From 40aa32a0d7ce7a651a610cc69cced23319a11cd5 Mon Sep 17 00:00:00 2001 From: gotoyuzo Date: Sat, 22 Dec 2007 08:31:53 +0000 Subject: [PATCH] * ext/openssl/lib/net/ssl.rb (OpenSSL::SSL::SSLContext.build): removed. * ext/openssl/lib/net/ssl.rb (OpenSSL::SSL::SSLContext#set_params): new method to set suitable SSL parameters. * lib/net/pop.rb, lib/net/http.rb, lib/net/imap.rb, test/openssl/test_ssl.rb: follow above change. * test/net/http/test_https.rb: refine error case. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@14479 b2dd03c8-39d4-4d8f-98ff-823fe69b080e --- ChangeLog | 14 +++++++++++- ext/openssl/lib/openssl/ssl.rb | 42 ++++++++++++++++------------------ lib/net/http.rb | 3 ++- lib/net/imap.rb | 5 ++-- lib/net/pop.rb | 7 +++--- test/net/http/test_https.rb | 2 +- test/openssl/test_ssl.rb | 14 ++++++++---- 7 files changed, 52 insertions(+), 35 deletions(-) diff --git a/ChangeLog b/ChangeLog index 9e9abe4c31..877e33bb61 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,15 @@ +Sat Dec 22 17:06:50 2007 GOTOU Yuuzou + + * ext/openssl/lib/net/ssl.rb (OpenSSL::SSL::SSLContext.build): removed. + + * ext/openssl/lib/net/ssl.rb (OpenSSL::SSL::SSLContext#set_params): + new method to set suitable SSL parameters. + + * lib/net/pop.rb, lib/net/http.rb, lib/net/imap.rb, + test/openssl/test_ssl.rb: follow above change. + + * test/net/http/test_https.rb: refine error case. + Sat Dec 22 16:58:49 2007 Shugo Maeda * lib/net/imap.rb (encode_utf7): accept UTF-8 strings. @@ -19,7 +31,7 @@ Sat Dec 22 15:45:45 2007 Martin Duerst * transcode_data_japanese: new data file for EUC-JP and SHIFT_JIS (not yet optimized; tests to follow; data from http://nkf.sourceforge.jp/ucm/{SJIS|eucJP}-nkf.ucm) - + * common.mk, transcode.c: Adjusted for transcode_data_japanese Sat Dec 22 15:30:13 2007 NAKAMURA Usaku diff --git a/ext/openssl/lib/openssl/ssl.rb b/ext/openssl/lib/openssl/ssl.rb index 71726801c0..948c55f259 100644 --- a/ext/openssl/lib/openssl/ssl.rb +++ b/ext/openssl/lib/openssl/ssl.rb @@ -21,30 +21,28 @@ require "fcntl" module OpenSSL module SSL class SSLContext - class < "SSLv23", - :verify_mode => OpenSSL::SSL::VERIFY_PEER, - :ciphers => "ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW", - :options => OpenSSL::SSL::OP_ALL, - } - params = default_params.merge(params) - ctx = new() - params.each{|name, value| ctx.__send__("#{name}=", value) } - ctx.verify_mode ||= OpenSSL::SSL::VERIFY_NONE - if ctx.verify_mode != OpenSSL::SSL::VERIFY_NONE - unless ctx.ca_file or ctx.ca_path or - ctx.cert_store or ctx.verify_callback - ctx.cert_store = OpenSSL::X509::Store.new - if defined?(OpenSSL::X509::V_FLAG_CRL_CHECK_ALL) - ctx.cert_store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL - end - ctx.cert_store.set_default_paths - end + DEFAULT_PARAMS = { + :ssl_version => "SSLv23", + :verify_mode => OpenSSL::SSL::VERIFY_PEER, + :ciphers => "ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW", + :options => OpenSSL::SSL::OP_ALL, + } + + DEFAULT_CERT_STORE = OpenSSL::X509::Store.new + DEFAULT_CERT_STORE.set_default_paths + if defined?(OpenSSL::X509::V_FLAG_CRL_CHECK_ALL) + DEFAULT_CERT_STORE.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL + end + + def set_params(params={}) + params = DEFAULT_PARAMS.merge(params) + params.each{|name, value| self.__send__("#{name}=", value) } + if self.verify_mode != OpenSSL::SSL::VERIFY_NONE + unless self.ca_file or self.ca_path or self.cert_store + self.cert_store = DEFAULT_CERT_STORE end - return ctx end + return params end end diff --git a/lib/net/http.rb b/lib/net/http.rb index 9e2aeee2c4..b9fadd2fe5 100644 --- a/lib/net/http.rb +++ b/lib/net/http.rb @@ -581,7 +581,8 @@ module Net #:nodoc: ssl_parameters[name] = value end end - @ssl_context = OpenSSL::SSL::SSLContext.build(ssl_parameters) + @ssl_context = OpenSSL::SSL::SSLContext.new + @ssl_context.set_params(ssl_parameters) s = OpenSSL::SSL::SSLSocket.new(s, @ssl_context) s.sync_close = true end diff --git a/lib/net/imap.rb b/lib/net/imap.rb index 2398a5d10c..394f0d9890 100644 --- a/lib/net/imap.rb +++ b/lib/net/imap.rb @@ -892,7 +892,7 @@ module Net # OpenSSL [OSSL] and the Ruby OpenSSL [RSSL] extensions need to # be installed. # if options[:ssl] is a hash, it's passed to - # OpenSSL::SSL::SSLContext.build as parameters. + # OpenSSL::SSL::SSLContext#set_params as parameters. # # The most common errors are: # @@ -1263,7 +1263,8 @@ module Net rescue NoMethodError params = {} end - context = SSLContext.build(params) + context = SSLContext.new + context.set_params(params) if defined?