| Commit message (Collapse) | Author | Age | Files | Lines |
... | |
|/ / /
| | |
| | |
| | |
| | |
| | |
| | | |
Allow the attribute value to contain ',', just as the openssl utility's
parse_name() function does.
Fixes: https://github.com/ruby/openssl/issues/39
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Reimplement SSLContext#ssl_version= as a wrapper around
SSLContext#min_version= and #max_version=.
SSLContext#ssl_version= used to call SSL_CTX_set_ssl_version() which
replaces the SSL method used for the connections created from the SSL
context. This is mainly used for forcing a specific SSL/TLS protocol
version.
As of OpenSSL 1.1.0, however, use of the version-specific SSL methods
such as TLSv1_method() is deprecated. Follow the current recommendation
-- to use the generic SSL method always and to control the supported
version range by SSL_CTX_set_{min,max}_proto_version(). Actually, we
have already started doing a similar thing when the extension is
compiled with OpenSSL 1.1.0.
OpenSSL::SSL::SSLContext::METHODS, which contained the possible names of
SSL methods, is not useful anymore. It is now deprecate_constant-ed.
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Add methods that set the minimum and maximum supported protocol versions
for the SSL context. If the OpenSSL library supports, use
SSL_CTX_set_{min,max}_proto_version() that do the exact thing.
Otherwise, simulate by combining SSL_OP_NO_{SSL,TLS}v* flags.
The new methods are meant to replace the deprecated #ssl_version= that
cannot support multiple protocol versions.
SSLContext::DEFAULT_PARAMS is also updated to use the new
SSLContext#min_version=.
|
| | |
| | |
| | |
| | |
| | |
| | | |
The 'keylen' parameter of the tmp_dh_callback is only meaningful when
'is_export' is non-zero. Ignore them and just return the default
2048-bit DH group.
|
|/ /
| |
| |
| |
| |
| | |
Follow-up commit eaffc69e40ab ("ssl: move default DH parameters from
OpenSSL::PKey::DH", 2017-01-23). Those constants shouldn't be used
directly.
|
|\ \
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
scrypt support is added.
* topic/kdf-module:
kdf: add scrypt
ossl.h: add NUM2UINT64T() macro
kdf: introduce OpenSSL::KDF module
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Introduce a new OpenSSL::KDF module as a namespace for to-be-added
KDFs. This makes it easier to add new KDFs in future.
We already have a stand-alone KDF, OpenSSL::PKCS5.pbkdf2_hmac. This is
migrated to the new namespace. The backwards compatibility is retained
by the method defined in the newly added lib/openssl/pkcs5.rb.
|
| | |
| | |
| | |
| | |
| | | |
Ruby core uses _str_ for emphasizing argument names and +str+ for codes.
Match with the rule for better rendering.
|
| | |
| | |
| | |
| | |
| | |
| | | |
https://github.com/ruby/ruby/pull/1527#issuecomment-281867551
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@57694 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
| | |
| | |
| | |
| | | |
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@57693 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
| | |
| | |
| | |
| | | |
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@57692 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Update docs to reflect EOF behavior change of read_nonblock and
write_nonblock when using `exception: false`.
[Fix GH-1527]
Author: Russell Davis <russell-stripe@users.noreply.github.com>
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@57690 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
| | |
| | |
| | |
| | |
| | | |
Prevent a comment in bn.rb from showing up in
the documentation for the core Integer class.
|
|\ \ \
| |/ /
|/| /
| |/
| |
| |
| |
| |
| |
| | |
* maint:
Ruby/OpenSSL 2.0.3
.travis.yml: test with Ruby 2.4
ruby-openssl-docker: update versions of Ruby and OpenSSL
x509: fix OpenSSL::X509::Name#eql?
test/envutil: fix assert_raise_with_message
buffering: fix typo in doc
|
| | |
|
|\ \
| | |
| | |
| | |
| | | |
* topic/ssl-move-default-dh-params:
ssl: move default DH parameters from OpenSSL::PKey::DH
|
| |/
| |
| |
| | |
They should belong to OpenSSL::SSL rather than OpenSSL::PKey::DH.
|
|/
|
|
|
|
|
|
|
|
| |
They are no longer receiving security updates from the OpenSSL
development team since 2015-12.
We have kept basic compatibility until now because RHEL 5 still uses an
(heavily modified) OpenSSL 0.9.8e. The RHEL 5 will reach EOL on 2017-03,
thus it is now safe to assume nobody is still using such old versions of
OpenSSL.
|
|
|
|
|
|
|
| |
* parse.y (parser_yylex): warn ambiguous parentheses after a space
in method definitions.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56927 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
|
|
| |
* lib/openssl/buffering.rb
(read_nonblock, write_nonblock): document `exception: false'
[ruby-core:73882] [Feature #12085]
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use rb_attr_get() instead of rb_iv_get() so that we can remove
SSLContext::INIT_VARS.
