New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

TLS Fallback Signaling Cipher Suite Value #165

Merged
merged 1 commit into from Nov 3, 2017

Conversation

Projects
None yet
2 participants
@aeris
Contributor

aeris commented Oct 29, 2017

Support for fallback SCSV RFC 7507.

Expected behaviour is to refuse connection if the client signals a protocol with
the fallback flag but the server supports a better one (downgrade attack detection).

Show outdated Hide outdated ext/openssl/ossl_ssl.c Outdated
Show outdated Hide outdated ext/openssl/ossl_ssl.c Outdated
Show outdated Hide outdated test/utils.rb Outdated
Show outdated Hide outdated ext/openssl/ossl_ssl.c Outdated
Show outdated Hide outdated lib/openssl/ssl.rb Outdated
Show outdated Hide outdated test/test_ssl.rb Outdated
@rhenium

This comment has been minimized.

Show comment
Hide comment
@rhenium

rhenium Oct 30, 2017

Member

Just out of curiosity (I'm fine with either one), is there any particular reason to choose #enable_fallback_scsv over #{send_,}fallback_scsv=true|false?

Member

rhenium commented Oct 30, 2017

Just out of curiosity (I'm fine with either one), is there any particular reason to choose #enable_fallback_scsv over #{send_,}fallback_scsv=true|false?

@aeris

This comment has been minimized.

Show comment
Hide comment
@aeris

aeris Oct 30, 2017

Contributor

fallback_scsv=false is a little non-sense. In practice, you activate SCSV only when you fallback to lower version after a failed connection. "Disabling" SCSV has no meaning.

Contributor

aeris commented Oct 30, 2017

fallback_scsv=false is a little non-sense. In practice, you activate SCSV only when you fallback to lower version after a failed connection. "Disabling" SCSV has no meaning.

@rhenium

This comment has been minimized.

Show comment
Hide comment
@rhenium

rhenium Oct 30, 2017

Member

Fair enough, I agree nobody would bother with setting that explicitly.

Member

rhenium commented Oct 30, 2017

Fair enough, I agree nobody would bother with setting that explicitly.

@@ -1222,6 +1222,56 @@ def test_get_ephemeral_key
end
end
def test_fallback_scsv

This comment has been minimized.

@rhenium

rhenium Nov 3, 2017

Member

This test case is failing with LibreSSL or older patch versions of OpenSSL 1.0.1 because they lack support for TLS_FALLBACK_SCSV. pend if the method does not exist.

https://travis-ci.org/ruby/openssl/jobs/294781400#L660

@rhenium

rhenium Nov 3, 2017

Member

This test case is failing with LibreSSL or older patch versions of OpenSSL 1.0.1 because they lack support for TLS_FALLBACK_SCSV. pend if the method does not exist.

https://travis-ci.org/ruby/openssl/jobs/294781400#L660

This comment has been minimized.

@aeris

aeris Nov 3, 2017

Contributor

Fixed

@aeris

aeris Nov 3, 2017

Contributor

Fixed

Show outdated Hide outdated test/test_ssl.rb Outdated
Show outdated Hide outdated test/test_ssl.rb Outdated
Show outdated Hide outdated test/test_ssl.rb Outdated
Show outdated Hide outdated test/test_ssl.rb Outdated
Show outdated Hide outdated ext/openssl/ossl_ssl.c Outdated
Show outdated Hide outdated test/test_ssl.rb Outdated
@rhenium

This comment has been minimized.

Show comment
Hide comment
@rhenium

rhenium Nov 3, 2017

Member

This looks really nice to me. Thanks for your patience!

Lastly, can you squash the commits into one commit?

Member

rhenium commented Nov 3, 2017

This looks really nice to me. Thanks for your patience!

Lastly, can you squash the commits into one commit?

@rhenium

rhenium approved these changes Nov 3, 2017

TLS Fallback Signaling Cipher Suite Value
Support for fallback SCSV [RFC 7507](https://tools.ietf.org/html/rfc7507).

Expected behaviour is to refuse connection if the client signals a protocol with
the fallback flag but the server supports a better one (downgrade attack detection).
@aeris

This comment has been minimized.

Show comment
Hide comment
@aeris

aeris Nov 3, 2017

Contributor

Done :)

Contributor

aeris commented Nov 3, 2017

Done :)

@rhenium rhenium merged commit 819d7e5 into ruby:master Nov 3, 2017

2 checks passed

continuous-integration/appveyor/pr AppVeyor build succeeded
Details
continuous-integration/travis-ci/pr The Travis CI build passed
Details

@aeris aeris deleted the aeris:scsv branch Nov 3, 2017

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment