Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Openssl updates #1836

Merged
merged 4 commits into from
Aug 6, 2019
Merged

Openssl updates #1836

merged 4 commits into from
Aug 6, 2019

Conversation

MSP-Greg
Copy link
Member

@MSP-Greg MSP-Greg commented Jul 9, 2019
edited
Loading

1st commit - OpenSSL 1.1.1 updates, add #no_tlsv1_1
1.1 Adds three constants to MiniSSL, as many OpenSSL builds cannot/will not connect with older protocols:

   OPENSSL_NO_SSL3
   OPENSSL_NO_TLS1
   OPENSSL_NO_TLS1_1

1.2 Uses SSL_CTX_set_min_proto_version when available
1.3 Add #no_tlsv1_1 method to Puma::MiniSSL::Context

2nd commit - travis.yml - add bionic 18.04 job
2.1 Add Ubuntu bionic 18.04 job with Ruby 2.6.3. This tests with OpenSSL 1.1.1

3rd commit - test_puma_server_ssl.rb - add tests for #no_tlsv1, #no_tlsv1_1
3.1 Adds tests for #no_tlsv1 and #no_tlsv1_1
3.2 Changes setup (via adding a start_server method), allowing the context to be passed to a block

4th commit - add no_tlsv1_1 to binder, config, etc
4.1 Adds use of #no_tlsv1_1 with binder.rb and dsl.rb
4.2 Adds tests to test_binder.rb and test_config.rb for above
4.3 Adds feature to MiniSSL.java

@MSP-Greg
Copy link
Member Author

MSP-Greg commented Jul 9, 2019

A few notes:

  1. I mentioned the new #no_tlsv1_1 method in another thread, immediately after that, I googled TLSv1.1. There are several major sites (including GitHub?) that have disabled TLSv1.1. It's time, and I had already started on the PR.

  2. Travis/rvm seems to have Ruby master/trunk/head messed up again. If it isn't fixed soon, I'll patch then. I think RUBYOPT=--jit needs to be defined after bundle install, which fixed the issue in another repo...

  3. Ruby 2.6.3 is currently tested in Xenial (1.0.2), and on Appveyor, Bionic, & OSX, all with 1.1.1. Since OSX jobs take quite a while, I'd suggest removing the OSX 2.6.3 job. On OSX, both the 2.4 & 2.5 jobs test on 1.1.1.

  4. Lastly, I think with the additions/changes in this PR, all OpenSSL issues are resolved, and nothing will need to be added/changed in the foreseeable future. After all, we're testing on 1.0.1 thru 1.1.1, all is passing, and protocols can be restricted if needed...

This was referenced Jul 9, 2019
Closed
Closed
@nateberkopec
Copy link
Member

🙏 Really solid work on all of this @MSP-Greg. The way a PR should be done!

Will review soon, looks like there was an unrelated build failure.

@MSP-Greg
Copy link
Member Author

MSP-Greg commented Jul 10, 2019
edited
Loading

@nateberkopec

Thank you, really. Sorry for adding the method, but I needed a break from a Ruby/JS mess, and I've done a few other OpenSSL PR's this week, similar issues. So, I just wanted to get it done...

looks like there was an unrelated build failure.

That pissed me off.

  1. Passed in my fork.
  2. Been involved with testing enought that I generally don't write unstable tests. Checked other jobs, and some ran all the SSL tests before the tests that failed.
  3. I think the failed tests involve fork, and being a windows guy, I can't test them locally.

Long story short, I guess we'll all keep an eye on it...

nateberkopec
nateberkopec reviewed Jul 16, 2019
View reviewed changes
test/test_puma_server_ssl.rb Outdated
end

def teardown
@http.finish if !@http.nil? && @http.started?
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

style nitpick but I hate unnecessary predicates. I think if @http is sufficient here, as is unless @server in the next line.

Copy link
Member Author

@MSP-Greg MSP-Greg Jul 17, 2019
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@nateberkopec

I just pushed this change, and it's breaking things.

Although I can't recall what/why, there are times when connections aren't 'made' due to testing for restricted protocol versions. Are you ok with returning these to the original code in the PR?

EDIT: Generally, with new things, I will always test in my fork. I will not always check 'old code', but I am not the type to make code more complex. I also forget things/reasons (better with theory than details...). I'll try to add more comments in the future...

    @http.finish if !@http.nil? && @http.started?
    @server.stop(true) unless @server.nil?

changed to:

    @http.finish if @http && @http.started?
    @server.stop(true) if @server

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yup! if the predicate is necessary, then it's necessary. just thought it wasn't.

nateberkopec
nateberkopec reviewed Jul 16, 2019
View reviewed changes
test/test_puma_server_ssl.rb
else
@http.ssl_version = :TLSv1
end
# Ruby 2.4.5 on Travis raises ArgumentError
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lmao

@nateberkopec
Copy link
Member

The Ruby here is good with me, needs a review from someone else on the C.

@nateberkopec
Copy link
Member

I think RUBYOPT=--jit needs to be defined after bundle install
I'd suggest removing the OSX 2.6.3 job. On OSX, both the 2.4 & 2.5 jobs test on 1.1.1.

make-it-so-captain-102843

@nateberkopec nateberkopec added the waiting-for-changes Waiting on changes from the requestor label Jul 16, 2019
@MSP-Greg MSP-Greg force-pushed the openssl-updates branch 2 times, most recently from 0cca7c0 to b397cc5 Compare July 17, 2019 02:35
@MSP-Greg
Copy link
Member Author

Should be ok if the 'review from someone else on the C' is good.

Ruby master will fail on Travis until a bundler issue specific to 'nested bundle commands used when bundler is a default gem' is fixed. PR submitted to bundler...

@MSP-Greg
Copy link
Member Author

MSP-Greg commented Jul 17, 2019
edited
Loading

@nateberkopec

  1. rebased
  2. added the code to use no_tlsv1_1 to binder, config, tests, etc. Previously, the PR just added it to MiniSSL::Context, which isn't very useful...

@nateberkopec nateberkopec removed the waiting-for-changes Waiting on changes from the requestor label Jul 17, 2019
@MSP-Greg MSP-Greg mentioned this pull request Jul 21, 2019
Closed
@nateberkopec nateberkopec added this to the 4.1.0 milestone Jul 28, 2019
@MSP-Greg
Copy link
Member Author

MSP-Greg commented Aug 3, 2019
edited
Loading

2019-08-03 15:30 UTC, I selfishly rebased to trigger a CI run to test ruby-head.

The fix for 'nested bundle commands when bundler is a default gem' has been pushed from Bundler to ruby-head/trunk, and ruby-head is now passing.

A small patch in this PR additionally fixes ruby-head with --jit, and it is also passing.

See:
https://travis-ci.org/puma/puma/builds/567321441

Note that this wasn't an issue on Appveyor, as all the tests that have bundle commands also use fork, which is unavailable on Windows & JRuby...

@nateberkopec nateberkopec removed this from the 4.1.0 milestone Aug 4, 2019
@MSP-Greg MSP-Greg mentioned this pull request Aug 6, 2019
Closed
@evanphx evanphx merged commit 3ea2471 into puma:master Aug 6, 2019
@MSP-Greg MSP-Greg deleted the openssl-updates branch September 18, 2019 22:54
@dentarg dentarg mentioned this pull request Mar 16, 2020
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nateberkopec nateberkopec nateberkopec left review comments

Assignees

@evanphx evanphx

Labels
feature ssl
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@MSP-Greg @nateberkopec @evanphx