Import Ruby/OpenSSL 2.0.0. The full commit history since 2.0.0 beta.2
(imported at r56098) can be found at:
https://github.com/ruby/openssl/compare/v2.0.0.beta.2...v2.0.0
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56946 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* test/openssl/test_ssl.rb (test_ctx_options): Fix test failure on
Ubuntu 16.04. The fix in r56147 was incomplete. This is a cherry-pick
of the commit b039f3e268c2 at ruby/openssl.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56178 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* test/openssl/test_ssl.rb (test_ctx_options): Add a workaround for
patched OpenSSL to fix the Ruby CI failure on Ubuntu 16.04.
http://rubyci.s3.amazonaws.com/ubuntu/ruby-trunk/log/20160913T033003Z.fail.html.gz
This commit is a cherry-pick of the following commit at ruby/openssl:
f9c04779a8
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56147 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* {ext,test}/openssl: Import Ruby/OpenSSL 2.0.0.beta.2. The full commit
history since v2.0.0.beta.1 can be found at:
https://github.com/ruby/openssl/compare/v2.0.0.beta.1...v2.0.0.beta.2
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56098 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* NEWS, {ext,test,sample}/openssl: Import Ruby/OpenSSL 2.0.0.beta.1.
ext/openssl is now converted into a default gem. The full commit
history since r55538 can be found at:
https://github.com/ruby/openssl/compare/08e1881f5663...v2.0.0.beta.1
[Feature #9612]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56027 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
This fixes `make test-all TESTS=openssl` with OpenSSL master.
* test/openssl/test_x509name.rb: Don't register OID for 'emailAddress'
and 'serialNumber'. A recent change in OpenSSL made OBJ_create()
reject an already existing OID. They were needed to run tests with
OpenSSL 0.9.6 which is now unsupported.
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=52832e470f5fe8c222249ae5b539aeb3c74cdb25
[ruby-core:75225] [Feature #12324]
* test/openssl/test_ssl_session.rb (test_server_session): Duplicate
SSL::Session before re-adding to the session store. OpenSSL 1.1.0
starts rejecting SSL_SESSION once removed by SSL_CTX_remove_session().
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=7c2d4fee2547650102cd16d23f8125b76112ae75
* test/openssl/test_pkey_ec.rb (setup): Remove X25519 from @keys. X25519
is new in OpenSSL 1.1.0 but this is for key agreement and not for
signing.
* test/openssl/test_pair.rb, test/openssl/test_ssl.rb,
test/openssl/utils.rb: Set security level to 0 when using aNULL cipher
suites.
* test/openssl/utils.rb: Use 1024 bits DSA key for client certificates.
* test/openssl/test_engine.rb: Run each test in separate process.
We can no longer cleanup engines explicitly as ENGINE_cleanup() was
removed.
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=6d4fb1d59e61aacefa25edc4fe5acfe1ac93f743
* ext/openssl/ossl_engine.c (ossl_engine_s_cleanup): Add a note to the
RDoc for Engine.cleanup.
* ext/openssl/lib/openssl/digest.rb: Don't define constants for DSS,
DSS1 and SHA(-0) when using with OpenSSL 1.1.0. They are removed.
* test/openssl/test_digest.rb, test/openssl/test_pkey_dsa.rb,
test/openssl/test_pkey_dsa.rb, test/openssl/test_ssl.rb,
test/openssl/test_x509cert.rb, test/openssl/test_x509req.rb: Don't
test unsupported hash functions.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55314 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* ext/openssl/extconf.rb: Check for SSL_CTX_get_security_level().
OpenSSL 1.1.0 introduced "security level".
[ruby-core:75225] [Feature #12324]
* ext/openssl/ossl_ssl.c (ossl_sslctx_{get,set}_security_level): Add
SSLContext#security_level and #security_level=.
* test/openssl/test_ssl.rb (test_security_level): Add test. ...but this
doesn't actually test it. Because #security_level= is necessary in
order to run other tests on OpenSSL 1.1.0, go without tests for now.
