diff options
| author | nahi <nahi@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2012-02-08 05:27:14 +0000 |
|---|---|---|
| committer | nahi <nahi@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2012-02-08 05:27:14 +0000 |
| commit | 3ff2f9f3a32fbd87caab29f7fe163c63ab50e305 (patch) | |
| tree | ee61ccfb83b5c9f6a91b89b10fba6389b15c0866 /test | |
| parent | 45706e70c9e5bfefc3921c6fc406aabe83c19768 (diff) | |
* ext/openssl/ossl_ssl.c: Add SSL constants and allow to unset SSL
option to prevent BEAST attack. See [Bug #5353].
In OpenSSL, OP_DONT_INSERT_EMPTY_FRAGMENTS is used to prevent
TLS-CBC-IV vulunerability described at
http://www.openssl.org/~bodo/tls-cbc.txt
It's known issue of TLSv1/SSLv3 but it attracts lots of attention
these days as BEAST attack. (CVE-2011-3389)
Until now ossl sets OP_ALL at SSLContext allocation and call
SSL_CTX_set_options at connection. SSL_CTX_set_options updates the
value by using |= so bits set by OP_ALL cannot be unset afterwards.
This commit changes to call SSL_CTX_set_options only 1 time for each
SSLContext. It sets the specified value if SSLContext#options= are
called and sets OP_ALL if not.
To help users to unset bits in OP_ALL, this commit also adds several
constant to SSL such as
OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS. These constants were
not exposed in Ruby because there's no way to unset bits in OP_ALL
before.
Following is an example to enable 0/n split for BEAST prevention.
ctx.options = OP_ALL & ~OP_DONT_INSERT_EMPTY_FRAGMENTS
* test/openssl/test_ssl.rb: Test above option exists.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@34482 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'test')
| -rw-r--r-- | test/openssl/test_ssl.rb | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb index 39d9b5e126..033d1e8be5 100644 --- a/test/openssl/test_ssl.rb +++ b/test/openssl/test_ssl.rb @@ -422,6 +422,21 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase } } end + + def test_unset_OP_ALL + ctx_proc = Proc.new { |ctx| + ctx.options = OpenSSL::SSL::OP_ALL & ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS + } + start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true, :ctx_proc => ctx_proc){|server, port| + sock = TCPSocket.new("127.0.0.1", port) + ssl = OpenSSL::SSL::SSLSocket.new(sock) + ssl.sync_close = true + ssl.connect + ssl.puts('hello') + assert_equal("hello\n", ssl.gets) + ssl.close + } + end end end |