| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|
|
|
|
|
|
|
|
| |
LibreSSL 2.2.2 introduced TLS_method(), but with different semantics
from OpenSSL: TLS_method() enabled TLS >= 1.0 while SSLv23_method()
enabled all available versions, which included SSL 3.0 in addition.
However, LibreSSL 2.3.0 removed SSL 3.0 support completely and now
TLS_method() and SSLv23_method() are equivalent.
|
|
|
|
|
|
|
| |
SSL_CTX_set_ecdh_auto() exists in OpenSSL 1.1.0 and LibreSSL 2.6.1, but
it is made no-op and the automatic curve selection cannot be disabled.
Wrap it with ifdef to make it clear that it is safe to remove it
completely when we drop support for OpenSSL 1.0.2.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Clean up old version guards in preparation for the upcoming OpenSSL 3.0
support.
OpenSSL 1.0.1 reached its EOL on 2016-12-31. At that time, we decided
to keep 1.0.1 support because many major Linux distributions were still
shipped with 1.0.1. Now, nearly 4 years later, most Linux distributions
are reaching their EOL and it should be safe to assume nobody uses them
anymore. Major ones that were using 1.0.1:
- Ubuntu 14.04 is EOL since 2019-04-30
- RHEL 6 will reach EOL on 2020-11-30
LibreSSL 3.0 and older versions are no longer supported by the LibreSSL
team as of October 2020.
Note that OpenSSL 1.0.2 also reached EOL on 2019-12-31 and 1.1.0 also
did on 2018-08-31.
|
|\
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* maint-2.2:
.github/workflows: update Ruby and OpenSSL/LibreSSL versions
bn: check -1 return from BIGNUM functions
.github/workflows: disable pkg-config on Windows tests
ssl: retry write on EPROTOTYPE on macOS
x509store: fix memory leak in X509::StoreContext.new
.github/workflows/test.yml: use GitHub Actions
Skip one assertion for OpenSSL::PKey::EC::Point#mul on LibreSSL
|
| |\
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* maint-2.1:
.github/workflows: update Ruby and OpenSSL/LibreSSL versions
bn: check -1 return from BIGNUM functions
.github/workflows: disable pkg-config on Windows tests
ssl: retry write on EPROTOTYPE on macOS
x509store: fix memory leak in X509::StoreContext.new
.github/workflows/test.yml: use GitHub Actions
Skip one assertion for OpenSSL::PKey::EC::Point#mul on LibreSSL
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Errno::EPROTOTYPE is not supposed to be raised by SSLSocket#write.
However, on macOS, send(2) which is called via SSL_write() can
occasionally return EPROTOTYPE. Retry SSL_write() so that we get a
proper error, just as ext/socket does.
Reference: https://bugs.ruby-lang.org/issues/14713
Reference: https://github.com/ruby/openssl/issues/227
|
| | | |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This defines TLS1_3_VERSION when using LibreSSL 3.2+. LibreSSL 3.2/3.3
doesn't advertise this by default, even though it will use TLS 1.3
in both client and server modes.
Changes between LibreSSL 3.1 and 3.2/3.3 broke a few tests, Defining
TLS1_3_VERSION by itself fixes 1 test failure. A few tests now
fail on LibreSSL 3.2/3.3 unless TLS 1.2 is set as the maximum version,
and this adjusts those tests. The client CA test doesn't work in
LibreSSL 3.2+, so I've marked that as pending.
For the hostname verification, LibreSSL 3.2.2+ has a new stricter
hostname verifier that doesn't like subjectAltName such as
c*.example.com and d.*.example.com, so adjust the related tests.
With these changes, the tests pass on LibreSSL 3.2/3.3.
|
|/ /
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The underlying API SSL_CTX_set_tmp_ecdh_callback() was removed by
LibreSSL >= 2.6.1 and OpenSSL >= 1.1.0, in other words, it is not
supported by any non-EOL versions of OpenSSL.
The wrapper was initially implemented in Ruby 2.3 and has been
deprecated since Ruby/OpenSSL 2.0 (bundled with Ruby 2.4) with explicit
warning with rb_warn().
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Let's revert the changes for now, as it cannot be included in the 2.2.0
release.
My comment on #257:
> A blocker is OpenSSL::SSL::SSLContext#add_certificate_chain_file. It
> has a pending change and I don't want to include it in an incomplete
> state.
>
> The initial implementation in commit 46e4bdba40c5 was not really
> useful. The issue is described in #305. #309 extended it
> to take the corresponding private key together. However, the new
> implementation was incompatible on Windows and was reverted by #320 to
> the initial one.
