ruby-changes:52018
From: rhe <ko1@a...>
Date: Wed, 8 Aug 2018 23:14:02 +0900 (JST)
Subject: [ruby-changes:52018] rhe:r64234 (trunk): net/http, net/ftp: fix session resumption with TLS 1.3
rhe 2018-08-08 23:13:55 +0900 (Wed, 08 Aug 2018) New Revision: 64234 https://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=64234 Log: net/http, net/ftp: fix session resumption with TLS 1.3 When TLS 1.3 is in use, the session ticket may not have been sent yet even though a handshake has finished. Also, the ticket could change if multiple session ticket messages are sent by the server. Use SSLContext#session_new_cb instead of calling SSLSocket#session immediately after a handshake. This way also works with earlier protocol versions. Modified files: trunk/lib/net/ftp.rb trunk/lib/net/http.rb trunk/test/net/http/test_https.rb Index: lib/net/http.rb =================================================================== --- lib/net/http.rb (revision 64233) +++ lib/net/http.rb (revision 64234) @@ -983,6 +983,10 @@ module Net #:nodoc: https://github.com/ruby/ruby/blob/trunk/lib/net/http.rb#L983 end @ssl_context = OpenSSL::SSL::SSLContext.new @ssl_context.set_params(ssl_parameters) + @ssl_context.session_cache_mode = + OpenSSL::SSL::SSLContext::SESSION_CACHE_CLIENT | + OpenSSL::SSL::SSLContext::SESSION_CACHE_NO_INTERNAL_STORE + @ssl_context.session_new_cb = proc {|sock, sess| @ssl_session = sess } D "starting SSL for #{conn_address}:#{conn_port}..." s = OpenSSL::SSL::SSLSocket.new(s, @ssl_context) s.sync_close = true @@ -990,13 +994,12 @@ module Net #:nodoc: https://github.com/ruby/ruby/blob/trunk/lib/net/http.rb#L994 s.hostname = @address if s.respond_to? :hostname= if @ssl_session and Process.clock_gettime(Process::CLOCK_REALTIME) < @ssl_session.time.to_f + @ssl_session.timeout - s.session = @ssl_session if @ssl_session + s.session = @ssl_session end ssl_socket_connect(s, @open_timeout) if @ssl_context.verify_mode != OpenSSL::SSL::VERIFY_NONE s.post_connection_check(@address) end - @ssl_session = s.session D "SSL established" end @socket = BufferedIO.new(s, read_timeout: @read_timeout, Index: lib/net/ftp.rb =================================================================== --- lib/net/ftp.rb (revision 64233) +++ lib/net/ftp.rb (revision 64234) @@ -230,6 +230,10 @@ module Net https://github.com/ruby/ruby/blob/trunk/lib/net/ftp.rb#L230 if defined?(VerifyCallbackProc) @ssl_context.verify_callback = VerifyCallbackProc end + @ssl_context.session_cache_mode = + OpenSSL::SSL::SSLContext::SESSION_CACHE_CLIENT | + OpenSSL::SSL::SSLContext::SESSION_CACHE_NO_INTERNAL_STORE + @ssl_context.session_new_cb = proc {|sock, sess| @ssl_session = sess } @ssl_session = nil if options[:private_data_connection].nil? @private_data_connection = true @@ -349,7 +353,6 @@ module Net https://github.com/ruby/ruby/blob/trunk/lib/net/ftp.rb#L353 if @ssl_context.verify_mode != VERIFY_NONE ssl_sock.post_connection_check(@host) end - @ssl_session = ssl_sock.session return ssl_sock end private :start_tls_session Index: test/net/http/test_https.rb =================================================================== --- test/net/http/test_https.rb (revision 64233) +++ test/net/http/test_https.rb (revision 64234) @@ -73,18 +73,9 @@ class TestNetHTTPS < Test::Unit::TestCas https://github.com/ruby/ruby/blob/trunk/test/net/http/test_https.rb#L73 http.start http.get("/") - http.finish # three times due to possible bug in OpenSSL 0.9.8 - - sid = http.instance_variable_get(:@ssl_session).id - - http.start - http.get("/") socket = http.instance_variable_get(:@socket).io - - assert socket.session_reused? - - assert_equal sid, http.instance_variable_get(:@ssl_session).id + assert_equal true, socket.session_reused? http.finish rescue SystemCallError @@ -101,16 +92,12 @@ class TestNetHTTPS < Test::Unit::TestCas https://github.com/ruby/ruby/blob/trunk/test/net/http/test_https.rb#L92 http.get("/") http.finish - sid = http.instance_variable_get(:@ssl_session).id - http.start http.get("/") socket = http.instance_variable_get(:@socket).io assert_equal false, socket.session_reused? - assert_not_equal sid, http.instance_variable_get(:@ssl_session).id - http.finish rescue SystemCallError skip $! @@ -160,15 +147,16 @@ class TestNetHTTPS < Test::Unit::TestCas https://github.com/ruby/ruby/blob/trunk/test/net/http/test_https.rb#L147 end def test_identity_verify_failure + # the certificate's subject has CN=localhost http = Net::HTTP.new("127.0.0.1", config("port")) http.use_ssl = true - http.verify_callback = Proc.new do |preverify_ok, store_ctx| - true - end + http.cert_store = TEST_STORE + @log_tester = lambda {|_| } ex = assert_raise(OpenSSL::SSL::SSLError){ http.request_get("/") {|res| } } - assert_match(/hostname \"127.0.0.1\" does not match/, ex.message) + re_msg = /certificate verify failed|hostname \"127.0.0.1\" does not match/ + assert_match(re_msg, ex.message) end def test_timeout_during_SSL_handshake @@ -193,16 +181,13 @@ class TestNetHTTPS < Test::Unit::TestCas https://github.com/ruby/ruby/blob/trunk/test/net/http/test_https.rb#L181 end def test_min_version - http = Net::HTTP.new("127.0.0.1", config("port")) + http = Net::HTTP.new("localhost", config("port")) http.use_ssl = true http.min_version = :TLS1 - http.verify_callback = Proc.new do |preverify_ok, store_ctx| - true - end - ex = assert_raise(OpenSSL::SSL::SSLError){ - http.request_get("/") {|res| } + http.cert_store = TEST_STORE + http.request_get("/") {|res| + assert_equal($test_net_http_data, res.body) } - assert_match(/hostname \"127.0.0.1\" does not match/, ex.message) end def test_max_version -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/