Age | Commit message (Collapse) | Author |
|
* ext/openssl/ossl_ssl.c (ossl_sslctx_setup): fix argument types
to suppress shorten-64-to-32 and shorten-64-to-32 warnings.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51351 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
OpenSSL [copies the string returned by the pointe](https://github.com/openssl/openssl/blob/9f040d6decca7930e978784c917f731e5c45e8f0/ssl/t1_lib.c#L1800-1809), so it should be safe to just return a pointer to the string object and not set an instance variable on the already frozen object.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51349 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* test/openssl/test_pair.rb: test for ECDH callback support
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51348 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/extconf.rb: detect ALPN support in OpenSSL
* test/openssl/test_ssl.rb: test for ALPN
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51347 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
Delay hash lookups until we are about to hit an exception. This
gives a minor speedup ratio of 2-3% in the new bm_io_nonblock_noex
benchmark as well as reducing code.
* benchmark/bm_io_nonblock_noex.rb: new benchmark
* ext/openssl/ossl_ssl.c (no_exception_p): new function
(ossl_start_ssl): adjust for no_exception_p
(ossl_ssl_connect): adjust ossl_start_ssl call
(ossl_ssl_connect_nonblock): ditto
(ossl_ssl_accept): ditto
(ossl_ssl_accept_nonblock): ditto
(ossl_ssl_read_internal): adjust for no_exception_p
(ossl_ssl_write_internal): ditto
(ossl_ssl_write): adjust ossl_write_internal call
(ossl_ssl_write_nonblock): ditto
* ext/stringio/stringio.c (strio_read_nonblock):
delay exception check
* io.c (no_exception_p): new function
(io_getpartial): call no_exception_p
(io_readpartial): adjust for io_getpartial
(get_kwargs_exception): remove
(io_read_nonblock): adjust for io_getpartial,
check no_exception_p on EOF
(io_write_nonblock): call no_exception_p
(rb_io_write_nonblock): do not check `exception: false'
(argf_getpartial): adjust for io_getpartial
[ruby-core:69778] [Feature #11318]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51113 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
OpenSSL::SSL::SSLSocket#sysread does not accept kwargs in blocking
mode, inform users if they make an error.
* ext/openssl/ossl_ssl.c (ossl_ssl_read_internal):
do not process kwargs in blocking mode
* test/openssl/test_ssl.rb: test sysread
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51016 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl: make wrapper objects before allocating structs to
get rid of potential memory leaks.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@50673 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
[fix GH-876][ci skip] Patch by @davydovanton
* lib/net/https.rb: ditto.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@50351 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/{etc,openssl,tk}: Adding parens and comparisons around
assignments to get rid of Wparentheses warnings. [Fix GH-875]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@50346 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
This is for consistency with accept_nonblock arguments and gives a
minor speedup from avoiding exceptions.
[ruby-core:68838] [Feature #11024]
* ext/openssl/ossl_ssl.c (ossl_ssl_connect_nonblock):
support `exception: false'
* (get_no_exception): move function location
* ext/socket/socket.c (sock_connect_nonblock):
support `exception: false'
* test/openssl/test_pair.rb (test_connect_accept_nonblock_no_exception):
test `exception: false' on connect,
rename from `test_accept_nonblock_no_exception'
* test/socket/test_nonblock.rb (test_connect_nonblock_no_exception):
new test
Benchmark results:
default 0.050000 0.100000 0.150000 ( 0.151307)
exception: false 0.030000 0.080000 0.110000 ( 0.108840)
----------------------------8<-----------------------
require 'socket'
require 'benchmark'
require 'io/wait'
require 'tmpdir'
host = '127.0.0.1'
serv = TCPServer.new(host, 0) # UNIX sockets may not hit EINPROGRESS
nr = 5000 # few iterations to avoid running out of ports
addr = serv.getsockname
pid = fork do
begin
serv.accept.close
rescue => e
warn "#$$: #{e.message} (#{e.class})"
end while true
end
at_exit { Process.kill(:TERM, pid) }
serv.close
Benchmark.bmbm do |x|
x.report("default") do
nr.times do
s = Socket.new(:INET, :STREAM)
s.setsockopt(:SOL_SOCKET, :SO_REUSEADDR, 1)
begin
s.connect_nonblock(addr)
rescue IO::WaitWritable
s.wait_writable
end
s.close
end
end
x.report("exception: false") do
nr.times do
s = Socket.new(:INET, :STREAM)
s.setsockopt(:SOL_SOCKET, :SO_REUSEADDR, 1)
case s.connect_nonblock(addr, exception: false)
when :wait_writable
s.wait_writable
end
s.close
end
end
end
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@50254 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/socket/init.c (rsock_s_accept_nonblock): use rb_hash_lookup2
* ext/openssl/ossl_ssl.c (get_no_exception): new function
(ossl_ssl_accept_nonblock): use get_no_exception
(ossl_ssl_read_internal): ditto
(ossl_ssl_write_nonblock): ditto
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@49955 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
This leads to a size reduction in openssl.so and reduces the
chance of bugs due to typos.