>
> (The prerequisite to implement it in) an alternative way is #288, and
> it's still cooking.
This effectively reverts the following commits:
- dacd08937ccd ("ssl: suppress test failure with SSLContext#add_certificate_chain_file", 2020-03-09)
- 46e4bdba40c5 ("Add support for SSL_CTX_use_certificate_chain_file. Fixes #254.", 2019-06-13)
|
| |
| |
| |
| | |
[ Cherry-picked from ruby.git commit d8720eb7de9c. ]
|
|\|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* maint:
ssl: set verify error code in the case of verify_hostname failure
x509: add error code and verify flags constants
Remove taint support
Restore compatibility with older versions of Ruby.
Fix keyword argument separation issues in OpenSSL::SSL::SSLSocket#sys{read,write}_nonblock
config: support .include directive
|
| |\
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* maint-2.0:
ssl: set verify error code in the case of verify_hostname failure
x509: add error code and verify flags constants
Remove taint support
Restore compatibility with older versions of Ruby.
Fix keyword argument separation issues in OpenSSL::SSL::SSLSocket#sys{read,write}_nonblock
config: support .include directive
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
When the verify_hostname option is enabled, the hostname verification is
done before calling verify_callback provided by the user.
The callback should be notified of the hostname verification failure.
OpenSSL::X509::StoreContext's error code must be set to an appropriate
value rather than OpenSSL::X509::V_OK.
If the constant X509_V_ERR_HOSTNAME_MISMATCH is available (OpenSSL >=
1.0.2), use it. Otherwise use the generic X509_V_ERR_CERT_REJECTED.
Reference: https://github.com/ruby/openssl/issues/244
Fixes: 028e495734e9 ("ssl: add verify_hostname option to SSLContext", 2016-06-27)
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
[ This is a backport to the 2.0 branch. ]
Ruby 2.7 deprecates taint and it no longer has an effect.
The lack of taint support should not cause a problem in
previous Ruby versions.
(cherry picked from commit e7ed01b580a139ad0fb320ad5f29bbb40ef2ddc2)
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
[ Originally landed on as commit b4e96fc4abc3. This is a backport to the
2.0 branch. ]
`RB_PASS_KEYWORDS` is not always available.
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
OpenSSL::SSL::SSLSocket#sys{read,write}_nonblock
[ Originally landed on ruby.git as commit 3959469f240e, then was merged
into ruby/openssl.git as commit b4e96fc4abc3. This is a backport to
the 2.0 branch. ]
It's unlikely anyone would actually hit these. The methods are
private, you only hit this code path if calling these methods
before performing the SSL connection, and there is already a
verbose warning issued.
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The feature is currently premature and will be rewritten. However, it
is causing test failures on RubyCI. Make it happy for now.
Reference: https://github.com/ruby/openssl/issues/334
|
| | |
| | |
| | |
| | |
| | |
| | | |
We cannot use C99 features yet, as we still support Ruby 2.6 and older.
Fixes: debaca25604c ("Adds support for the 'get_finished' and 'get_peer_finished' functions", 2019-06-25)
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Revert SSLContext#add_certificate_chain_file changes
* 0da0dfaf09f549b2b2cd984627b321b7908d1186.
* 8d12f0f6ca944212cb8000e689469d7aaa8190d7.
* 49f42ad5f82f8b61f51a16e3a6df1ab0d5307d5f.
* 5ee295ab8e37c8ffc6eb8c1b7b79ec024f3253e4.
* 8b4fa5e336c7544ea677ccee160ec6d221559e10.
* 443d13e9b2c127230fde2733959eaa4d41eb355d.
* 5d866038920edf2729865653d6dc9309589f089a.
* f18559acf97a6f6aaf3d253417eb0100b262cbc6.
|
| | | |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Zero-size arrays not playing nicely with visual studio / mingw,
see: https://github.com/ruby/ruby/pull/2693
Also see related discussion pertaining to using NULL pointer
here: https://github.com/ruby/openssl/pull/315
|
| | | |
|
| | | |
|
| | | |
|
| | | |
|
| | |
| | |
| | |
| | |
| | |
| | | |
self
add test_add_certificate_chain_file_multiple_certs
|
| | |
| | |
| | |
| | | |
ssl.peer_cert_chain
|
| | | |
|
| | |
| | |
| | |
| | | |
`RB_PASS_KEYWORDS` is not always available.
