
ruby-changes:36017

From: nagachika <ko1@a...>
Date: Wed, 22 Oct 2014 23:15:03 +0900 (JST)
Subject: [ruby-changes:36017] nagachika:r48098 (ruby_2_1): merge revision(s) r45274, r45278, r45280, r48097: [Backport #9424] [Backport #9640]

nagachika	2014-10-22 23:14:52 +0900 (Wed, 22 Oct 2014)

  New Revision: 48098

  http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=48098

  Log:
    merge revision(s) r45274,r45278,r45280,r48097: [Backport #9424] [Backport #9640]
    
    * lib/openssl/ssl.rb: Explicitly whitelist the default
      SSL/TLS ciphers. Forbid SSLv2 and SSLv3, disable
      compression by default.
      Reported by Jeff Hodges.
      [ruby-core:59829] [Bug #9424]
    
    * test/openssl/test_ssl.rb: Reuse TLS default options from
      OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.
    
    * ext/openssl/lib/openssl/ssl.rb (DEFAULT_PARAMS): override
      options even if OpenSSL::SSL::OP_NO_SSLv3 is not defined.
      This was pointed out by Stephen Touset. [ruby-core:65711] [Bug #9424]

  Modified directories:
    branches/ruby_2_1/
  Modified files:
    branches/ruby_2_1/ChangeLog
    branches/ruby_2_1/ext/openssl/lib/openssl/ssl.rb
    branches/ruby_2_1/test/openssl/test_ssl.rb
    branches/ruby_2_1/version.h
Index: ruby_2_1/ChangeLog
===================================================================
--- ruby_2_1/ChangeLog	(revision 48097)
+++ ruby_2_1/ChangeLog	(revision 48098)
@@ -1,3 +1,22 @@ https://github.com/ruby/ruby/blob/trunk/ruby_2_1/ChangeLog#L1
+Wed Oct 22 23:02:49 2014  CHIKANAGA Tomoyuki  <nagachika@r...>
+
+	* ext/openssl/lib/openssl/ssl.rb (DEFAULT_PARAMS): override
+	  options even if OpenSSL::SSL::OP_NO_SSLv3 is not defined.
+	  this is pointed out by Stephen Touset. [ruby-core:65711] [Bug #9424]
+
+Wed Oct 22 23:02:49 2014  Martin Bosslet  <Martin.Bosslet@g...>
+
+	* test/openssl/test_ssl.rb: Reuse TLS default options from
+	  OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.
+
+Wed Oct 22 23:02:49 2014  Martin Bosslet  <Martin.Bosslet@g...>
+
+	* lib/openssl/ssl.rb: Explicitly whitelist the default
+	  SSL/TLS ciphers. Forbid SSLv2 and SSLv3, disable
+	  compression by default.
+	  Reported by Jeff Hodges.
+	  [ruby-core:59829] [Bug #9424]
+
 Sun Oct 19 03:22:53 2014  Kazuki Tsujimoto  <kazuki@c...>
 
 	* vm_core.h, vm.c, proc.c: fix GC mark miss on bindings.
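Review bot: the three backported entries at the top of this hunk all carry the identical timestamp `Wed Oct 22 23:02:49 2014`, and the third entry names `lib/openssl/ssl.rb` while the first entry (and the modified-files list) uses `ext/openssl/lib/openssl/ssl.rb`; use the full `ext/openssl/lib/openssl/ssl.rb` path in all three so each entry points at the file that actually changed.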
Index: ruby_2_1/ext/openssl/lib/openssl/ssl.rb
===================================================================
--- ruby_2_1/ext/openssl/lib/openssl/ssl.rb	(revision 48097)
+++ ruby_2_1/ext/openssl/lib/openssl/ssl.rb	(revision 48098)
@@ -23,10 +23,49 @@ module OpenSSL https://github.com/ruby/ruby/blob/trunk/ruby_2_1/ext/openssl/lib/openssl/ssl.rb#L23
       DEFAULT_PARAMS = {
         :ssl_version => "SSLv23",
         :verify_mode => OpenSSL::SSL::VERIFY_PEER,
-        :ciphers => "ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW",
-        :options => defined?(OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS) ?
-          OpenSSL::SSL::OP_ALL & ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS :
-          OpenSSL::SSL::OP_ALL,
+        :ciphers => %w{
+          ECDHE-ECDSA-AES128-GCM-SHA256
+          ECDHE-RSA-AES128-GCM-SHA256
+          ECDHE-ECDSA-AES256-GCM-SHA384
+          ECDHE-RSA-AES256-GCM-SHA384
+          DHE-RSA-AES128-GCM-SHA256
+          DHE-DSS-AES128-GCM-SHA256
+          DHE-RSA-AES256-GCM-SHA384
+          DHE-DSS-AES256-GCM-SHA384
+          ECDHE-ECDSA-AES128-SHA256
+          ECDHE-RSA-AES128-SHA256
+          ECDHE-ECDSA-AES128-SHA
+          ECDHE-RSA-AES128-SHA
+          ECDHE-ECDSA-AES256-SHA384
+          ECDHE-RSA-AES256-SHA384
+          ECDHE-ECDSA-AES256-SHA
+          ECDHE-RSA-AES256-SHA
+          DHE-RSA-AES128-SHA256
+          DHE-RSA-AES256-SHA256
+          DHE-RSA-AES128-SHA
+          DHE-RSA-AES256-SHA
+          DHE-DSS-AES128-SHA256
+          DHE-DSS-AES256-SHA256
+          DHE-DSS-AES128-SHA
+          DHE-DSS-AES256-SHA
+          AES128-GCM-SHA256
+          AES256-GCM-SHA384
+          AES128-SHA256
+          AES256-SHA256
+          AES128-SHA
+          AES256-SHA
+          ECDHE-ECDSA-RC4-SHA
+          ECDHE-RSA-RC4-SHA
+          RC4-SHA
+        }.join(":"),
+        :options => -> {
+          opts = OpenSSL::SSL::OP_ALL
+          opts &= ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS if defined?(OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS)
+          opts |= OpenSSL::SSL::OP_NO_COMPRESSION if defined?(OpenSSL::SSL::OP_NO_COMPRESSION)
+          opts |= OpenSSL::SSL::OP_NO_SSLv2 if defined?(OpenSSL::SSL::OP_NO_SSLv2)
+          opts |= OpenSSL::SSL::OP_NO_SSLv3 if defined?(OpenSSL::SSL::OP_NO_SSLv3)
+          opts
+        }.call
       }
 
       DEFAULT_CERT_STORE = OpenSSL::X509::Store.new
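Review bot: the new whitelist still ends with three RC4 suites (`ECDHE-ECDSA-RC4-SHA`, `ECDHE-RSA-RC4-SHA`, `RC4-SHA`), so a peer offering nothing stronger can still negotiate RC4; if they are kept for compatibility, say so in the ChangeLog and plan their removal. In the `:options` lambda every `OP_NO_*` line is guarded by `defined?`, so on a build without `OpenSSL::SSL::OP_NO_SSLv3` the lambda silently returns a mask that still permits SSLv3 while `:ssl_version => "SSLv23"` leaves it negotiable; a `warn` in that branch would make the degraded default visible.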
Index: ruby_2_1/version.h
===================================================================
--- ruby_2_1/version.h	(revision 48097)
+++ ruby_2_1/version.h	(revision 48098)
@@ -1,10 +1,10 @@ https://github.com/ruby/ruby/blob/trunk/ruby_2_1/version.h#L1
 #define RUBY_VERSION "2.1.4"
-#define RUBY_RELEASE_DATE "2014-10-19"
-#define RUBY_PATCHLEVEL 261
+#define RUBY_RELEASE_DATE "2014-10-22"
+#define RUBY_PATCHLEVEL 262
 
 #define RUBY_RELEASE_YEAR 2014
 #define RUBY_RELEASE_MONTH 10
-#define RUBY_RELEASE_DAY 19
+#define RUBY_RELEASE_DAY 22
 
 #include "ruby/version.h"
 
Index: ruby_2_1/test/openssl/test_ssl.rb
===================================================================
--- ruby_2_1/test/openssl/test_ssl.rb	(revision 48097)
+++ ruby_2_1/test/openssl/test_ssl.rb	(revision 48098)
@@ -4,10 +4,6 @@ if defined?(OpenSSL) https://github.com/ruby/ruby/blob/trunk/ruby_2_1/test/openssl/test_ssl.rb#L4
 
 class OpenSSL::TestSSL < OpenSSL::SSLTestCase
 
-  TLS_DEFAULT_OPS = defined?(OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS) ?
-                    OpenSSL::SSL::OP_ALL & ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS :
-                    OpenSSL::SSL::OP_ALL
-
   def test_ctx_setup
     ctx = OpenSSL::SSL::SSLContext.new
     assert_equal(ctx.setup, true)
@@ -276,7 +272,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTes https://github.com/ruby/ruby/blob/trunk/ruby_2_1/test/openssl/test_ssl.rb#L272
       ctx = OpenSSL::SSL::SSLContext.new
       ctx.set_params
       assert_equal(OpenSSL::SSL::VERIFY_PEER, ctx.verify_mode)
-      assert_equal(TLS_DEFAULT_OPS, ctx.options)
+      assert_equal(OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:options], ctx.options)
       ciphers = ctx.ciphers
       ciphers_versions = ciphers.collect{|_, v, _, _| v }
       ciphers_names = ciphers.collect{|v, _, _, _| v }
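Review bot: the replacement assertion compares `ctx.options` with `OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:options]`, the very value `set_params` just applied, so it passes even if `DEFAULT_PARAMS` drops a flag; add direct checks such as `assert_not_equal(0, ctx.options & OpenSSL::SSL::OP_NO_SSLv3)` (guarded by `defined?`) and the same for `OpenSSL::SSL::OP_NO_COMPRESSION` so the test pins the protocol and compression restrictions themselves rather than the constant's identity.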

Property changes on: ruby_2_1
___________________________________________________________________
Modified: svn:mergeinfo
   Merged /trunk:r45274,45278,45280,48097
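A defender-side check of the same settings, as an added example that is not part of this commit or of Ruby's openssl extension: it rebuilds the options mask the way the new DEFAULT_PARAMS lambda does and audits a cipher string for RC4 and non-forward-secret suites. The OP_* bit values are the OpenSSL 1.0.x SSL_OP_* constants from ssl.h and the sample cipher string is a constructed subset of the patch's list, both assumed so the script runs without the openssl extension; missing_options, hardened_options and audit_ciphers are hypothetical helper names.

```ruby
# Added example, not code from the commit. OP_* values are assumed to be
# the OpenSSL 1.0.x SSL_OP_* constants; with the openssl extension loaded
# you would use OpenSSL::SSL::OP_* instead.
OP_DONT_INSERT_EMPTY_FRAGMENTS = 0x00000800
OP_NO_COMPRESSION             = 0x00020000
OP_NO_SSLv2                   = 0x01000000
OP_NO_SSLv3                   = 0x02000000
OP_ALL                        = 0x80000BFF  # assumed OpenSSL 1.0.1 value

# Bits a hardened default must carry (the ones the backport adds).
REQUIRED_OPTS = {
  "OP_NO_COMPRESSION" => OP_NO_COMPRESSION, # TLS compression off (CRIME)
  "OP_NO_SSLv2"       => OP_NO_SSLv2,
  "OP_NO_SSLv3"       => OP_NO_SSLv3,       # SSLv3 off (POODLE)
}

# Names of the required protections that +opts+ does not set.
def missing_options(opts)
  REQUIRED_OPTS.reject { |_, bit| (opts & bit) == bit }.keys
end

# Same construction as the patched DEFAULT_PARAMS[:options] lambda:
# start from OP_ALL, keep the empty-fragment countermeasure enabled by
# clearing OP_DONT_INSERT_EMPTY_FRAGMENTS, then forbid compression/SSLv2/SSLv3.
def hardened_options
  opts = OP_ALL
  opts &= ~OP_DONT_INSERT_EMPTY_FRAGMENTS
  opts |= OP_NO_COMPRESSION | OP_NO_SSLv2 | OP_NO_SSLv3
  opts
end

# Classifies each suite of an OpenSSL cipher string such as the
# DEFAULT_PARAMS[:ciphers] value: RC4 suites are weak, and only (EC)DHE
# key exchange gives forward secrecy.
def audit_ciphers(cipher_string)
  suites = cipher_string.split(":")
  {
    rc4:    suites.select { |s| s.include?("RC4") },
    no_pfs: suites.reject { |s| s.start_with?("ECDHE-", "DHE-") },
  }
end

# Constructed sample: a subset of the whitelist from the patch.
SAMPLE_CIPHERS = %w{
  ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-SHA AES128-GCM-SHA256
  AES256-SHA ECDHE-RSA-RC4-SHA RC4-SHA
}.join(":")
```

Running missing_options on the pre-patch mask (OP_ALL with only the empty-fragment bit cleared) lists all three missing protections, while the hardened mask yields none.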


--
ML: ruby-changes@q...
Info: http://www.atdot.net/~ko1/quickml/