Will fix after converting SSLContext#key= and #cert= to normal methods.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55309 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* ext/openssl/ossl_ssl.c (ossl_ssl_stop): Don't free the SSL struct
here. Since some methods such as SSLSocket#connect releases GVL,
there is a chance of use after free if we free the SSL from another
thread. SSLSocket#stop was documented as "prepares it for another
connection" so this is a slightly incompatible change. However when
this sentence was added (r30090, Add toplevel documentation for
OpenSSL, 2010-12-06), it didn't actually. The current behavior is
from r40304 (Correct shutdown behavior w.r.t GC., 2013-04-15).
[ruby-core:74978] [Bug #12292]
* ext/openssl/lib/openssl/ssl.rb (sysclose): Update doc.
* test/openssl/test_ssl.rb: Test this.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55100 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* test/openssl/test_ssl.rb (test_get_ephemeral_key): should use
assert_instance_of instead of comparison of classes.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54487 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* ext/openssl/ossl_ssl.c (ossl_ssl_tmp_key): Access to ephemeral
TLS session key in case of forward secrecy cipher. Only
available since OpenSSL 1.0.2. [Fix GH-1318]
* ext/openssl/extconf.rb: Check for SSL_get_server_tmp_key.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54485 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* ext/openssl/extconf.rb: check SSL_CTX_set_next_proto_select_cb
function rather than OPENSSL_NPN_NEGOTIATED macro. it exists
even if it is disabled by OpenSSL configuration.
[ruby-core:74384] [Bug #12182]
* ext/openssl/ossl_ssl.c: update #ifdef(s) as above.
* test/openssl/test_ssl.rb: skip NPN tests if NPN is disabled.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@54258 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
When you change this to true, you may need to add more tests.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@53141 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
I was worried r52750 would break IO.copy_stream with things like
OpenSSL sockets which wrap IOs, but require data to be run through
through encryption/decryption filters. Apparently my worry
was unfounded, but perhaps this test will ensure this case continues
to work.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@52751 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
if the SSL library supports it. Thanks Kurt Roeckx <kurt@roeckx.be>
[Bug #11376]
* ext/openssl/extconf.rb: check for SSLv3 support in the SSL
implementation.
* test/openssl/test_ssl.rb (class OpenSSL): Skip tests that need SSLv3
if there is no support.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51722 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
existing options rather than just setting it. Some vendors apply
custom patches to their versions of OpenSSL that set default values
for options. This commit respects the custom patches they've
applied.
* test/openssl/test_ssl.rb (class OpenSSL): check that OP_ALL has been
added to the options.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51642 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* ext/openssl/ossl_ssl.c (ossl_sslctx_set_ssl_version): SSL method
name must not contain NUL. preserve the encoding of message.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51588 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* test/openssl/test_ssl.rb: use assert_raise instead of a
deprecated method.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51587 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
SSLContext#options and options= using SSL_CTX_set_options and
SSL_CTX_get_options. This reduces the number of ivars we need and
simplifies `ossl_sslctx_setup`.
* ext/openssl/lib/openssl/ssl.rb (module OpenSSL): Default `options`
to SSL_OP_ALL
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51462 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
helpful exception when verifying the peer connection and an
anonymous cipher has been selected. [ruby-core:68330] [Bug #10910]
Thanks to Chris Sinjakli <chris@sinjakli.co.uk> for the patch.
* test/openssl/test_ssl.rb (class OpenSSL): test for change
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51409 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
object returned by the servername callback on to the socket as an
instance variable. If the callback allocated a new context object
and didn't keep a reference to it, it could be GC'd out from under
the socket object.
* test/openssl/test_ssl.rb (class OpenSSL): test for change.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51387 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* ext/openssl/extconf.rb: detect ALPN support in OpenSSL
* test/openssl/test_ssl.rb: test for ALPN
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51347 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
OpenSSL::SSL::SSLSocket#sysread does not accept kwargs in blocking
mode, inform users if they make an error.
* ext/openssl/ossl_ssl.c (ossl_ssl_read_internal):
do not process kwargs in blocking mode
* test/openssl/test_ssl.rb: test sysread
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51016 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
following RFC 6125. with the patch provided by Tony Arcieri and
Hiroshi Nakamura [ruby-core:61545] [Bug #9644]
* test/openssl/test_ssl.rb: add tests for above.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@50292 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
as much as possible.
* test/openssl/test_ssl_session.rb: Ditto.
