ruby-changes:43230
From: rhe <ko1@a...>
Date: Tue, 7 Jun 2016 14:57:30 +0900 (JST)
Subject: [ruby-changes:43230] rhe:r55304 (trunk): openssl: avoid deprecated version-specific ssl methods if necessary
rhe 2016-06-07 14:57:25 +0900 (Tue, 07 Jun 2016) New Revision: 55304 https://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=55304 Log: openssl: avoid deprecated version-specific ssl methods if necessary * ext/openssl/extconf.rb: Check for SSL_CTX_set_min_proto_version() macro added in OpenSSL 1.1.0. Version-specific methods, such as TLSv1_method(), are deprecated in OpenSSL 1.1.0. We need to use version-flexible methods (TLS_*method() or SSLv23_*method()) and disable other protocol versions as necessary. [ruby-core:75225] [Feature #12324] * ext/openssl/ossl_ssl.c: Use SSL_CTX_set_{min,max}_proto_version() to fix the protocol version. Modified files: trunk/ChangeLog trunk/ext/openssl/extconf.rb trunk/ext/openssl/ossl_ssl.c
Index: ChangeLog
===================================================================
--- ChangeLog (revision 55303)
+++ ChangeLog (revision 55304)
@@ -1,3 +1,15 @@ https://github.com/ruby/ruby/blob/trunk/ChangeLog#L1
+Tue Jun 7 14:57:09 2016 Kazuki Yamaguchi <k@r...>
+
+ * ext/openssl/extconf.rb: Check for SSL_CTX_set_min_proto_version()
+ macro added in OpenSSL 1.1.0. Version-specific methods, such as
+ TLSv1_method(), are deprecated in OpenSSL 1.1.0. We need to use
+ version-flexible methods (TLS_*method() or SSLv23_*method()) and
+ disable other protocol versions as necessary.
+ [ruby-core:75225] [Feature #12324]
+
+ * ext/openssl/ossl_ssl.c: Use SSL_CTX_set_{min,max}_proto_version() to
+ fix the protocol version.
+
 Tue Jun 7 12:55:34 2016 Martin Duerst <duerst@i...>
 * regenc.c (onigenc_not_support_case_map): Move to end of file;
Index: ext/openssl/extconf.rb
===================================================================
--- ext/openssl/extconf.rb (revision 55303)
+++ ext/openssl/extconf.rb (revision 55304)
@@ -145,6 +145,7 @@ have_func("X509_STORE_up_ref") https://github.com/ruby/ruby/blob/trunk/ext/openssl/extconf.rb#L145 have_func("SSL_SESSION_up_ref") have_func("EVP_PKEY_up_ref") OpenSSL.check_func_or_macro("SSL_CTX_set_tmp_ecdh_callback", "openssl/ssl.h") # removed +OpenSSL.check_func_or_macro("SSL_CTX_set_min_proto_version", "openssl/ssl.h") Logging::message "=== Checking done. ===\n" Index: ext/openssl/ossl_ssl.c =================================================================== --- ext/openssl/ossl_ssl.c (revision 55303) +++ ext/openssl/ossl_ssl.c (revision 55304) 
@@ -88,35 +88,34 @@ static VALUE sym_exception, sym_wait_rea https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl_ssl.c#L88
 */
 static const struct {
 const char *name;
- SSL_METHOD *(*func)(void);
+ SSL_METHOD *(*func)(void); /* FIXME: constify when dropping 0.9.8 */
+ int version;
 } ossl_ssl_method_tab[] = {
-#define OSSL_SSL_METHOD_ENTRY(name) { #name, (SSL_METHOD *(*)(void))name##_method }
- OSSL_SSL_METHOD_ENTRY(TLSv1),
- OSSL_SSL_METHOD_ENTRY(TLSv1_server),
- OSSL_SSL_METHOD_ENTRY(TLSv1_client),
-#if defined(HAVE_TLSV1_2_METHOD)
- OSSL_SSL_METHOD_ENTRY(TLSv1_2),
- OSSL_SSL_METHOD_ENTRY(TLSv1_2_server),
- OSSL_SSL_METHOD_ENTRY(TLSv1_2_client),
-#endif
-#if defined(HAVE_TLSV1_1_METHOD)
- OSSL_SSL_METHOD_ENTRY(TLSv1_1),
- OSSL_SSL_METHOD_ENTRY(TLSv1_1_server),
- OSSL_SSL_METHOD_ENTRY(TLSv1_1_client),
+#if defined(HAVE_SSL_CTX_SET_MIN_PROTO_VERSION)
+#define OSSL_SSL_METHOD_ENTRY(name, version) \
+ { #name, (SSL_METHOD *(*)(void))TLS_method, version }, \
+ { #name"_server", (SSL_METHOD *(*)(void))TLS_server_method, version }, \
+ { #name"_client", (SSL_METHOD *(*)(void))TLS_client_method, version }
+#else
+#define OSSL_SSL_METHOD_ENTRY(name, version) \
+ { #name, (SSL_METHOD *(*)(void))name##_method, version }, \
+ { #name"_server", (SSL_METHOD *(*)(void))name##_server_method, version }, \
+ { #name"_client", (SSL_METHOD *(*)(void))name##_client_method, version }
 #endif
 #if defined(HAVE_SSLV2_METHOD)
- OSSL_SSL_METHOD_ENTRY(SSLv2),
- OSSL_SSL_METHOD_ENTRY(SSLv2_server),
- OSSL_SSL_METHOD_ENTRY(SSLv2_client),
+ OSSL_SSL_METHOD_ENTRY(SSLv2, SSL2_VERSION),
 #endif
 #if defined(HAVE_SSLV3_METHOD)
- OSSL_SSL_METHOD_ENTRY(SSLv3),
- OSSL_SSL_METHOD_ENTRY(SSLv3_server),
- OSSL_SSL_METHOD_ENTRY(SSLv3_client),
-#endif
- OSSL_SSL_METHOD_ENTRY(SSLv23),
- OSSL_SSL_METHOD_ENTRY(SSLv23_server),
- OSSL_SSL_METHOD_ENTRY(SSLv23_client),
+ OSSL_SSL_METHOD_ENTRY(SSLv3, SSL3_VERSION),
+#endif
+ OSSL_SSL_METHOD_ENTRY(TLSv1, TLS1_VERSION),
+#if defined(HAVE_TLSV1_1_METHOD)
+ OSSL_SSL_METHOD_ENTRY(TLSv1_1, TLS1_1_VERSION),
+#endif
+#if defined(HAVE_TLSV1_2_METHOD)
+ OSSL_SSL_METHOD_ENTRY(TLSv1_2, TLS1_2_VERSION),
+#endif
+ OSSL_SSL_METHOD_ENTRY(SSLv23, 0),
 #undef OSSL_SSL_METHOD_ENTRY
 };
@@ -189,30 +188,36 @@ ossl_sslctx_s_alloc(VALUE klass) https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl_ssl.c#L188
 static VALUE
 ossl_sslctx_set_ssl_version(VALUE self, VALUE ssl_method)
 {
- SSL_METHOD *method = NULL;
+ SSL_CTX *ctx;
 const char *s;
 VALUE m = ssl_method;
 int i;
- SSL_CTX *ctx;
+ GetSSLCTX(self, ctx);
 if (RB_TYPE_P(ssl_method, T_SYMBOL))
 m = rb_sym2str(ssl_method);
 s = StringValueCStr(m);
 for (i = 0; i < numberof(ossl_ssl_method_tab); i++) {
 if (strcmp(ossl_ssl_method_tab[i].name, s) == 0) {
- method = ossl_ssl_method_tab[i].func();
- break;
+#if defined(HAVE_SSL_CTX_SET_MIN_PROTO_VERSION)
+ int version = ossl_ssl_method_tab[i].version;
+#endif
+ SSL_METHOD *method = ossl_ssl_method_tab[i].func();
+
+ if (SSL_CTX_set_ssl_version(ctx, method) != 1)
+ ossl_raise(eSSLError, "SSL_CTX_set_ssl_version");
+
+#if defined(HAVE_SSL_CTX_SET_MIN_PROTO_VERSION)
+ if (!SSL_CTX_set_min_proto_version(ctx, version))
+ ossl_raise(eSSLError, "SSL_CTX_set_min_proto_version");
+ if (!SSL_CTX_set_max_proto_version(ctx, version))
+ ossl_raise(eSSLError, "SSL_CTX_set_max_proto_version");
+#endif
+ return ssl_method;
 }
 }
- if (!method) {
- ossl_raise(rb_eArgError, "unknown SSL method `%"PRIsVALUE"'.", m);
- }
- GetSSLCTX(self, ctx);
- if (SSL_CTX_set_ssl_version(ctx, method) != 1) {
- ossl_raise(eSSLError, "SSL_CTX_set_ssl_version");
- }
- return ssl_method;
+ ossl_raise(rb_eArgError, "unknown SSL method `%"PRIsVALUE"'.", m);
 }
 static VALUE
-- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/
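Review bot: The `version` field added to the table and the `0` in `OSSL_SSL_METHOD_ENTRY(SSLv23, 0)` are undocumented, although on the `HAVE_SSL_CTX_SET_MIN_PROTO_VERSION` branch they carry the whole meaning of an entry — every name now expands to `TLS_method`/`TLS_server_method`/`TLS_client_method` and only `version` distinguishes `TLSv1` from `TLSv1_2`. A comment on the field, `int version; /* TLS1_VERSION etc.; 0 = no bound, used by the SSLv23 entries */`, and one above the `#if`, `/* OpenSSL 1.1.0+: version-specific methods are deprecated; the setter pins min == max == version instead */`, would make the table readable on its own. On that branch `func` no longer restricts anything by itself, so the `SSLv2`/`SSLv3` entries (still emitted when `HAVE_SSLV2_METHOD`/`HAVE_SSLV3_METHOD` are detected) depend entirely on the bound-setting calls in the setter to reject or honour them. The struct and the table are fully inside the hunk.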
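Review bot: In the matched-entry branch, a failing `SSL_CTX_set_min_proto_version` or `SSL_CTX_set_max_proto_version` raises after `SSL_CTX_set_ssl_version` has already switched the context to the version-flexible method, so the SSL_CTX is left with whatever bounds it had before the call (none on a fresh context) even though the caller asked for a pinned version. `SSL_CTX_set_ssl_version` does not appear to touch the bounds, so moving the two bound calls ahead of it — or resetting the bounds when one of them fails — keeps a raised SSLError from leaving a half-configured context. The `SSLv23` entries are the one case where `version` is 0 and both calls deliberately lift the bounds; a comment at `int version = ossl_ssl_method_tab[i].version;`, e.g. `/* 0 (SSLv23): lift both bounds; otherwise pin min == max */`, would make that contract visible. ossl_sslctx_set_ssl_version lies entirely within the hunk.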