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Diff was generated:
git diff --output openssl.patch 93bc10272734cbbb9197470ca629cc4ea019f6f0 ext/openssl/*.c ext/openssl/*.h ext/openssl/**/*.rb
Appled using `patch -p1 < openssl.patch`.
|
| | |
| | |
| | |
| | | |
Closes #256
|
| | |
| | |
| | |
| | |
| | |
| | | |
Ruby 2.7 deprecates taint and it no longer has an effect.
The lack of taint support should not cause a problem in
previous Ruby versions.
|
| | | |
|
|\ \ \
| | | |
| | | | |
Support client certificates with TLS 1.3
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Enable post-handshake authentication with OpenSSL 1.1.1
Fixes #237
|
|/ / / |
|
|/ /
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
[Fix GH-1958]
From: Jun Aruga <jaruga@redhat.com>
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@64806 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* expand tabs.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@64807 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Suppress more -Wparentheses warnings
[Fix GH-1958]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@64808 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
[ky: this is a combined patch of r64806-r64808.]
Sync-with-trunk: r64808
|
|\|
| |
| |
| |
| |
| |
| | |
* maint:
Ruby/OpenSSL 2.0.7
asn1: fix docs
ssl: remove unreachable code
|
| |
| |
| |
| | |
GetSSLCTX() never returns NULL.
|
| |
| |
| |
| |
| |
| |
| |
| | |
The function ossl_sslctx_session_get_cb(), which is passed to
SSL_CTX_sess_set_get_cb(), will never be called on the client-side since
it is for the server-side session caching.
Reference: https://github.com/ruby/openssl/issues/170
|
|\|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* maint:
History.md: fix a typo
x509cert, x509crl, x509req, ns_spki: check sanity of public key
pkey: make pkey_check_public_key() non-static
test/test_cipher: fix test_non_aead_cipher_set_auth_data failure
cipher: disallow setting AAD for non-AEAD ciphers
test/test_ssl_session: skip tests for session_remove_cb
appveyor.yml: remove 'openssl version' line
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
In OpenSSL < 1.1.0, the session_remove_cb callback is called inside the
global lock for CRYPTO_LOCK_SSL_CTX which is shared across the entire
process, not just for the specific SSL_CTX object. It is possible that
the callback releases GVL while the lock for CRYPTO_LOCK_SSL_CTX is
held, causing another thread calling an OpenSSL function that tries to
acquire the same lock stuck forever.
Add a note about the possible deadlock to the docs for
SSLContext#session_remove_cb=, and skip the relevant test cases unless
the OSSL_TEST_ALL environment variable is set to 1.
A deadlock due to this issue is observed:
http://ci.rvm.jp/results/trunk-test@frontier/104428
|
|\ \
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Merge GitHub Pull Request #167.
* ky/ssl-add-certificate:
test/test_ssl: fix test_security_level
ssl: add SSLContext#add_certificate
test/utils: remove a pointless .public_key call in issue_cert
test/envutil: port assert_warning from Ruby trunk
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Add a new method to add a certificate, a corresponding private key, and
extra CA certificates at once.
This has two advantages over the existing {cert,key,extra_cert_chain}
attributes:
1. We can notice the problem with the certificate and/or the private
key. Since the existing attributes are simple instance variables,
they aren't set to the SSL_CTX until #setup which usually happens
on the first connection.
2. For the same reason, existing attributes allowed only one
certificate for a context, even though OpenSSL itself is capable of
handling multiple certificates and selecting the most appropriate
one according to the cipher suite selected.
The documentation for the existing attributes are updated to recommend
using #add_certificate.
|
| | |
| | |
| | |
| | | |
Thanks rhenium for the code review and fixes.
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Support for fallback SCSV [RFC 7507](https://tools.ietf.org/html/rfc7507).
Expected behaviour is to refuse connection if the client signals a protocol with
the fallback flag but the server supports a better one (downgrade attack detection).
|
|/ / |
|
|\|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* maint:
Ruby/OpenSSL 2.0.6
test/test_engine: check if RC4 is supported
test/test_engine: suppress stderr
ossl.c: make legacy locking callbacks reentrant
ossl.c: use struct CRYPTO_dynlock_value for non-dynamic locks
ssl: prevent SSLSocket#sysread* from leaking uninitialized data
test/test_pair: replace sleep with IO.select
tool/ruby-openssl-docker: update
test/test_ssl: do not run NPN tests for LibreSSL >= 2.6.1
test/test_ssl: skip tmp_ecdh_callback test for LibreSSL >= 2.6.1
test/test_pair: disable compression
test/test_ssl: suppress warning in test_alpn_protocol_selection_cancel
ruby.h: unnormalized Fixnum value
test/test_pair: fix test_write_nonblock{,_no_exceptions}
|