ruby-changes:36017
From: nagachika <ko1@a...>
Date: Wed, 22 Oct 2014 23:15:03 +0900 (JST)
Subject: [ruby-changes:36017] nagachika:r48098 (ruby_2_1): merge revision(s) r45274, r45278, r45280, r48097: [Backport #9424] [Backport #9640]
nagachika 2014-10-22 23:14:52 +0900 (Wed, 22 Oct 2014) New Revision: 48098 http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=48098 Log: merge revision(s) r45274,r45278,r45280,r48097: [Backport #9424] [Backport #9640] * lib/openssl/ssl.rb: Explicitly whitelist the default SSL/TLS ciphers. Forbid SSLv2 and SSLv3, disable compression by default. Reported by Jeff Hodges. [ruby-core:59829] [Bug #9424] * test/openssl/test_ssl.rb: Reuse TLS default options from OpenSSL::SSL::SSLContext::DEFAULT_PARAMS. * ext/openssl/lib/openssl/ssl.rb (DEFAULT_PARAMS): override options even if OpenSSL::SSL::OP_NO_SSLv3 is not defined. this is pointed out by Stephen Touset. [ruby-core:65711] [Bug #9424] Modified directories: branches/ruby_2_1/ Modified files: branches/ruby_2_1/ChangeLog branches/ruby_2_1/ext/openssl/lib/openssl/ssl.rb branches/ruby_2_1/test/openssl/test_ssl.rb branches/ruby_2_1/version.h Index: ruby_2_1/ChangeLog =================================================================== --- ruby_2_1/ChangeLog (revision 48097) +++ ruby_2_1/ChangeLog (revision 48098) @@ -1,3 +1,22 @@ https://github.com/ruby/ruby/blob/trunk/ruby_2_1/ChangeLog#L1 +Wed Oct 22 23:02:49 2014 CHIKANAGA Tomoyuki <nagachika@r...> + + * ext/openssl/lib/openssl/ssl.rb (DEFAULT_PARAMS): override + options even if OpenSSL::SSL::OP_NO_SSLv3 is not defined. + this is pointed out by Stephen Touset. [ruby-core:65711] [Bug #9424] + +Wed Oct 22 23:02:49 2014 Martin Bosslet <Martin.Bosslet@g...> + + * test/openssl/test_ssl.rb: Reuse TLS default options from + OpenSSL::SSL::SSLContext::DEFAULT_PARAMS. + +Wed Oct 22 23:02:49 2014 Martin Bosslet <Martin.Bosslet@g...> + + * lib/openssl/ssl.rb: Explicitly whitelist the default + SSL/TLS ciphers. Forbid SSLv2 and SSLv3, disable + compression by default. + Reported by Jeff Hodges. + [ruby-core:59829] [Bug #9424] + Sun Oct 19 03:22:53 2014 Kazuki Tsujimoto <kazuki@c...> * vm_core.h, vm.c, proc.c: fix GC mark miss on bindings. Index: ruby_2_1/ext/openssl/lib/openssl/ssl.rb =================================================================== --- ruby_2_1/ext/openssl/lib/openssl/ssl.rb (revision 48097) +++ ruby_2_1/ext/openssl/lib/openssl/ssl.rb (revision 48098) @@ -23,10 +23,49 @@ module OpenSSL https://github.com/ruby/ruby/blob/trunk/ruby_2_1/ext/openssl/lib/openssl/ssl.rb#L23 DEFAULT_PARAMS = { :ssl_version => "SSLv23", :verify_mode => OpenSSL::SSL::VERIFY_PEER, - :ciphers => "ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW", - :options => defined?(OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS) ? - OpenSSL::SSL::OP_ALL & ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS : - OpenSSL::SSL::OP_ALL, + :ciphers => %w{ + ECDHE-ECDSA-AES128-GCM-SHA256 + ECDHE-RSA-AES128-GCM-SHA256 + ECDHE-ECDSA-AES256-GCM-SHA384 + ECDHE-RSA-AES256-GCM-SHA384 + DHE-RSA-AES128-GCM-SHA256 + DHE-DSS-AES128-GCM-SHA256 + DHE-RSA-AES256-GCM-SHA384 + DHE-DSS-AES256-GCM-SHA384 + ECDHE-ECDSA-AES128-SHA256 + ECDHE-RSA-AES128-SHA256 + ECDHE-ECDSA-AES128-SHA + ECDHE-RSA-AES128-SHA + ECDHE-ECDSA-AES256-SHA384 + ECDHE-RSA-AES256-SHA384 + ECDHE-ECDSA-AES256-SHA + ECDHE-RSA-AES256-SHA + DHE-RSA-AES128-SHA256 + DHE-RSA-AES256-SHA256 + DHE-RSA-AES128-SHA + DHE-RSA-AES256-SHA + DHE-DSS-AES128-SHA256 + DHE-DSS-AES256-SHA256 + DHE-DSS-AES128-SHA + DHE-DSS-AES256-SHA + AES128-GCM-SHA256 + AES256-GCM-SHA384 + AES128-SHA256 + AES256-SHA256 + AES128-SHA + AES256-SHA + ECDHE-ECDSA-RC4-SHA + ECDHE-RSA-RC4-SHA + RC4-SHA + }.join(":"), + :options => -> { + opts = OpenSSL::SSL::OP_ALL + opts &= ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS if defined?(OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS) + opts |= OpenSSL::SSL::OP_NO_COMPRESSION if defined?(OpenSSL::SSL::OP_NO_COMPRESSION) + opts |= OpenSSL::SSL::OP_NO_SSLv2 if defined?(OpenSSL::SSL::OP_NO_SSLv2) + opts |= OpenSSL::SSL::OP_NO_SSLv3 if defined?(OpenSSL::SSL::OP_NO_SSLv3) + opts + }.call } DEFAULT_CERT_STORE = OpenSSL::X509::Store.new Index: ruby_2_1/version.h =================================================================== --- ruby_2_1/version.h (revision 48097) +++ ruby_2_1/version.h (revision 48098) @@ -1,10 +1,10 @@ https://github.com/ruby/ruby/blob/trunk/ruby_2_1/version.h#L1 #define RUBY_VERSION "2.1.4" -#define RUBY_RELEASE_DATE "2014-10-19" -#define RUBY_PATCHLEVEL 261 +#define RUBY_RELEASE_DATE "2014-10-22" +#define RUBY_PATCHLEVEL 262 #define RUBY_RELEASE_YEAR 2014 #define RUBY_RELEASE_MONTH 10 -#define RUBY_RELEASE_DAY 19 +#define RUBY_RELEASE_DAY 22 #include "ruby/version.h" Index: ruby_2_1/test/openssl/test_ssl.rb =================================================================== --- ruby_2_1/test/openssl/test_ssl.rb (revision 48097) +++ ruby_2_1/test/openssl/test_ssl.rb (revision 48098) @@ -4,10 +4,6 @@ if defined?(OpenSSL) https://github.com/ruby/ruby/blob/trunk/ruby_2_1/test/openssl/test_ssl.rb#L4 class OpenSSL::TestSSL < OpenSSL::SSLTestCase - TLS_DEFAULT_OPS = defined?(OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS) ? - OpenSSL::SSL::OP_ALL & ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS : - OpenSSL::SSL::OP_ALL - def test_ctx_setup ctx = OpenSSL::SSL::SSLContext.new assert_equal(ctx.setup, true) @@ -276,7 +272,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTes https://github.com/ruby/ruby/blob/trunk/ruby_2_1/test/openssl/test_ssl.rb#L272 ctx = OpenSSL::SSL::SSLContext.new ctx.set_params assert_equal(OpenSSL::SSL::VERIFY_PEER, ctx.verify_mode) - assert_equal(TLS_DEFAULT_OPS, ctx.options) + assert_equal(OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:options], ctx.options) ciphers = ctx.ciphers ciphers_versions = ciphers.collect{|_, v, _, _| v } ciphers_names = ciphers.collect{|v, _, _, _| v } Property changes on: ruby_2_1 ___________________________________________________________________ Modified: svn:mergeinfo Merged /trunk:r45274,45278,45280,48097 -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/