ruby-changes:26382
From: emboss <ko1@a...>
Date: Tue, 18 Dec 2012 11:02:56 +0900 (JST)
Subject: [ruby-changes:26382] emboss:r38433 (trunk): * ext/openssl/lib/ssl.rb: Enable insertion of empty fragments as a
emboss 2012-12-18 11:02:43 +0900 (Tue, 18 Dec 2012) New Revision: 38433 http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=38433 Log: * ext/openssl/lib/ssl.rb: Enable insertion of empty fragments as a countermeasure for the BEAST attack by default. The default options of OpenSSL::SSL:SSLContext are now: OpenSSL::SSL::OP_ALL & ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS [Bug #5353] [ruby-core:39673] * test/openssl/test_ssl.rb: Adapt tests to new SSLContext default. * NEWS: Announce the new default. Modified files: trunk/ChangeLog trunk/NEWS trunk/ext/openssl/lib/openssl/ssl.rb trunk/test/openssl/test_ssl.rb Index: ChangeLog =================================================================== --- ChangeLog (revision 38432) +++ ChangeLog (revision 38433) @@ -1,3 +1,15 @@ https://github.com/ruby/ruby/blob/trunk/ChangeLog#L1 +Tue Dec 18 11:52:34 2012 Martin Bosslet <Martin.Bosslet@g...> + + * ext/openssl/lib/ssl.rb: Enable insertion of empty fragments as a + countermeasure for the BEAST attack by default. The default options + of OpenSSL::SSL:SSLContext are now: + OpenSSL::SSL::OP_ALL & ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS + [Bug #5353] [ruby-core:39673] + + * test/openssl/test_ssl.rb: Adapt tests to new SSLContext default. + + * NEWS: Announce the new default. + Tue Dec 18 06:36:12 2012 Koichi Sasada <ko1@a...> * method.h: remove `VM_METHOD_TYPE_CFUNC_FRAMELESS' method type. Index: ext/openssl/lib/openssl/ssl.rb =================================================================== --- ext/openssl/lib/openssl/ssl.rb (revision 38432) +++ ext/openssl/lib/openssl/ssl.rb (revision 38433) @@ -24,7 +24,9 @@ module OpenSSL https://github.com/ruby/ruby/blob/trunk/ext/openssl/lib/openssl/ssl.rb#L24 :ssl_version => "SSLv23", :verify_mode => OpenSSL::SSL::VERIFY_PEER, :ciphers => "ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW", - :options => OpenSSL::SSL::OP_ALL, + :options => defined?(OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS) ? + OpenSSL::SSL::OP_ALL & ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS : + OpenSSL::SSL::OP_ALL, } DEFAULT_CERT_STORE = OpenSSL::X509::Store.new Index: NEWS =================================================================== --- NEWS (revision 38432) +++ NEWS (revision 38433) @@ -256,7 +256,11 @@ with all sufficient information, see the https://github.com/ruby/ruby/blob/trunk/NEWS#L256 with OpenSSL 1.0.1 and higher. * OpenSSL::OPENSSL_FIPS allows client applications to detect whether OpenSSL is running in FIPS mode and to react to the special requirements this - might impy. + might imply. + * The default options for OpenSSL::SSL::SSLContext have changed to + OpenSSL::SSL::OP_ALL & ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS + instead of OpenSSL::SSL::OP_ALL only. This enables the countermeasure for + the BEAST attack by default. * ostruct * new methods: Index: test/openssl/test_ssl.rb =================================================================== --- test/openssl/test_ssl.rb (revision 38432) +++ test/openssl/test_ssl.rb (revision 38433) @@ -3,6 +3,11 @@ require_relative "utils" https://github.com/ruby/ruby/blob/trunk/test/openssl/test_ssl.rb#L3 if defined?(OpenSSL) class OpenSSL::TestSSL < OpenSSL::SSLTestCase + + TLS_DEFAULT_OPS = defined?(OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS) ? + OpenSSL::SSL::OP_ALL & ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS : + OpenSSL::SSL::OP_ALL + def test_ctx_setup ctx = OpenSSL::SSL::SSLContext.new assert_equal(ctx.setup, true) @@ -257,7 +262,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTes https://github.com/ruby/ruby/blob/trunk/test/openssl/test_ssl.rb#L262 ctx = OpenSSL::SSL::SSLContext.new ctx.set_params assert_equal(OpenSSL::SSL::VERIFY_PEER, ctx.verify_mode) - assert_equal(OpenSSL::SSL::OP_ALL, ctx.options) + assert_equal(TLS_DEFAULT_OPS, ctx.options) ciphers = ctx.ciphers ciphers_versions = ciphers.collect{|_, v, _, _| v } ciphers_names = ciphers.collect{|v, _, _, _| v } @@ -398,7 +403,10 @@ class OpenSSL::TestSSL < OpenSSL::SSLTes https://github.com/ruby/ruby/blob/trunk/test/openssl/test_ssl.rb#L403 def test_unset_OP_ALL ctx_proc = Proc.new { |ctx| - ctx.options = OpenSSL::SSL::OP_ALL & ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS + # If OP_DONT_INSERT_EMPTY_FRAGMENTS is not defined, this test is + # redundant because the default options already are equal to OP_ALL. + # But it also degrades gracefully, so keep it + ctx.options = OpenSSL::SSL::OP_ALL } start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true, :ctx_proc => ctx_proc){|server, port| server_connect(port) { |ssl| -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/