text data bss dec hex
before: 333022 13164 3312 349498 5553a
after: 332790 13164 3232 349186 55402
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@49954 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
This is analogous to functionality found in IO#read_nonblock and
IO#wait_nonblock. Raising exceptions for common failures on
non-blocking servers is expensive and makes $DEBUG too noisy.
Benchmark results:
user system total real
default 2.790000 0.870000 3.660000 ( 3.671597)
exception: false 1.120000 0.800000 1.920000 ( 1.922032)
exception: false (cached arg) 0.820000 0.770000 1.590000 ( 1.589267)
--------------------- benchmark script ------------------------
require 'socket'
require 'benchmark'
require 'tmpdir'
nr = 1000000
Dir.mktmpdir('nb_bench') do |path|
sock_path = "#{path}/test.sock"
s = UNIXServer.new(sock_path)
Benchmark.bmbm do |x|
x.report("default") do
nr.times do
begin
s.accept_nonblock
rescue IO::WaitReadable
end
end
end
x.report("exception: false") do
nr.times do
begin
s.accept_nonblock(exception: false)
rescue IO::WaitReadable
abort "should not raise"
end
end
end
x.report("exception: false (cached arg)") do
arg = { exception: false }
nr.times do
begin
s.accept_nonblock(arg)
rescue IO::WaitReadable
abort "should not raise"
end
end
end
end
end
* ext/socket/init.c (rsock_s_accept_nonblock):
support exception: false
[ruby-core:66385] [Feature #10532]
* ext/socket/init.c (rsock_init_socket_init): define new symbols
* ext/socket/rubysocket.h: adjust prototype
* ext/socket/socket.c (sock_accept_nonblock): support exception: false
* ext/openssl/ossl_ssl.c (ossl_ssl_accept_nonblock): ditto
* ext/socket/socket.c (Init_socket): adjust accept_nonblock definition
* ext/openssl/ossl_ssl.c (Init_ossl_ssl): ditto
* ext/socket/tcpserver.c (rsock_init_tcpserver): ditto
* ext/socket/unixserver.c (rsock_init_unixserver): ditto
* ext/socket/tcpserver.c (tcp_accept_nonblock): adjust
rsock_s_accept_nonblock call
* ext/socket/unixserver.c (unix_accept_nonblock): ditto
* ext/openssl/ossl_ssl.c (ossl_start_ssl): support no_exception
* ext/openssl/ossl_ssl.c (ossl_ssl_connect): adjust ossl_start_ssl call
* ext/openssl/ossl_ssl.c (ossl_ssl_connect_nonblock): ditto
* ext/openssl/ossl_ssl.c (ossl_ssl_accept): ditto
* test/socket/test_nonblock.rb (test_accept_nonblock): test for
"exception :false"
* test/socket/test_tcp.rb (test_accept_nonblock): new test
* test/socket/test_unix.rb (test_accept_nonblock): ditto
* test/openssl/test_pair.rb (test_accept_nonblock_no_exception): ditto
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@49948 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/ossl_ssl.c (ossl_ssl_type): use typed data.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@48801 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/ossl_ssl.c (ossl_sslctx_type): use typed data.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@48800 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/ossl_ssl.c (GetSSLCTX): accessor macro.
