From 84f1dae9d637a2038d1b395bcc2f22404770d2d7 Mon Sep 17 00:00:00 2001
From: emboss <emboss@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Tue, 18 Dec 2012 02:02:43 +0000
Subject: * ext/openssl/lib/ssl.rb: Enable insertion of empty fragments as a  
 countermeasure for the BEAST attack by default. The default options   of
 OpenSSL::SSL:SSLContext are now:   OpenSSL::SSL::OP_ALL &
 ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS   [Bug #5353] [ruby-core:39673]

* test/openssl/test_ssl.rb: Adapt tests to new SSLContext default.

* NEWS: Announce the new default.



git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@38433 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 test/openssl/test_ssl.rb | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

(limited to 'test')

diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb
index 98ed8ca927..bbfebce4f6 100644
--- a/test/openssl/test_ssl.rb
+++ b/test/openssl/test_ssl.rb
@@ -3,6 +3,11 @@ require_relative "utils"
 if defined?(OpenSSL)
 
 class OpenSSL::TestSSL < OpenSSL::SSLTestCase
+
+  TLS_DEFAULT_OPS = defined?(OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS) ?
+                    OpenSSL::SSL::OP_ALL & ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS :
+                    OpenSSL::SSL::OP_ALL
+
   def test_ctx_setup
     ctx = OpenSSL::SSL::SSLContext.new
     assert_equal(ctx.setup, true)
@@ -257,7 +262,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
       ctx = OpenSSL::SSL::SSLContext.new
       ctx.set_params
       assert_equal(OpenSSL::SSL::VERIFY_PEER, ctx.verify_mode)
-      assert_equal(OpenSSL::SSL::OP_ALL, ctx.options)
+      assert_equal(TLS_DEFAULT_OPS, ctx.options)
       ciphers = ctx.ciphers
       ciphers_versions = ciphers.collect{|_, v, _, _| v }
       ciphers_names = ciphers.collect{|v, _, _, _| v }
@@ -398,7 +403,10 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
 
   def test_unset_OP_ALL
     ctx_proc = Proc.new { |ctx|
-      ctx.options = OpenSSL::SSL::OP_ALL & ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS
+      # If OP_DONT_INSERT_EMPTY_FRAGMENTS is not defined, this test is
+      # redundant because the default options already are equal to OP_ALL.
+      # But it also degrades gracefully, so keep it
+      ctx.options = OpenSSL::SSL::OP_ALL
     }
     start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true, :ctx_proc => ctx_proc){|server, port|
       server_connect(port) { |ssl|
-- 
cgit v1.2.3