* lib/openssl/ssl.rb: Use a simple random number to generate the

session id. MD5, as was used before, causes problems when using a FIPS version of OpenSSL. Issue was found by Jared Jennings, thank you! [ruby-trunk - Bug #6137] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@36005 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2012-06-10 01:53:20 +00:00 · 2012-06-10 01:53:20 +00:00 · 43759fc1ed
--- a/8
+++ b/8
@ -1,3 +1,11 @@
+Sun Jun 10 10:48:15 2012  Martin Bosslet  <Martin.Bosslet@googlemail.com>
+
+	* lib/openssl/ssl.rb: Use a simple random number to generate the
+	  session id. MD5, as was used before, causes problems when
+	  using a FIPS version of OpenSSL. Issue was found by Jared
+	  Jennings, thank you!
+	  [ruby-trunk - Bug #6137]
+
 Sun Jun 10 10:27:34 2012  Martin Bosslet  <Martin.Bosslet@googlemail.com>

 	* NEWS: Add note about the new private key export behavior.
--- a/ext/openssl/lib/openssl/ssl.rb
+++ b/ext/openssl/lib/openssl/ssl.rb
@ -146,7 +146,9 @@ module OpenSSL
        @svr = svr
        @ctx = ctx
        unless ctx.session_id_context
-          session_id = OpenSSL::Digest::MD5.hexdigest($0)
+          # see #6137 - session id may not exceed 32 bytes
+          prng = ::Random.new($0.hash)
+          session_id = prng.bytes(16).unpack('H*')[0]
          @ctx.session_id_context = session_id
        end
        @start_immediately = true