ruby-changes:39527
From: usa <ko1@a...>
Date: Mon, 17 Aug 2015 17:30:32 +0900 (JST)
Subject: [ruby-changes:39527] usa:r51608 (ruby_2_1): merge revision(s) 51409, 51453: [Backport #10910]
usa 2015-08-17 17:30:08 +0900 (Mon, 17 Aug 2015) New Revision: 51608 http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=51608 Log: merge revision(s) 51409,51453: [Backport #10910] * ext/openssl/lib/openssl/ssl.rb (module OpenSSL): raise a more helpful exception when verifying the peer connection and an anonymous cipher has been selected. [ruby-core:68330] [Bug #10910] Thanks to Chris Sinjakli <chris@s...> for the patch. * test/openssl/test_ssl.rb (class OpenSSL): test for change * .travis.yml: update libssl before running tests. Thanks to Chris Sinjakli <chris@s...> for figuring out the travis settings! Modified directories: branches/ruby_2_1/ Modified files: branches/ruby_2_1/.travis.yml branches/ruby_2_1/ChangeLog branches/ruby_2_1/ext/openssl/lib/openssl/ssl.rb branches/ruby_2_1/test/openssl/test_ssl.rb branches/ruby_2_1/test/openssl/utils.rb branches/ruby_2_1/version.h Index: ruby_2_1/ChangeLog =================================================================== --- ruby_2_1/ChangeLog (revision 51607) +++ ruby_2_1/ChangeLog (revision 51608) 
@@ -1,3 +1,18 @@ https://github.com/ruby/ruby/blob/trunk/ruby_2_1/ChangeLog#L1 +Mon Aug 17 17:16:22 2015 Aaron Patterson <tenderlove@r...> + + * .travis.yml: update libssl before running tests. + Thanks to Chris Sinjakli <chris@s...> for figuring out the + travis settings! + +Mon Aug 17 17:16:22 2015 Aaron Patterson <tenderlove@r...> + + * ext/openssl/lib/openssl/ssl.rb (module OpenSSL): raise a more + helpful exception when verifying the peer connection and an + anonymous cipher has been selected. [ruby-core:68330] [Bug #10910] + Thanks to Chris Sinjakli <chris@s...> for the patch. + + * test/openssl/test_ssl.rb (class OpenSSL): test for change + Mon Aug 17 17:12:46 2015 NAKAMURA Usaku <usa@r...> * win32/win32.c (waitpid): return immediately if interrupted. Index: ruby_2_1/ext/openssl/lib/openssl/ssl.rb =================================================================== --- ruby_2_1/ext/openssl/lib/openssl/ssl.rb (revision 51607) +++ ruby_2_1/ext/openssl/lib/openssl/ssl.rb (revision 51608) @@ -228,6 +228,14 @@ module OpenSSL https://github.com/ruby/ruby/blob/trunk/ruby_2_1/ext/openssl/lib/openssl/ssl.rb#L228 # This method MUST be called after calling #connect to ensure that the # hostname of a remote peer has been verified. def post_connection_check(hostname) + if peer_cert.nil? + msg = "Peer verification enabled, but no certificate received." + if using_anon_cipher? + msg += " Anonymous cipher suite #{cipher[0]} was negotiated. Anonymous suites must be disabled to use peer verification." + end + raise SSLError, msg + end + unless OpenSSL::SSL.verify_certificate_identity(peer_cert, hostname) raise SSLError, "hostname \"#{hostname}\" does not match the server certificate" end 
@@ -239,6 +247,14 @@ module OpenSSL https://github.com/ruby/ruby/blob/trunk/ruby_2_1/ext/openssl/lib/openssl/ssl.rb#L247 rescue SSL::Session::SessionError nil end + + private + + def using_anon_cipher? + ctx = OpenSSL::SSL::SSLContext.new + ctx.ciphers = "aNULL" + ctx.ciphers.include?(cipher) + end end ## Index: ruby_2_1/version.h =================================================================== --- ruby_2_1/version.h (revision 51607) +++ ruby_2_1/version.h (revision 51608) @@ -1,6 +1,6 @@ https://github.com/ruby/ruby/blob/trunk/ruby_2_1/version.h#L1 #define RUBY_VERSION "2.1.7" #define RUBY_RELEASE_DATE "2015-08-17" -#define RUBY_PATCHLEVEL 390 +#define RUBY_PATCHLEVEL 391 #define RUBY_RELEASE_YEAR 2015 #define RUBY_RELEASE_MONTH 8 Index: ruby_2_1/test/openssl/utils.rb =================================================================== --- ruby_2_1/test/openssl/utils.rb (revision 51607) +++ ruby_2_1/test/openssl/utils.rb (revision 51608) @@ -259,6 +259,7 @@ AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOP https://github.com/ruby/ruby/blob/trunk/ruby_2_1/test/openssl/utils.rb#L259 def start_server(port0, verify_mode, start_immediately, args = {}, &block) ctx_proc = args[:ctx_proc] + use_anon_cipher = args.fetch(:use_anon_cipher, false) server_proc = args[:server_proc] server_proc ||= method(:readwrite_loop) @@ -266,6 +267,7 @@ AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOP https://github.com/ruby/ruby/blob/trunk/ruby_2_1/test/openssl/utils.rb#L267 store.add_cert(@ca_cert) store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT ctx = OpenSSL::SSL::SSLContext.new + ctx.ciphers = "ADH-AES256-GCM-SHA384" if use_anon_cipher ctx.cert_store = store #ctx.extra_chain_cert = [ ca_cert ] ctx.cert = @svr_cert Index: ruby_2_1/test/openssl/test_ssl.rb =================================================================== --- ruby_2_1/test/openssl/test_ssl.rb (revision 51607) +++ ruby_2_1/test/openssl/test_ssl.rb (revision 51608) 
@@ -284,6 +284,20 @@ class OpenSSL::TestSSL < OpenSSL::SSLTes https://github.com/ruby/ruby/blob/trunk/ruby_2_1/test/openssl/test_ssl.rb#L284 } end + def test_post_connect_check_with_anon_ciphers + sslerr = OpenSSL::SSL::SSLError + + start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true, {use_anon_cipher: true}){|server, port| + ctx = OpenSSL::SSL::SSLContext.new + ctx.ciphers = "aNULL" + server_connect(port, ctx) { |ssl| + msg = "Peer verification enabled, but no certificate received. Anonymous cipher suite " \ + "ADH-AES256-GCM-SHA384 was negotiated. Anonymous suites must be disabled to use peer verification." + assert_raise_with_message(sslerr,msg){ssl.post_connection_check("localhost.localdomain")} + } + } + end + def test_post_connection_check sslerr = OpenSSL::SSL::SSLError Index: ruby_2_1/.travis.yml =================================================================== --- ruby_2_1/.travis.yml (revision 51607) +++ ruby_2_1/.travis.yml (revision 51608) @@ -31,6 +31,8 @@ compiler: https://github.com/ruby/ruby/blob/trunk/ruby_2_1/.travis.yml#L31 # far since the 1.9.1 release. before_install: - "sudo apt-get -qq update" + # Travis ships an outdated, broken version of libssl by default + - "sudo apt-get -qq --only-upgrade install '^libssl.*'" - "sudo apt-get -qq install $CC" # upgrade if any install: "sudo apt-get -qq build-dep ruby1.9.1 2>/dev/null" Property changes on: ruby_2_1 ___________________________________________________________________ Modified: svn:mergeinfo Merged /trunk:r51409,51453 -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/
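Review bot: in the `post_connection_check` hunk of ext/openssl/lib/openssl/ssl.rb the new message asserts "Peer verification enabled, but no certificate received." but the branch is taken on `peer_cert.nil?` alone and never consults `verify_mode`; the added test reaches it with a client context that sets only `ctx.ciphers = "aNULL"` and a server started with `VERIFY_NONE`, so the wording claims a state that is not actually checked. Suggest phrasing the message around what the method needs, e.g. "post_connection_check requires a peer certificate, but none was received.", or guarding the "verification enabled" clause on `context.verify_mode != VERIFY_NONE`.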
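Review bot: in the second ssl.rb hunk, `using_anon_cipher?` builds a fresh `SSLContext` and assigns `ctx.ciphers = "aNULL"` on every call from inside an error path; `SSLContext#ciphers=` raises `SSLError` when the linked libssl has no suite matching the string, which would replace the intended helpful exception with an unrelated one. The membership test `ctx.ciphers.include?(cipher)` also compares the full `[name, version, bits, alg_bits]` arrays rather than the suite name. Suggest comparing on the name only, `ctx.ciphers.map(&:first).include?(cipher[0])`, and rescuing `SSLError` (returning false) so the caller still raises its shorter message when the aNULL list cannot be built.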
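Review bot: in the test/openssl/test_ssl.rb hunk, `test_post_connect_check_with_anon_ciphers` pins the expected message to the literal suite "ADH-AES256-GCM-SHA384", which is only available on a libssl with TLS 1.2 and AES-GCM support (the reason the .travis.yml hunk upgrades libssl before the run), and the server side in utils.rb hard-codes the same name under `use_anon_cipher`. Suggest asserting on the negotiated name instead, e.g. `assert_raise(sslerr) { ... }` followed by `assert_match(/Anonymous cipher suite #{Regexp.escape(ssl.cipher[0])} was negotiated/, e.message)`, so the test survives a different anonymous suite being selected. Minor naming point: the test is named `post_connect_check` while the method under test is `post_connection_check`.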