* test/openssl/test_partial_record_read.rb: Ditto.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@48232 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
shouldn't use same server for respective tests, because the 1st
test sometimes kills the server main loop silently.
[Bug #9881] [ruby-dev:48266]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@46325 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
when SSL is not started.
This fix the fd leak by test_https_proxy_authentication in
test/net/http/test_https_proxy.rb.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@46209 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
when SSL session has not been started.
* test/openssl/test_ssl.rb: test for change.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@44732 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
SSLSocket methods. [ruby-trunk - Bug #9028]
* test/openssl/test_ssl.rb: Test for the above.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@43964 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
critical.
The patch for CVE-2013-4073 caused SSL crash when a SSL server returns
the certificate that has critical SAN value. X509 extension could
include 2 or 3 elements in it:
[id, criticality, octet_string] if critical,
[id, octet_string] if not.
Making sure to pick the last element of X509 extension and use it as
SAN value.
[ruby-core:55685] [Bug #8575]
Thank you @nahi for providing the patch!
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@41805 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
hostname verification. Patched by nahi.
* test/openssl/test_ssl.rb (test_verify_certificate_identity): test for
above.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@41671 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
countermeasure for the BEAST attack by default. The default options
of OpenSSL::SSL:SSLContext are now:
OpenSSL::SSL::OP_ALL & ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS
[Bug #5353] [ruby-core:39673]
* test/openssl/test_ssl.rb: Adapt tests to new SSLContext default.
* NEWS: Announce the new default.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@38433 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
ext/ossl_ssl.c: Support Next Protocol Negotiation. Protocols to be
advertised by the server can be set in the SSLContext by using
SSLContext#npn_protocols=, protocol selection on the client is
supported by providing a selection callback with
SSLContext#npn_select_cb. The protocol that was finally negotiated
is available through SSL#npn_protocol.
test/openssl/test_ssl.rb: Add tests for Next Protocol Negotiation.
NEWS: add news about NPN support.
[Feature #6503] [ruby-core:45272]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@36871 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
remove SSLContext#disable_client_renegotiation and related
functionality introduced in r35797. The new callback approach
gives clients maximum flexibility to decide on their own what to
do on renegotiation attempts.
Add documentation for SSL module and SSLError.
* test/openssl/test_ssl.rb: Add a test for
SSLContext#renegotiation_cb.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35994 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* test/openssl/test_ssl.rb: Simple tests for this.
Client-side renegotiation is still considered problematic, even
when used in the context of secure renegotiation (RI, RFC 5746).
The changes allow users to either completely disable client
renegotiation on the server, or to specify a maximum number of
handshakes allowed in total. The number of total handshakes is
counted in a callback set as SSL_set_info_callback. If the
maximum number of handshakes is exceeded an error will be raised
We do not support renegotiation in the OpenSSL extension, therefore
this feature can only be tested externally.
The feature is opt-in, the default setting will be to allow
unlimited client renegotiation, as was the case before.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35797 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
expected. Two errors are possible when connection is refused due
to a protocol version that was explicitly disallowed,
OpenSSL::SSL::SSLError or Errno::ECONNRESET, depending on the
OpenSSL version in use.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35796 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* test/openssl/test_ssl.rb (test_forbid_tls_v1_{1,2}_{for_client,from_server}):
test only if necessary option is available.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35570 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
OpenSSL::SSL::OP_NO_TLSv1_1
OpenSSL::SSL::OP_NO_TLSv1_2
to allow blocking specific TLS versions. Thanks to Justin Guyett for
pointing this out to me.
* test/openssl/test_ssl.rb: add tests to assert correct behavior when
blocking certain versions of TLS/SSL both on server and client side.
Also refactored tests to reduce boilerplate code a little.
* test/openssl/utils.rb: rescue Errno::ECONNRESET for tests where
client rejects the connection because a forbidden protocol version
was used.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35567 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
SSLContext#version to inspect the version that was negotiated for
a given connection.
* ext/openssl/extconf.rb: detect TLS 1.1 & 1.2 support.
* test/openssl/test_ssl.rb: add tests for TLS 1.1 & 1.2 given they
are supported by the native OpenSSL being used.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35549 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
option to prevent BEAST attack. See [Bug #5353].
