunerability described at + http://www.openssl.org/~bodo/tls-cbc.txt + It's known issue of TLSv1/SSLv3 but it attracts lots of attention + these days as BEAST attack. (CVE-2011-3389) + + Until now ossl sets OP_ALL at SSLContext allocation and call + SSL_CTX_set_options at connection. SSL_CTX_set_options updates the + value by using |= so bits set by OP_ALL cannot be unset afterwards. + + This commit changes to call SSL_CTX_set_options only 1 time for each + SSLContext. It sets the specified value if SSLContext#options= are + called and sets OP_ALL if not. + + To help users to unset bits in OP_ALL, this commit also adds several + constant to SSL such as + OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS. These constants were + not exposed in Ruby because there's no way to unset bits in OP_ALL + before. + + Following is an example to enable 0/n split for BEAST prevention. + + ctx.options = OP_ALL & ~OP_DONT_INSERT_EMPTY_FRAGMENTS + + * test/openssl/test_ssl.rb: Test above option exists. + Wed Dec 28 21:34:23 2011 URABE Shyouhei <shyouhei@ruby-lang.org> * string.c (rb_str_hash): randomize hash to avoid algorithmic |
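Review bot: the usage example in the new ChangeLog entry, `ctx.options = OP_ALL & ~OP_DONT_INSERT_EMPTY_FRAGMENTS`, references the constants without their namespace; unless the caller has done `include OpenSSL::SSL`, this raises NameError, so the entry should show the fully qualified form `ctx.options = OpenSSL::SSL::OP_ALL & ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS`. Since the entry also states that SSL_CTX_set_options is now called only once per SSLContext, it should say explicitly that `SSLContext#options=` must be assigned before the context is first used for a connection, otherwise the OP_ALL default is already applied and the assignment has no effect on that context. Minor: "vulunerability" should be "vulnerability", and "if SSLContext#options= are called" should read "if SSLContext#options= is called".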