[ruby/drb] Support :SSL{Min,Max}Version config options

These are necessary to get the tests passing with LibreSSL 3.8.1+,
which dropped support for TLSv1.0 and TLSv1.1 for security reasons.

This updates the tests to use TLSv1.2 on OpenBSD.  This is only
strictly necessary on OpenBSD 7.4+, but it will work fine in previous
versions as well.

https://github.com/ruby/drb/commit/32707b2db5
Jeremy Evans 2023-10-18 22:13:12 +01:00 коммит произвёл git
Родитель f51b92fe23
Коммит de07645019
3 изменённых файлов: 18 добавлений и 0 удалений


@ -73,6 +73,14 @@ module DRb
# :SSLTmpDhCallback :: # :SSLTmpDhCallback ::
# A DH callback. See OpenSSL::SSL::SSLContext.tmp_dh_callback # A DH callback. See OpenSSL::SSL::SSLContext.tmp_dh_callback
# #
# :SSLMinVersion ::
# This is the minimum SSL version to allow. See
# OpenSSL::SSL::SSLContext#min_version=.
#
# :SSLMaxVersion ::
# This is the maximum SSL version to allow. See
# OpenSSL::SSL::SSLContext#max_version=.
#
# :SSLVerifyMode :: # :SSLVerifyMode ::
# This is the SSL verification mode. See OpenSSL::SSL::VERIFY_* for # This is the SSL verification mode. See OpenSSL::SSL::VERIFY_* for
# available modes. The default is OpenSSL::SSL::VERIFY_NONE # available modes. The default is OpenSSL::SSL::VERIFY_NONE
@ -208,6 +216,8 @@ module DRb
ctx = ::OpenSSL::SSL::SSLContext.new ctx = ::OpenSSL::SSL::SSLContext.new
ctx.cert = @cert ctx.cert = @cert
ctx.key = @pkey ctx.key = @pkey
ctx.min_version = self[:SSLMinVersion]
ctx.max_version = self[:SSLMaxVersion]
ctx.client_ca = self[:SSLClientCA] ctx.client_ca = self[:SSLClientCA]
ctx.ca_path = self[:SSLCACertificatePath] ctx.ca_path = self[:SSLCACertificatePath]
ctx.ca_file = self[:SSLCACertificateFile] ctx.ca_file = self[:SSLCACertificateFile]
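Review bot: `ctx.min_version = self[:SSLMinVersion]` and the `ctx.max_version` line after it assign unconditionally, so a configuration that never sets these options now hands `nil` to both setters; in Ruby's openssl, `min_version = nil` means "no lower bound", and as far as I can tell an explicit nil can lower a floor the library or its system-wide configuration would otherwise have applied, rather than leaving the default untouched. Guarding the two assignments keeps existing configurations on their previous behaviour: `ctx.min_version = self[:SSLMinVersion] if self[:SSLMinVersion]` and `ctx.max_version = self[:SSLMaxVersion] if self[:SSLMaxVersion]`. The option documentation in the first hunk could state the same thing: that both options are unset by default and that leaving them unset imposes no bound from DRb's side. The enclosing method continues outside the hunk.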


@ -23,6 +23,10 @@ class DRbSSLService < DRbService
config[:SSLVerifyCallback] = lambda{ |ok,x509_store| config[:SSLVerifyCallback] = lambda{ |ok,x509_store|
true true
} }
if RUBY_PLATFORM.match?(/openbsd/)
config[:SSLMinVersion] = OpenSSL::SSL::TLS1_2_VERSION
config[:SSLMaxVersion] = OpenSSL::SSL::TLS1_2_VERSION
end
begin begin
data = open("sample.key"){|io| io.read } data = open("sample.key"){|io| io.read }
config[:SSLPrivateKey] = OpenSSL::PKey::RSA.new(data) config[:SSLPrivateKey] = OpenSSL::PKey::RSA.new(data)
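Review bot: The new `if RUBY_PLATFORM.match?(/openbsd/)` block keys the TLS version pin to the operating system rather than to the property that actually changed — the linked library no longer accepting TLS 1.0/1.1 — so the same test failure would recur on any other platform whose library drops those versions, and the pin is skipped on an OpenBSD build linked against OpenSSL. Setting `config[:SSLMinVersion] = OpenSSL::SSL::TLS1_2_VERSION` unconditionally would exercise the same path on every platform these tests run on; if the upper bound really is only needed with LibreSSL, conditioning on `OpenSSL::OPENSSL_LIBRARY_VERSION` describes that intent more directly than the platform string. The same four lines are repeated in the other test file changed by this commit; a small helper in the shared test setup would keep the check in one place. The surrounding setup method starts and ends outside the hunk.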


@ -24,6 +24,10 @@ AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC
config = Hash.new config = Hash.new
config[:SSLTmpDhCallback] = proc { DRbTests::TEST_KEY_DH1024 } config[:SSLTmpDhCallback] = proc { DRbTests::TEST_KEY_DH1024 }
if RUBY_PLATFORM.match?(/openbsd/)
config[:SSLMinVersion] = OpenSSL::SSL::TLS1_2_VERSION
config[:SSLMaxVersion] = OpenSSL::SSL::TLS1_2_VERSION
end
config[:SSLVerifyMode] = OpenSSL::SSL::VERIFY_PEER config[:SSLVerifyMode] = OpenSSL::SSL::VERIFY_PEER
config[:SSLVerifyCallback] = lambda{|ok,x509_store| config[:SSLVerifyCallback] = lambda{|ok,x509_store|
true true