Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with
or
.
Download ZIP
Browse files

Merge branch 'master' into mbari

  • Loading branch information...
commit 8017ed2802f533221aa7633ccde88695bcfe8097 2 parents 6f81396 + 04200f6
@FooBarWidget authored
View
31 ChangeLog
@@ -1,3 +1,34 @@
+Wed Feb 8 14:06:59 2012 Hiroshi Nakamura <nahi@ruby-lang.org>
+
+ * ext/openssl/ossl_ssl.c: Add SSL constants and allow to unset SSL
+ option to prevent BEAST attack. See [Bug #5353].
+
+ In OpenSSL, OP_DONT_INSERT_EMPTY_FRAGMENTS is used to prevent
+ TLS-CBC-IV vulunerability described at
+ http://www.openssl.org/~bodo/tls-cbc.txt
+ It's known issue of TLSv1/SSLv3 but it attracts lots of attention
+ these days as BEAST attack. (CVE-2011-3389)
+
+ Until now ossl sets OP_ALL at SSLContext allocation and call
+ SSL_CTX_set_options at connection. SSL_CTX_set_options updates the
+ value by using |= so bits set by OP_ALL cannot be unset afterwards.
+
+ This commit changes to call SSL_CTX_set_options only 1 time for each
+ SSLContext. It sets the specified value if SSLContext#options= are
+ called and sets OP_ALL if not.
+
+ To help users to unset bits in OP_ALL, this commit also adds several
+ constant to SSL such as
+ OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS. These constants were
+ not exposed in Ruby because there's no way to unset bits in OP_ALL
+ before.
+
+ Following is an example to enable 0/n split for BEAST prevention.
+
+ ctx.options = OP_ALL & ~OP_DONT_INSERT_EMPTY_FRAGMENTS
+
+ * test/openssl/test_ssl.rb: Test above option exists.
+
Wed Dec 28 21:34:23 2011 URABE Shyouhei <shyouhei@ruby-lang.org>
* string.c (rb_str_hash): randomize hash to avoid algorithmic
View
31 ext/openssl/ossl_ssl.c
@@ -140,7 +140,6 @@ ossl_sslctx_s_alloc(VALUE klass)
ossl_raise(eSSLError, "SSL_CTX_new:");
}
SSL_CTX_set_mode(ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
- SSL_CTX_set_options(ctx, SSL_OP_ALL);
return Data_Wrap_Struct(klass, 0, ossl_sslctx_free, ctx);
}
@@ -560,7 +559,11 @@ ossl_sslctx_setup(VALUE self)
if(!NIL_P(val)) SSL_CTX_set_verify_depth(ctx, NUM2LONG(val));
val = ossl_sslctx_get_options(self);
- if(!NIL_P(val)) SSL_CTX_set_options(ctx, NUM2LONG(val));
+ if(!NIL_P(val)) {
+ SSL_CTX_set_options(ctx, NUM2LONG(val));
+ } else {
+ SSL_CTX_set_options(ctx, SSL_OP_ALL);
+ }
rb_obj_freeze(self);
val = ossl_sslctx_get_sess_id_ctx(self);
@@ -1441,18 +1444,20 @@ Init_ossl_ssl()
ossl_ssl_def_const(VERIFY_PEER);
ossl_ssl_def_const(VERIFY_FAIL_IF_NO_PEER_CERT);
ossl_ssl_def_const(VERIFY_CLIENT_ONCE);
- /* Not introduce constants included in OP_ALL such as...
- * ossl_ssl_def_const(OP_MICROSOFT_SESS_ID_BUG);
- * ossl_ssl_def_const(OP_NETSCAPE_CHALLENGE_BUG);
- * ossl_ssl_def_const(OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG);
- * ossl_ssl_def_const(OP_SSLREF2_REUSE_CERT_TYPE_BUG);
- * ossl_ssl_def_const(OP_MICROSOFT_BIG_SSLV3_BUFFER);
- * ossl_ssl_def_const(OP_MSIE_SSLV2_RSA_PADDING);
- * ossl_ssl_def_const(OP_SSLEAY_080_CLIENT_DH_BUG);
- * ossl_ssl_def_const(OP_TLS_D5_BUG);
- * ossl_ssl_def_const(OP_TLS_BLOCK_PADDING_BUG);
- * ossl_ssl_def_const(OP_DONT_INSERT_EMPTY_FRAGMENTS);
+ /* Introduce constants included in OP_ALL. These constants are mostly for
+ * unset some bits in OP_ALL such as;
+ * ctx.options = OP_ALL & ~OP_DONT_INSERT_EMPTY_FRAGMENTS
*/
+ ossl_ssl_def_const(OP_MICROSOFT_SESS_ID_BUG);
+ ossl_ssl_def_const(OP_NETSCAPE_CHALLENGE_BUG);
+ ossl_ssl_def_const(OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG);
+ ossl_ssl_def_const(OP_SSLREF2_REUSE_CERT_TYPE_BUG);
+ ossl_ssl_def_const(OP_MICROSOFT_BIG_SSLV3_BUFFER);
+ ossl_ssl_def_const(OP_MSIE_SSLV2_RSA_PADDING);
+ ossl_ssl_def_const(OP_SSLEAY_080_CLIENT_DH_BUG);
+ ossl_ssl_def_const(OP_TLS_D5_BUG);
+ ossl_ssl_def_const(OP_TLS_BLOCK_PADDING_BUG);
+ ossl_ssl_def_const(OP_DONT_INSERT_EMPTY_FRAGMENTS);
ossl_ssl_def_const(OP_ALL);
#if defined(SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION)
ossl_ssl_def_const(OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
View
15 test/openssl/test_ssl.rb
@@ -532,6 +532,21 @@ def test_server_session
end
end
end
+
+ def test_unset_OP_ALL
+ ctx_proc = Proc.new { |ctx|
+ ctx.options = OpenSSL::SSL::OP_ALL & ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS
+ }
+ start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true, :ctx_proc => ctx_proc){|server, port|
+ sock = TCPSocket.new("127.0.0.1", port)
+ ssl = OpenSSL::SSL::SSLSocket.new(sock)
+ ssl.sync_close = true
+ ssl.connect
+ ssl.puts('hello')
+ assert_equal("hello\n", ssl.gets)
+ ssl.close
+ }
+ end
end
end
View
12 version.h
@@ -1,15 +1,15 @@
#define RUBY_VERSION "1.8.7"
-#define RUBY_RELEASE_DATE "2011-12-28"
+#define RUBY_RELEASE_DATE "2012-02-08"
#define RUBY_VERSION_CODE 187
-#define RUBY_RELEASE_CODE 20111228
-#define RUBY_PATCHLEVEL 357
+#define RUBY_RELEASE_CODE 20120208
+#define RUBY_PATCHLEVEL 358
#define RUBY_VERSION_MAJOR 1
#define RUBY_VERSION_MINOR 8
#define RUBY_VERSION_TEENY 7
-#define RUBY_RELEASE_YEAR 2011
-#define RUBY_RELEASE_MONTH 12
-#define RUBY_RELEASE_DAY 28
+#define RUBY_RELEASE_YEAR 2012
+#define RUBY_RELEASE_MONTH 2
+#define RUBY_RELEASE_DAY 8
#ifdef RUBY_EXTERN
RUBY_EXTERN const char ruby_version[];
Please sign in to comment.
Something went wrong with that request. Please try again.