| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|
|
|
|
|
|
| |
* parse.y (parser_yylex): warn ambiguous parentheses after a space
in method definitions.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@56927 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|
|
|
|
|
| |
* lib/openssl/buffering.rb
(read_nonblock, write_nonblock): document `exception: false'
[ruby-core:73882] [Feature #12085]
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
Use rb_attr_get() instead of rb_iv_get() so that we can remove
SSLContext::INIT_VARS.
SSLContext::INIT_VARS contains the names of the instance variables used
in SSLContext. SSLContext#initialize sets nil for those variables. It
is necessary to suppress "instance variable @foo not initialized"
warnings emitted by rb_iv_get(). The warnings can be avoided by using
rb_attr_get() that does not check the existence of the variable. So use
it.
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Don't set in SSLContext#set_params when built with OpenSSL 1.1.0 or
newer.
The list was added as a workaround to exclude known weak cipher suites
([Bug #9424]). In OpenSSL <= 1.0.2, the default list (DEFAULT) included
even cipher suites using MD5. Now, OpenSSL 1.1.0 has better DEFAULT. So
make SSLContext#set_params just use it.
Here is the diff between our current explicit list and DEFAULT of
OpenSSL 1.1.0-pre6 (with sorted):
$ list_ruby=$(openssl ciphers -v $(ruby -ropenssl -e'puts OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:ciphers]') | sort)
$ list_default=$(openssl ciphers -v 'DEAFULT:!PSK:!SRP' | sort)
$ diff <(echo "$list_ruby") <(echo "$list_default")
7,12c7
< DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(128) Mac=AEAD
< DHE-DSS-AES128-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(128) Mac=SHA256
< DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
< DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=DSS Enc=AESGCM(256) Mac=AEAD
< DHE-DSS-AES256-SHA256 TLSv1.2 Kx=DH Au=DSS Enc=AES(256) Mac=SHA256
< DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
---
> DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
18a14,15
> DHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=DH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
> DHE-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
24a22,23
> ECDHE-ECDSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
> ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=3DES(168) Mac=SHA1
30a30,31
> ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 Kx=ECDH Au=RSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
> ECDHE-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=RSA Enc=3DES(168) Mac=SHA1
|
|\
| |
| |
| |
| |
| |
| | |
* topic/ssl-verify-hostname:
ssl: add verify_hostname option to SSLContext
test/test_ssl: avoid SSLContext#set_params where not required
Refactor common verify callback code
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
If a client sets this to true and enables SNI with SSLSocket#hostname=,
the hostname verification on the server certificate is performed
automatically during the handshake using
OpenSSL::SSL.verify_certificate_identity().
Currently an user who wants to do the hostname verification needs to
call SSLSocket#post_connection_check explicitly after the TLS connection
is established.
This commit also enables the option in SSLContext::DEFAULT_PARAMS.
Applications using SSLContext#set_params may be affected by this.
[GH ruby/openssl#8]
|
|/
|
|
| |
AES-GCM ciphers don't have upper-case sn.
|
|
|
|
|
|
| |
Mark OpenSSL::{Digest::Digest,Cipher::Cipher} as deprecated using
Module#deprecate_constant. They have been deprecated for years in the
documentation.
|
|\
| |
| |
| |
| | |
* topic/doc-ssl-sync-close:
Document OpenSSL::SSL::SSLSocket#sync_close
|
| |
| |
| |
| |
| | |
Add rdoc for OpenSSL::SSL::SSLSocket#sync_close, and mention it in the
example code in the rdoc for OpenSSL namespace. [GH ruby/openssl#11]
|
|\ \
| |/
|/| |
RC4 has insecure biases and both clients and servers should not be using it.
|
| |
| |
| |
| |
| |
| |
| |
| | |
This commit removes insecure RC4 ciper suites [1] from being used by
default. If needed, users can still specify the usage of it by
specifying it explicitly.
[1]: https://tools.ietf.org/html/rfc7465
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This fixes `make test-all TESTS=openssl` with OpenSSL master.
* test/openssl/test_x509name.rb: Don't register OID for 'emailAddress'
and 'serialNumber'. A recent change in OpenSSL made OBJ_create()
reject an already existing OID. They were needed to run tests with
OpenSSL 0.9.6 which is now unsupported.
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=52832e470f5fe8c222249ae5b539aeb3c74cdb25
[ruby-core:75225] [Feature #12324]
* test/openssl/test_ssl_session.rb (test_server_session): Duplicate
SSL::Session before re-adding to the session store. OpenSSL 1.1.0
starts rejecting SSL_SESSION once removed by SSL_CTX_remove_session().
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=7c2d4fee2547650102cd16d23f8125b76112ae75
* test/openssl/test_pkey_ec.rb (setup): Remove X25519 from @keys. X25519
is new in OpenSSL 1.1.0 but this is for key agreement and not for
signing.
* test/openssl/test_pair.rb, test/openssl/test_ssl.rb,
test/openssl/utils.rb: Set security level to 0 when using aNULL cipher
suites.