SSLContext::INIT_VARS contains the names of the instance variables used
in SSLContext. SSLContext#initialize sets nil for those variables. It
is necessary to suppress "instance variable @foo not initialized"
warnings emitted by rb_iv_get(). The warnings can be avoided by using
rb_attr_get() that does not check the existence of the variable. So use
it.
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Don't set in SSLContext#set_params when built with OpenSSL 1.1.0 or
newer.
The list was added as a workaround to exclude known weak cipher suites
([Bug #9424]). In OpenSSL <= 1.0.2, the default list (DEFAULT) included
even cipher suites using MD5. Now, OpenSSL 1.1.0 has better DEFAULT. So
make SSLContext#set_params just use it.
Here is the diff between our current explicit list and DEFAULT of
OpenSSL 1.1.0-pre6 (with sorted):
$ list_ruby=$(openssl ciphers -v $(ruby -ropenssl -e'puts OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:ciphers]') | sort)
$ list_default=$(openssl ciphers -v 'DEAFULT:!PSK:!SRP' | sort)
$ diff <(echo "$list_ruby") <(echo "$list_default")
7,12c7
< DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(128) Mac=AEAD
< DHE-DSS-AES128-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(128) Mac=SHA256
< DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
< DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(256) Mac=AEAD
< DHE-DSS-AES256-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(256) Mac=SHA256
< DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
---
> DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
18a14,15
> DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
> DHE-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
24a22,23
> ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
> ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=3DES(168) Mac=SHA1
30a30,31
> ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
> ECDHE-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=RSA Enc=3DES(168) Mac=SHA1
|
|\
| |
| |
| |
| |
| |
| | |
* topic/ssl-verify-hostname:
ssl: add verify_hostname option to SSLContext
test/test_ssl: avoid SSLContext#set_params where not required
Refactor common verify callback code
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
If a client sets this to true and enables SNI with SSLSocket#hostname=,
the hostname verification on the server certificate is performed
automatically during the handshake using
OpenSSL::SSL.verify_certificate_identity().
Currently an user who wants to do the hostname verification needs to
call SSLSocket#post_connection_check explicitly after the TLS connection
is established.
This commit also enables the option in SSLContext::DEFAULT_PARAMS.
Applications using SSLContext#set_params may be affected by this.
[GH ruby/openssl#8]
|
|/
|
|
| |
AES-GCM ciphers don't have upper-case sn.
|
|
|
|
|
|
| |
Mark OpenSSL::{Digest::Digest,Cipher::Cipher} as deprecated using
Module#deprecate_constant. They have been deprecated for years in the
documentation.
|
|\
| |
| |
| |
| | |
* topic/doc-ssl-sync-close:
Document OpenSSL::SSL::SSLSocket#sync_close
|
| |
| |
| |
| |
| | |
Add rdoc for OpenSSL::SSL::SSLSocket#sync_close, and mention it in the
example code in the rdoc for OpenSSL namespace. [GH ruby/openssl#11]
|
|\ \
| |/
|/| |
RC4 has insecure biases and both clients and servers should not be using it.
|
| |
| |
| |
| |
| |
| |
| |
| | |
This commit removes insecure RC4 ciper suites [1] from being used by
default. If needed, users can still specify the usage of it by
specifying it explicitly.
[1]: https://tools.ietf.org/html/rfc7465
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This fixes `make test-all TESTS=openssl` with OpenSSL master.
* test/openssl/test_x509name.rb: Don't register OID for 'emailAddress'
and 'serialNumber'. A recent change in OpenSSL made OBJ_create()
reject an already existing OID. They were needed to run tests with
OpenSSL 0.9.6 which is now unsupported.
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=52832e470f5fe8c222249ae5b539aeb3c74cdb25
[ruby-core:75225] [Feature #12324]
* test/openssl/test_ssl_session.rb (test_server_session): Duplicate
SSL::Session before re-adding to the session store. OpenSSL 1.1.0
starts rejecting SSL_SESSION once removed by SSL_CTX_remove_session().
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=7c2d4fee2547650102cd16d23f8125b76112ae75
* test/openssl/test_pkey_ec.rb (setup): Remove X25519 from @keys. X25519
is new in OpenSSL 1.1.0 but this is for key agreement and not for
signing.
* test/openssl/test_pair.rb, test/openssl/test_ssl.rb,
test/openssl/utils.rb: Set security level to 0 when using aNULL cipher
suites.
* test/openssl/utils.rb: Use 1024 bits DSA key for client certificates.
* test/openssl/test_engine.rb: Run each test in separate process.
We can no longer cleanup engines explicitly as ENGINE_cleanup() was
removed.
