ruby-changes:39328
From: tenderlove <ko1@a...>
Date: Tue, 28 Jul 2015 03:29:41 +0900 (JST)
Subject: [ruby-changes:39328] tenderlove:r51409 (trunk): * ext/openssl/lib/openssl/ssl.rb (module OpenSSL): raise a more
tenderlove 2015-07-28 03:29:17 +0900 (Tue, 28 Jul 2015) New Revision: 51409 http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=51409 Log: * ext/openssl/lib/openssl/ssl.rb (module OpenSSL): raise a more helpful exception when verifying the peer connection and an anonymous cipher has been selected. [ruby-core:68330] [Bug #10910] Thanks to Chris Sinjakli <chris@s...> for the patch. * test/openssl/test_ssl.rb (class OpenSSL): test for change Modified files: trunk/ChangeLog trunk/ext/openssl/lib/openssl/ssl.rb trunk/test/openssl/test_ssl.rb trunk/test/openssl/utils.rb Index: ChangeLog =================================================================== --- ChangeLog (revision 51408) +++ ChangeLog (revision 51409) @@ -1,3 +1,12 @@ https://github.com/ruby/ruby/blob/trunk/ChangeLog#L1 +Tue Jul 28 03:26:15 2015 Aaron Patterson <tenderlove@r...> + + * ext/openssl/lib/openssl/ssl.rb (module OpenSSL): raise a more + helpful exception when verifying the peer connection and an + anonymous cipher has been selected. [ruby-core:68330] [Bug #10910] + Thanks to Chris Sinjakli <chris@s...> for the patch. + + * test/openssl/test_ssl.rb (class OpenSSL): test for change + Mon Jul 27 13:24:11 2015 Koichi Sasada <ko1@a...> * template/id.h.tmpl (ID2ATTRSET): remove an unused macro. Index: ext/openssl/lib/openssl/ssl.rb =================================================================== --- ext/openssl/lib/openssl/ssl.rb (revision 51408) +++ ext/openssl/lib/openssl/ssl.rb (revision 51409) @@ -252,6 +252,14 @@ module OpenSSL https://github.com/ruby/ruby/blob/trunk/ext/openssl/lib/openssl/ssl.rb#L252 # This method MUST be called after calling #connect to ensure that the # hostname of a remote peer has been verified. def post_connection_check(hostname) + if peer_cert.nil? + msg = "Peer verification enabled, but no certificate received." + if using_anon_cipher? + msg += " Anonymous cipher suite #{cipher[0]} was negotiated. Anonymous suites must be disabled to use peer verification." + end + raise SSLError, msg + end + unless OpenSSL::SSL.verify_certificate_identity(peer_cert, hostname) raise SSLError, "hostname \"#{hostname}\" does not match the server certificate" end @@ -263,6 +271,14 @@ module OpenSSL https://github.com/ruby/ruby/blob/trunk/ext/openssl/lib/openssl/ssl.rb#L271 rescue SSL::Session::SessionError nil end + + private + + def using_anon_cipher? + ctx = OpenSSL::SSL::SSLContext.new + ctx.ciphers = "aNULL" + ctx.ciphers.include?(cipher) + end end ## Index: test/openssl/utils.rb =================================================================== --- test/openssl/utils.rb (revision 51408) +++ test/openssl/utils.rb (revision 51409) @@ -270,12 +270,14 @@ AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOP https://github.com/ruby/ruby/blob/trunk/test/openssl/utils.rb#L270 ctx_proc = args[:ctx_proc] server_proc = args[:server_proc] ignore_listener_error = args.fetch(:ignore_listener_error, false) + use_anon_cipher = args.fetch(:use_anon_cipher, false) server_proc ||= method(:readwrite_loop) store = OpenSSL::X509::Store.new store.add_cert(@ca_cert) store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT ctx = OpenSSL::SSL::SSLContext.new + ctx.ciphers = "ADH-AES256-GCM-SHA384" if use_anon_cipher ctx.cert_store = store #ctx.extra_chain_cert = [ ca_cert ] ctx.cert = @svr_cert Index: test/openssl/test_ssl.rb =================================================================== --- test/openssl/test_ssl.rb (revision 51408) +++ test/openssl/test_ssl.rb (revision 51409) @@ -365,6 +365,20 @@ class OpenSSL::TestSSL < OpenSSL::SSLTes https://github.com/ruby/ruby/blob/trunk/test/openssl/test_ssl.rb#L365 } end + def test_post_connect_check_with_anon_ciphers + sslerr = OpenSSL::SSL::SSLError + + start_server(OpenSSL::SSL::VERIFY_NONE, true, {use_anon_cipher: true}){|server, port| + ctx = OpenSSL::SSL::SSLContext.new + ctx.ciphers = "aNULL" + server_connect(port, ctx) { |ssl| + msg = "Peer verification enabled, but no certificate received. Anonymous cipher suite " \ + "ADH-AES256-GCM-SHA384 was negotiated. Anonymous suites must be disabled to use peer verification." + assert_raise_with_message(sslerr,msg){ssl.post_connection_check("localhost.localdomain")} + } + } + end + def test_post_connection_check sslerr = OpenSSL::SSL::SSLError -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/