In OpenSSL, OP_DONT_INSERT_EMPTY_FRAGMENTS is used to prevent
TLS-CBC-IV vulunerability described at
http://www.openssl.org/~bodo/tls-cbc.txt
It's known issue of TLSv1/SSLv3 but it attracts lots of attention
these days as BEAST attack. (CVE-2011-3389)
Until now ossl sets OP_ALL at SSLContext allocation and call
SSL_CTX_set_options at connection. SSL_CTX_set_options updates the
value by using |= so bits set by OP_ALL cannot be unset afterwards.
This commit changes to call SSL_CTX_set_options only 1 time for each
SSLContext. It sets the specified value if SSLContext#options= are
called and sets OP_ALL if not.
To help users to unset bits in OP_ALL, this commit also adds several
constant to SSL such as
OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS. These constants were
not exposed in Ruby because there's no way to unset bits in OP_ALL
before.
Following is an example to enable 0/n split for BEAST prevention.
ctx.options = OP_ALL & ~OP_DONT_INSERT_EMPTY_FRAGMENTS
* test/openssl/test_ssl.rb: Test above option exists.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@34482 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
binary data.
* test/openssl/test_ssl.rb: Add test for it.
Thanks to Niklas Baumstark for reporting the issue!
[Ruby 1.9 - Bug #5233] [ruby-core:39120]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@33485 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Without this, the connection will be alive without GC after exit
the block and the test will fail as "TCPServer was closed and SSLServer
is still alive" on 64bit Unix: at least CentOS, Ubuntu, and FreeBSD.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@33300 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* test/openssl/test_ssl.rb: Add a test for it.
Thanks to Eric Wong for the patch.
[Ruby 1.9 - Feature #5183] [ruby-core:38911]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32973 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
verify callback of SSLContext and X509Store and make the
verification fail normally. Raising exception directly from callback
causes orphan resouces in OpenSSL stack. Patched by Ippei Obayashi.
See #4445.
* test/openssl/test_ssl.rb
(test_exception_in_verify_callback_is_ignored): test it.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32537 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
variable.
* test/openssl/*: less warnings while test running with -w.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@29217 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
OpenSSL::SSL::SSLSocket should implement read_nonblock. a patch
from Aaron Patterson in [ruby-core:20277]. fix: #814 [ruby-core:20241]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@20493 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Debian's openssl 0.9.8g-13 failed at assert(ssl.session_reused?),
when use default SSLContext. [ruby-dev:36167]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@19268 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Add a null check for ssl; submitted by akira yamada
in [ruby-dev:34950].
* ext/openssl/ossl_ssl.c (Init_ossl_ssl): Define OP_NO_TICKET if
SSL_OP_NO_TICKET is present; submitted by akira yamada
in [ruby-dev:34944].
* test/openssl/test_ssl.rb (OpenSSL#test_server_session): Add a
workaround for the case where OpenSSL is configured with
--enable-tlsext; submitted by akira yamada in [ruby-dev:34944].
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@16842 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
New method SSLContext#setup to aid C extension writers.
* test/openssl/test_ssl.rb: Add tests for new method and sessions.
Use threads for ssl server instead of forking.
* ext/openssl/ossl_version.h: Bump version.
* ext/openssl/ossl_x509ext.c: Fix warnings.
* test/openssl/utils.rb: Fix warnings.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@16111 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
new method OpenSSL::SSL::SSLContext#ssl_version to wrap
SSL_CTX_set_ssl_version.
* ext/openssl/ossl_ssl.c (ossl_ssl_get_verify_result):
new method OpenSSL::SSL::SSLSocket#verify_result to wrap
SSL_get_verrify_result.
* ext/openssl/lib/openssl/ssl.rb (OpenSSL::SSL::SSLContext.build):
new method to build OpenSSL::SSL::SSLContext with Hash parameters.
this method provides safety default parameters than SSLContext.new.
* ext/openssl/lib/openssl/ssl.rb (OpenSSL::SSL.verify_cetificate_identity):
new module function: pull out identity verification process
from OpenSSL::SSL::SSLSocket#post_connection_check.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@14270 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
rhe
nobu
naruse
normal
zzak
tenderlove
hsbt
usa
nagachika
akr
headius
emboss
drbrain
charliesome
nahi
technorama
matz
kazu
mame
knu
gotoyuzo