* ext/openssl/ossl_ssl.h (GetSSL): ditto.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@48790 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@47744 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/ossl_asn1.c (ossl_asn1_info): constify.
* ext/openssl/ossl_pkcs7.c (ossl_pkcs7_sym2typeid): constify and
remove sentinel as the count is used.
* ext/openssl/ossl_ssl.c (ossl_ssl_method_tab): constify.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@47048 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@47042 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
when SSL is not started.
This fix the fd leak by test_https_proxy_authentication in
test/net/http/test_https_proxy.rb.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@46209 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
when SSL session has not been started.
* test/openssl/test_ssl.rb: test for change.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@44732 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/ossl_ssl.c: ditto
* ext/psych/yaml/scanner.c: ditto
* ext/socket/init.c: ditto
* ext/socket/socket.c: ditto
* ext/tk/tcltklib.c: ditto
* ext/win32ole/win32ole.c: ditto
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@44649 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/ossl_ssl.c (Init_ossl_ssl): Declare a constant
`OP_MSIE_SSLV2_RSA_PADDING` only if the macro is defined. The
`SSL_OP_MSIE_SSLV2_RSA_PADDING` has been removed from latest
snapshot of OpenSSL 1.0.1. [Fixes GH-488]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@44402 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* ext/openssl/ossl_ssl.c: ditto.
* test/ruby/test_m17n.rb: ditto.
https://github.com/ruby/ruby/pull/475
[ci-skip]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@44148 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* include/ruby/ruby.h (RB_BLOCK_CALL_FUNC_ARGLIST): for declaration
argument list of rb_block_call_func.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@43910 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
wait_writable with wait_readable.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@42711 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
exceptions. As in: `io.read_nonblock(size, exception: false)`
[ruby-core:38666] [Feature #5138]
* ext/openssl/ossl_ssl.c (ossl_ssl_read_internal): ditto
* ext/stringio/stringio.c (strio_sysread): ditto
* io.c (rb_io_write_nonblock): support non-blocking writes without
raising an exception.
* ext/openssl/ossl_ssl.c (ossl_ssl_write_internal): ditto
* test/openssl/test_pair.rb (class OpenSSL): tests
* test/ruby/test_io.rb (class TestIO): ditto
* test/socket/test_nonblock.rb (class TestSocketNonblock): ditto
* test/stringio/test_stringio.rb (class TestStringIO): ditto
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@42695 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@40996 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@40825 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
defined(OPENSSL_NO_SOCK).
This fixes a linkage error on platforms which do not have socket.
OpenSSL itself is still useful as a set of cryptographic functions
even on such platforms.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@40680 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@40316 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* test/openssl/test_ssl.rb: Add tests to verify correct behavior.
[Bug #8240] Patch provided by Shugo Maeda. Thanks!
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@40304 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@40247 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
subclasses that include WaitReadable or WaitWritable rather than
extending them into the exception object each time.
* error.c: Capture EGAIN, EWOULDBLOCK, EINPROGRESS exceptions and
export them for use in WaitReadable/Writable exceptions.
* io.c: Create versions of EAGAIN, EWOULDBLOCK, EINPROGRESS that
include WaitReadable and WaitWritable. Add rb_readwrite_sys_fail
for nonblocking failures using those exceptions. Use that
function in io_getpartial and io_write_nonblock instead of
rb_mod_sys_fail
* ext/openssl/ossl_ssl.c: Add new SSLError subclasses that include
WaitReadable and WaitWritable. Use those classes for
write_would_block and read_would_block instead of rb_mod_sys_fail.
* ext/socket/ancdata.c: Use rb_readwrite_sys_fail instead of
rb_mod_sys_fail in bsock_sendmsg_internal and
bsock_recvmsg_internal.
* ext/socket/init.c: Use rb_readwrite_sys_fail instead of
rb_mod_sys_fail in rsock_s_recvfrom_nonblock and
rsock_s_connect_nonblock.
