From 3ff2f9f3a32fbd87caab29f7fe163c63ab50e305 Mon Sep 17 00:00:00 2001
From: nahi <nahi@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Wed, 8 Feb 2012 05:27:14 +0000
Subject: * ext/openssl/ossl_ssl.c: Add SSL constants and allow to unset SSL  
 option to prevent BEAST attack. See [Bug #5353].

  In OpenSSL, OP_DONT_INSERT_EMPTY_FRAGMENTS is used to prevent
  TLS-CBC-IV vulunerability described at
  http://www.openssl.org/~bodo/tls-cbc.txt
  It's known issue of TLSv1/SSLv3 but it attracts lots of attention
  these days as BEAST attack. (CVE-2011-3389)

  Until now ossl sets OP_ALL at SSLContext allocation and call
  SSL_CTX_set_options at connection.  SSL_CTX_set_options updates the
  value by using |= so bits set by OP_ALL cannot be unset afterwards.

  This commit changes to call SSL_CTX_set_options only 1 time for each
  SSLContext. It sets the specified value if SSLContext#options= are
  called and sets OP_ALL if not.

  To help users to unset bits in OP_ALL, this commit also adds several
  constant to SSL such as
  OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS.  These constants were
  not exposed in Ruby because there's no way to unset bits in OP_ALL
  before.

  Following is an example to enable 0/n split for BEAST prevention.

    ctx.options = OP_ALL & ~OP_DONT_INSERT_EMPTY_FRAGMENTS

* test/openssl/test_ssl.rb: Test above option exists.


git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@34482 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 test/openssl/test_ssl.rb | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

(limited to 'test/openssl')

diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb
index 39d9b5e126..033d1e8be5 100644
--- a/test/openssl/test_ssl.rb
+++ b/test/openssl/test_ssl.rb
@@ -422,6 +422,21 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
       }
     }
   end
+
+  def test_unset_OP_ALL
+    ctx_proc = Proc.new { |ctx|
+      ctx.options = OpenSSL::SSL::OP_ALL & ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS
+    }
+    start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true, :ctx_proc => ctx_proc){|server, port|
+      sock = TCPSocket.new("127.0.0.1", port)
+      ssl = OpenSSL::SSL::SSLSocket.new(sock)
+      ssl.sync_close = true
+      ssl.connect
+      ssl.puts('hello')
+      assert_equal("hello\n", ssl.gets)
+      ssl.close
+    }
+  end
 end
 
 end
-- 
cgit v1.2.3