(VerifyCallbackProc) context.verify_callback = VerifyCallbackProc end diff --git a/lib/net/pop.rb b/lib/net/pop.rb index 6b21da189c..cbe5630271 100644 --- a/lib/net/pop.rb +++ b/lib/net/pop.rb @@ -328,7 +328,7 @@ module Net # Net::POP.enable_ssl(params = {}) # # Enable SSL for all new instances. - # +params+ is passed to OpenSSL::SSLContext.build. + # +params+ is passed to OpenSSL::SSLContext#set_params. def POP3.enable_ssl(*args) @ssl_params = create_ssl_params(*args) end @@ -441,7 +441,7 @@ module Net # Enables SSL for this instance. Must be called before the connection is # established to have any effect. # +params[:port]+ is port to establish the SSL connection on; Defaults to 995. - # +params+ (except :port) is passed to OpenSSL::SSLContext.build. + # +params+ (except :port) is passed to OpenSSL::SSLContext#set_params. def enable_ssl(verify_or_params = {}, certs = nil, port = nil) begin @ssl_params = verify_or_params.to_hash.dup @@ -534,7 +534,8 @@ module Net s = timeout(@open_timeout) { TCPSocket.open(@address, port) } if use_ssl? raise 'openssl library not installed' unless defined?(OpenSSL) - context = OpenSSL::SSL::SSLContext.build(@ssl_params) + context = OpenSSL::SSL::SSLContext.new + context.set_params(@ssl_params) s = OpenSSL::SSL::SSLSocket.new(s, context) s.sync_close = true s.connect diff --git a/test/net/http/test_https.rb b/test/net/http/test_https.rb index d74f10712c..133e957133 100644 --- a/test/net/http/test_https.rb +++ b/test/net/http/test_https.rb @@ -59,7 +59,7 @@ class TestNetHTTPS < Test::Unit::TestCase http = Net::HTTP.new("ssl.netlab.jp", 443) http.use_ssl = true assert( - http.request_head("/"){|res| }, + (http.request_head("/"){|res| } rescue false), "The system may not have default CA certificate store." ) end diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb index 1b89aa78c3..2bd6689a62 100644 --- a/test/openssl/test_ssl.rb +++ b/test/openssl/test_ssl.rb @@ -245,13 +245,15 @@ class OpenSSL::TestSSL < Test::Unit::TestCase def test_verify_result start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true){|server, port| sock = TCPSocket.new("127.0.0.1", port) - ctx = OpenSSL::SSL::SSLContext.build + ctx = OpenSSL::SSL::SSLContext.new + ctx.set_params ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx) assert_raise(OpenSSL::SSL::SSLError){ ssl.connect } assert_equal(OpenSSL::X509::V_ERR_SELF_SIGNED_CERT_IN_CHAIN, ssl.verify_result) sock = TCPSocket.new("127.0.0.1", port) - ctx = OpenSSL::SSL::SSLContext.build( + ctx = OpenSSL::SSL::SSLContext.new + ctx.set_params( :verify_callback => Proc.new do |preverify_ok, store_ctx| store_ctx.error = OpenSSL::X509::V_OK true @@ -262,7 +264,8 @@ class OpenSSL::TestSSL < Test::Unit::TestCase assert_equal(OpenSSL::X509::V_OK, ssl.verify_result) sock = TCPSocket.new("127.0.0.1", port) - ctx = OpenSSL::SSL::SSLContext.build( + ctx = OpenSSL::SSL::SSLContext.new + ctx.set_params( :verify_callback => Proc.new do |preverify_ok, store_ctx| store_ctx.error = OpenSSL::X509::V_ERR_APPLICATION_VERIFICATION false @@ -274,10 +277,11 @@ class OpenSSL::TestSSL < Test::Unit::TestCase } end - def test_sslctx_build + def test_sslctx_set_params start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true){|server, port| sock = TCPSocket.new("127.0.0.1", port) - ctx = OpenSSL::SSL::SSLContext.build + ctx = OpenSSL::SSL::SSLContext.new + ctx.set_params assert_equal(OpenSSL::SSL::VERIFY_PEER, ctx.verify_mode) assert_equal(OpenSSL::SSL::OP_ALL, ctx.options) ciphers = ctx.ciphers