* ext/socket/socket.c: Use rb_readwrite_sys_fail instead of
rb_mod_sys_fail in sock_connect_nonblock.
* include/ruby/ruby.h: Export rb_readwrite_sys_fail for use instead
of rb_mod_sys_fail. Introduce new constants RB_IO_WAIT_READABLE and
RB_IO_WAIT_WRITABLE for first arg to rb_readwrite_sys_fail.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@40195 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
issue on big-endian architecture [ruby-core:50292] [Bug #7463]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@37996 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
suppress warning: instance variable @npn_select_cb not initialized
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@36985 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@36895 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
ext/ossl_ssl.c: Support Next Protocol Negotiation. Protocols to be
advertised by the server can be set in the SSLContext by using
SSLContext#npn_protocols=, protocol selection on the client is
supported by providing a selection callback with
SSLContext#npn_select_cb. The protocol that was finally negotiated
is available through SSL#npn_protocol.
test/openssl/test_ssl.rb: Add tests for Next Protocol Negotiation.
NEWS: add news about NPN support.
[Feature #6503] [ruby-core:45272]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@36871 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
remove SSLContext#disable_client_renegotiation and related
functionality introduced in r35797. The new callback approach
gives clients maximum flexibility to decide on their own what to
do on renegotiation attempts.
Add documentation for SSL module and SSLError.
* test/openssl/test_ssl.rb: Add a test for
SSLContext#renegotiation_cb.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35994 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* test/openssl/test_ssl.rb: Simple tests for this.
Client-side renegotiation is still considered problematic, even
when used in the context of secure renegotiation (RI, RFC 5746).
The changes allow users to either completely disable client
renegotiation on the server, or to specify a maximum number of
handshakes allowed in total. The number of total handshakes is
counted in a callback set as SSL_set_info_callback. If the
maximum number of handshakes is exceeded an error will be raised
We do not support renegotiation in the OpenSSL extension, therefore
this feature can only be tested externally.
The feature is opt-in, the default setting will be to allow
unlimited client renegotiation, as was the case before.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35797 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* test/openssl/test_ssl.rb: Handle ECONNRESET in code instead to avoid
the test failing in Ruby CI [1]
[1] http://u64.rubyci.org/~chkbuild/ruby-trunk/log/20120507T190102Z.log.html.gz#test-all
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35795 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
before ossl_raise. this cause a test failure on Linux.
http://u64.rubyci.org/~chkbuild/ruby-trunk/log/20120507T190102Z.log.html.gz
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35583 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
OpenSSL::SSL::OP_NO_TLSv1_1
OpenSSL::SSL::OP_NO_TLSv1_2
to allow blocking specific TLS versions. Thanks to Justin Guyett for
pointing this out to me.
* test/openssl/test_ssl.rb: add tests to assert correct behavior when
blocking certain versions of TLS/SSL both on server and client side.
Also refactored tests to reduce boilerplate code a little.
* test/openssl/utils.rb: rescue Errno::ECONNRESET for tests where
client rejects the connection because a forbidden protocol version
was used.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35567 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
SSLContext#version to inspect the version that was negotiated for
a given connection.
* ext/openssl/extconf.rb: detect TLS 1.1 & 1.2 support.
* test/openssl/test_ssl.rb: add tests for TLS 1.1 & 1.2 given they
are supported by the native OpenSSL being used.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35549 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
reaches end of non-void function" warnings. [ruby-trunk - Bug #6066]
* re.c (name_to_backref_number): ditto.
* object.c (rb_Float): ditto.
* io.c (io_readpartial): ditto.
* io.c (io_read_nonblock): ditto.
* pack.c (rb_uv_to_utf8): ditto.
* proc.c (rb_method_entry_arity): ditto.
* vm_method.c (rb_f_notimplement): ditto.
* struct.c (rb_struct_aset_id): ditto.
* class.c (rb_scan_args): ditto.
* process.c (rlimit_resource_type): ditto.
* process.c (rlimit_resource_value): ditto.
* process.c (p_uid_switch): ditto.
* process.c (p_gid_switch): ditto.
* ext/digest/digest.c (rb_digest_instance_update): ditto.
* ext/digest/digest.c (rb_digest_instance_finish): ditto.
* ext/digest/digest.c (rb_digest_instance_reset): ditto.
* ext/digest/digest.c (rb_digest_instance_block_length): ditto.
* ext/bigdecimal/bigdecimal.c (BigDecimalCmp): ditto.
* ext/dl/handle.c (rb_dlhandle_close): ditto.
* ext/tk/tcltklib.c (pending_exception_check0): ditto.
* ext/tk/tcltklib.c (pending_exception_check1): ditto.
* ext/tk/tcltklib.c (ip_cancel_eval_core): ditto.
* ext/tk/tcltklib.c (lib_get_reltype_name): ditto.
* ext/tk/tcltklib.c (create_dummy_encoding_for_tk_core): ditto.
* ext/tk/tkutil/tkutil.c (tk_hash_kv): ditto.
* ext/openssl/ossl_ssl.c (ossl_ssl_session_reused): ditto.
* ext/openssl/ossl_pkey_ec.c (ossl_ec_key_dsa_verify_asn1): ditto.
* ext/openssl/ossl_pkey_ec.c (ossl_ec_point_is_at_infinit): ditto.
* ext/openssl/ossl_pkey_ec.c (ossl_ec_point_is_on_curve): ditto.
* ext/fiddle/conversions.c (generic_to_value): ditto.
* ext/socket/raddrinfo.c (rsock_io_socket_addrinfo): ditto.
* ext/socket/socket.c (sock_s_getnameinfo): ditto.
* ext/ripper/eventids2.c (ripper_token2eventid): ditto.
* cont.c (return_fiber): ditto.
* dmydln.c (dln_load): ditto.
* vm_insnhelper.c (vm_search_normal_superclass): ditto.
* bignum.c (big_fdiv): ditto.
* marshal.c (r_symlink): ditto.
* marshal.c (r_symbol): ditto.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35321 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
option to prevent BEAST attack. See [Bug #5353].
In OpenSSL, OP_DONT_INSERT_EMPTY_FRAGMENTS is used to prevent
TLS-CBC-IV vulunerability described at
http://www.openssl.org/~bodo/tls-cbc.txt
It's known issue of TLSv1/SSLv3 but it attracts lots of attention
these days as BEAST attack. (CVE-2011-3389)
Until now ossl sets OP_ALL at SSLContext allocation and call
SSL_CTX_set_options at connection. SSL_CTX_set_options updates the
value by using |= so bits set by OP_ALL cannot be unset afterwards.
This commit changes to call SSL_CTX_set_options only 1 time for each
SSLContext. It sets the specified value if SSLContext#options= are
called and sets OP_ALL if not.
To help users to unset bits in OP_ALL, this commit also adds several
constant to SSL such as
OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS. These constants were
not exposed in Ruby because there's no way to unset bits in OP_ALL
before.
Following is an example to enable 0/n split for BEAST prevention.
ctx.options = OP_ALL & ~OP_DONT_INSERT_EMPTY_FRAGMENTS
* test/openssl/test_ssl.rb: Test above option exists.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@34482 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
of OpenSSL::SSL::SSLSocket#session.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@33842 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
message.
* ext/openssl/ossl_ssl.c: ditto.
* ext/openssl/ossl_pkey_rsa: ditto.
[Bug #5604] [ruby-core:40896]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@33821 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
ext/openssl/ossl_pkey.c: ditto
* ext/openssl/ossl_pkey_dh.c: Make functions passed to
rb_thread_blocking_region return VALUE instead of void.
ext/openssl/ossl_pkey_dsa.c: ditto
ext/openssl/ossl_pkey_rsa.c: ditto
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@33477 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
* test/openssl/test_ssl.rb: Add a test for it.
Thanks to Eric Wong for the patch.
[Ruby 1.9 - Feature #5183] [ruby-core:38911]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32973 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|