ruby-changes:23954
From: emboss <ko1@a...>
Date: Sun, 10 Jun 2012 10:54:09 +0900 (JST)
Subject: [ruby-changes:23954] emboss:r36005 (trunk): * lib/openssl/ssl.rb: Use a simple random number to generate the
emboss 2012-06-10 10:53:20 +0900 (Sun, 10 Jun 2012) New Revision: 36005 http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=36005 Log: * lib/openssl/ssl.rb: Use a simple random number to generate the session id. MD5, as was used before, causes problems when using a FIPS version of OpenSSL. Issue was found by Jared Jennings, thank you! [ruby-trunk - Bug #6137] Modified files: trunk/ChangeLog trunk/ext/openssl/lib/openssl/ssl.rb Index: ChangeLog =================================================================== --- ChangeLog (revision 36004) +++ ChangeLog (revision 36005) @@ -1,3 +1,11 @@ +Sun Jun 10 10:48:15 2012 Martin Bosslet <Martin.Bosslet@g...> + + * lib/openssl/ssl.rb: Use a simple random number to generate the + session id. MD5, as was used before, causes problems when + using a FIPS version of OpenSSL. Issue was found by Jared + Jennings, thank you! + [ruby-trunk - Bug #6137] + Sun Jun 10 10:27:34 2012 Martin Bosslet <Martin.Bosslet@g...> * NEWS: Add note about the new private key export behavior. Index: ext/openssl/lib/openssl/ssl.rb =================================================================== --- ext/openssl/lib/openssl/ssl.rb (revision 36004) +++ ext/openssl/lib/openssl/ssl.rb (revision 36005) @@ -146,7 +146,9 @@ @svr = svr @ctx = ctx unless ctx.session_id_context - session_id = OpenSSL::Digest::MD5.hexdigest($0) + # see #6137 - session id may not exceed 32 bytes + prng = ::Random.new($0.hash) + session_id = prng.bytes(16).unpack('H*')[0] @ctx.session_id_context = session_id end @start_immediately = true -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/