* test/openssl/utils.rb: Use 1024 bits DSA key for client certificates.
* test/openssl/test_engine.rb: Run each test in separate process.
We can no longer cleanup engines explicitly as ENGINE_cleanup() was
removed.
https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=6d4fb1d59e61aacefa25edc4fe5acfe1ac93f743
* ext/openssl/ossl_engine.c (ossl_engine_s_cleanup): Add a note to the
RDoc for Engine.cleanup.
* ext/openssl/lib/openssl/digest.rb: Don't define constants for DSS,
DSS1 and SHA(-0) when using with OpenSSL 1.1.0. They are removed.
* test/openssl/test_digest.rb, test/openssl/test_pkey_dsa.rb,
test/openssl/test_pkey_dsa.rb, test/openssl/test_ssl.rb,
test/openssl/test_x509cert.rb, test/openssl/test_x509req.rb: Don't
test unsupported hash functions.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55314 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* ext/openssl/lib/openssl/ssl.rb (SSLSocket): Move the implementation of
SSLSocket#initialize to C. Initialize the SSL (OpenSSL object) in it.
Currently this is delayed until ossl_ssl_setup(), which is called from
SSLSocket#accept or #connect. Say we call SSLSocket#hostname= with an
illegal value. We expect an exception to be raised in #hostname= but
actually we get it in the later SSLSocket#connect. Because the SSL is
not ready at #hostname=, the actual call of SSL_set_tlsext_host_name()
is also delayed.
This also fixes: [ruby-dev:49376] [Bug #11724]
* ext/openssl/ossl_ssl.c (ossl_ssl_initialize): Added. Almost the same
as the Ruby version but this instantiate the SSL object at the same
time.
(ossl_ssl_setup): Adjust to the changes. Just set the underlying IO to
the SSL.
(ssl_started): Added. Make use of SSL_get_fd(). This returns -1 if not
yet set by SSL_set_fd().
(ossl_ssl_data_get_struct): Removed. Now GetSSL() checks that the SSL
exists.
(ossl_ssl_set_session): Don't call ossl_ssl_setup() here as now the
SSL is already instantiated in #initialize.
(ossl_ssl_shutdown, ossl_start_ssl, ossl_ssl_read_internal,
ossl_ssl_write_internal, ossl_ssl_stop, ossl_ssl_get_cert,
ossl_ssl_get_peer_cert, ossl_ssl_get_peer_cert_chain,
ossl_ssl_get_version, ossl_ssl_get_cipher, ossl_ssl_get_state,
ossl_ssl_pending, ossl_ssl_session_reused,
ossl_ssl_get_verify_result, ossl_ssl_get_client_ca_list,
ossl_ssl_npn_protocol, ossl_ssl_alpn_protocol, ossl_ssl_tmp_key): Use
GetSSL() instead of ossl_ssl_data_get_struct(). Use ssl_started().
(Init_ossl_ssl): Add method declarations of SSLSocket#{initialize,
hostname=}.
* ext/openssl/ossl_ssl.h (GetSSL): Check that the SSL is not NULL. It
should not be NULL because we now set it in #initialize.
* ext/openssl/ossl_ssl_session.c (ossl_ssl_session_initialize): No need
to check if the SSL is NULL.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55191 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
| |
| |
| |
| |
| |
| | |
* ext/openssl, test/openssl: Drop OpenSSL < 0.9.8 support.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55162 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
* ext/openssl/ossl_ssl.c (ossl_ssl_stop): Don't free the SSL struct
here. Since some methods such as SSLSocket#connect releases GVL,
there is a chance of use after free if we free the SSL from another
thread. SSLSocket#stop was documented as "prepares it for another
connection" so this is a slightly incompatible change. However when
this sentence was added (r30090, Add toplevel documentation for
OpenSSL, 2010-12-06), it didn't actually. The current behavior is
from r40304 (Correct shutdown behavior w.r.t GC., 2013-04-15).
[ruby-core:74978] [Bug #12292]
* ext/openssl/lib/openssl/ssl.rb (sysclose): Update doc.
* test/openssl/test_ssl.rb: Test this.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55100 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
|/
|
|
|
|
|
|
| |
* ext/openssl/lib/openssl/buffering.rb (read_nonblock, readpartial):
Remove impossible EOFError raise. Patch by Zach Anker
<zanker@squareup.com>. [GH ruby/openssl#23]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55097 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
|
| |
|
|
|
|
|
|
| |
512-bit DH keys are severely weak and have been implicated in recent attacks:
https://weakdh.org/
|
| |
|
| |
|
|
|
|
|
|
| |
v1.1"
This reverts commit a504359950f86f96ef2477920b56027f5b7f4fb2.
|
|
|
|
| |
See ruby/ruby#873.
|
| |
|
|
|
|
| |
See also r50351 from ruby/ruby#876
|
|
|
|
| |
Thanks to @nahi for the tests and initial documentation.
|
| |
|
|
|
|
| |
Commit ruby/ruby@c1bad6040865d08a8f391b7e2beca6a6b66355e7
|
| |
|
| |
|
| |
|
|
|