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=6d4fb1d59e61aacefa25edc4fe5acfe1ac93f743
* ext/openssl/ossl_engine.c (ossl_engine_s_cleanup): Add a note to the
RDoc for Engine.cleanup.
* ext/openssl/lib/openssl/digest.rb: Don't define constants for DSS,
DSS1 and SHA(-0) when using with OpenSSL 1.1.0. They are removed.
* test/openssl/test_digest.rb, test/openssl/test_pkey_dsa.rb,
test/openssl/test_pkey_dsa.rb, test/openssl/test_ssl.rb,
test/openssl/test_x509cert.rb, test/openssl/test_x509req.rb: Don't
test unsupported hash functions.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55314 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* ext/openssl/lib/openssl/ssl.rb (SSLSocket): Move the implementation of
SSLSocket#initialize to C. Initialize the SSL (OpenSSL object) in it.
Currently this is delayed until ossl_ssl_setup(), which is called from
SSLSocket#accept or #connect. Say we call SSLSocket#hostname= with an
illegal value. We expect an exception to be raised in #hostname= but
actually we get it in the later SSLSocket#connect. Because the SSL is
not ready at #hostname=, the actual call of SSL_set_tlsext_host_name()
is also delayed.
This also fixes: [ruby-dev:49376] [Bug #11724]
* ext/openssl/ossl_ssl.c (ossl_ssl_initialize): Added. Almost the same
as the Ruby version but this instantiate the SSL object at the same
time.
(ossl_ssl_setup): Adjust to the changes. Just set the underlying IO to
the SSL.
(ssl_started): Added. Make use of SSL_get_fd(). This returns -1 if not
yet set by SSL_set_fd().
(ossl_ssl_data_get_struct): Removed. Now GetSSL() checks that the SSL
exists.
(ossl_ssl_set_session): Don't call ossl_ssl_setup() here as now the
SSL is already instantiated in #initialize.
(ossl_ssl_shutdown, ossl_start_ssl, ossl_ssl_read_internal,
ossl_ssl_write_internal, ossl_ssl_stop, ossl_ssl_get_cert,
ossl_ssl_get_peer_cert, ossl_ssl_get_peer_cert_chain,
ossl_ssl_get_version, ossl_ssl_get_cipher, ossl_ssl_get_state,
ossl_ssl_pending, ossl_ssl_session_reused,
ossl_ssl_get_verify_result, ossl_ssl_get_client_ca_list,
ossl_ssl_npn_protocol, ossl_ssl_alpn_protocol, ossl_ssl_tmp_key): Use
GetSSL() instead of ossl_ssl_data_get_struct(). Use ssl_started().
(Init_ossl_ssl): Add method declarations of SSLSocket#{initialize,
hostname=}.
* ext/openssl/ossl_ssl.h (GetSSL): Check that the SSL is not NULL. It
should not be NULL because we now set it in #initialize.
* ext/openssl/ossl_ssl_session.c (ossl_ssl_session_initialize): No need
to check if the SSL is NULL.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55191 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
| |
| |
| |
| |
| |
| | |
* ext/openssl, test/openssl: Drop OpenSSL < 0.9.8 support.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55162 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* ext/openssl/ossl_ssl.c (ossl_ssl_stop): Don't free the SSL struct
here. Since some methods such as SSLSocket#connect releases GVL,
there is a chance of use after free if we free the SSL from another
thread. SSLSocket#stop was documented as "prepares it for another
connection" so this is a slightly incompatible change. However when
this sentence was added (r30090, Add toplevel documentation for
OpenSSL, 2010-12-06), it didn't actually. The current behavior is
from r40304 (Correct shutdown behavior w.r.t GC., 2013-04-15).
[ruby-core:74978] [Bug #12292]
* ext/openssl/lib/openssl/ssl.rb (sysclose): Update doc.
* test/openssl/test_ssl.rb: Test this.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55100 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|/
|
|
|
|
|
|
| |
* ext/openssl/lib/openssl/buffering.rb (read_nonblock, readpartial):
Remove impossible EOFError raise. Patch by Zach Anker
<zanker@squareup.com>. [GH ruby/openssl#23]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55097 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
| |
|
|
|
|
|
|
| |
512-bit DH keys are severely weak and have been implicated in recent attacks:
https://weakdh.org/
|
| |
|
| |
|
|
|
|
|
|
| |
v1.1"
This reverts commit a504359950f86f96ef2477920b56027f5b7f4fb2.
|
|
|
|
| |
See ruby/ruby#873.
|
| |
|
|
|
|
| |
See also r50351 from ruby/ruby#876
|
|
|
|
| |
Thanks to @nahi for the tests and initial documentation.
|
| |
|
|
|
|
| |
Commit ruby/ruby@c1bad6040865d08a8f391b7e2beca6a6b66355e7
|