| Commit message | Author | Age | Files | Lines |
The OpenSSL::VERSION constant is now defined by lib/openssl/version.rb
instead of by the extension. Add missing require statement.
Fixes: 0cddb0b736c8 ("Simplify handling of version constant.", 2019-10-31)
Reference: https://github.com/ruby/openssl/issues/347
OpenSSL::Config is currently implemented in Ruby, but we plan to revert
back to using the OpenSSL API, just as it did before r28632 (in ruby_1_8;
r29048 in trunk). It's not clear what the issue with Windows was, but
the CONF library should work on Windows too.
Modifying a CONF object is not possible in the OpenSSL API. Actually, it
was possible in previous versions of OpenSSL, but we used their
internal functions that are not exposed in shared libraries anymore.
Accordingly, OpenSSL::Config#add_value and #[]= have to be removed. As
a first step towards the change, let's deprecate those methods.
It breaks when compiled in the ruby source tree.
add ca_issuer_uris and ocsp_uris description to the changelog
add helper to access information and services for the issuer of the Certificate
This allows for example to use Rails' cache to store these objects. Without this patch you'd get errors like "TypeError (no _dump_data is defined for class OpenSSL::X509::Certificate)"
Note that the X509::Revoked class doesn't need the newly introduced modules as the DER output of X509::CRL already includes these.
secure_compare is for user input; fixed_length_secure_compare is for already processed data that is known to have the same length.
At the moment OpenSSL::Buffering#do_write allocates some additional
strings, and in my profiling writing 5MB of data allocates an additional
7.7MB of strings.
This patch greatly reduces memory allocations, and now writing 5MB of
data allocates only an additional 0.2MB of strings. This means that large
file uploads would effectively not allocate additional memory anymore.
Reference: https://bugs.ruby-lang.org/issues/14426
Reference: https://github.com/ruby/ruby/pull/1924
* ext/openssl/lib/openssl/buffering.rb (do_write, puts): output
methods should not be affected by the input record separator.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@62038 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Sync-with-trunk: r62038
IPv6 SAN-verification accommodates
["zero-compression"](https://tools.ietf.org/html/rfc5952#section-2.2).
It also accommodates non-compressed addresses.
Previously the verification of IPv6 addresses would fail unless the
address syntax matched a specific format (no zero-compression, no
leading zeroes).
As an example, the IPv6 loopback address, if represented as `::1`, would
not verify. Nor would it verify if represented as
`0000:0000:0000:0000:0000:0000:0000:0001`; however, both representations
are valid, RFC-compliant representations. The library would only accept
a very specific representation (i.e. `0:0:0:0:0:0:0:1`).
This commit addresses that shortcoming, and ensures that any valid IPv6
representation will correctly verify.
pkey/ec: add support for octet string encoding of EC point
Add a new method named PKey::EC#to_octet_string that returns the octet
string representation of the curve point. PKey::EC::Point#to_bn, which
already existed and is similar except that an instance of
OpenSSL::BN is returned, is rewritten in Ruby.
PKey::EC::Point#initialize now takes a String as the second argument in
the PKey::EC::Point.new(group, encoded_point) form.
Also, update the tests to use #to_octet_string instead of #to_bn for
better readability.
buffering: let #write accept multiple arguments
As of Ruby 2.5, IO#write accepts multiple input strings and writes them
at once[1]. Follow that.
[1] https://bugs.ruby-lang.org/issues/9323
x509*: implement ==
* ky/ssl-version-min-max:
ssl: fix conflict of options in SSLContext#set_params
Use caller with length to reduce unused strings
Make SSLContext#set_params call #options= first.
SSLContext#set_params by default disables SSL 2.0 and SSL 3.0 by calling
SSLContext#min_version=. After that, it sets the SSL option flags by
calling SSLContext#options=.
This is problematic when built with OpenSSL before 1.1.0 because
SSLContext#min_version= achieves its goal using the SSL_OP_NO_{SSL,TLS}*
options. Since the subsequent SSLContext#options= call replaces the
flags rather than ORing them together, this results in effectively
disabling the min_version setting in SSLContext::DEFAULT_PARAMS.
The issue was first fixed in the Ruby trunk tree, as part of r60310 ("fix
OpenSSL::SSL::SSLContext#min_version doesn't work", 2017-10-21).
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@60288 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Allow the attribute value to contain ',', just as the openssl utility's
parse_name() function does.
Fixes: https://github.com/ruby/openssl/issues/39
Reimplement SSLContext#ssl_version= as a wrapper around
SSLContext#min_version= and #max_version=.
SSLContext#ssl_version= used to call SSL_CTX_set_ssl_version() which
replaces the SSL method used for the connections created from the SSL
context. This is mainly used for forcing a specific SSL/TLS protocol
version.
As of OpenSSL 1.1.0, however, use of the version-specific SSL methods
such as TLSv1_method() is deprecated. Follow the current recommendation
-- to use the generic SSL method always and to control the supported
version range by SSL_CTX_set_{min,max}_proto_version(). Actually, we
have already started doing a similar thing when the extension is
compiled with OpenSSL 1.1.0.
OpenSSL::SSL::SSLContext::METHODS, which contained the possible names of
SSL methods, is not useful anymore. It is now deprecate_constant-ed.
Add methods that set the minimum and maximum supported protocol versions
for the SSL context. If the OpenSSL library supports them, use
SSL_CTX_set_{min,max}_proto_version(), which do the exact thing.
Otherwise, simulate by combining SSL_OP_NO_{SSL,TLS}v* flags.
The new methods are meant to replace the deprecated #ssl_version=, which
cannot support multiple protocol versions.
SSLContext::DEFAULT_PARAMS is also updated to use the new
SSLContext#min_version=.
The 'keylen' parameter of the tmp_dh_callback is only meaningful when
'is_export' is non-zero. Ignore them and just return the default
2048-bit DH group.
Follow-up commit eaffc69e40ab ("ssl: move default DH parameters from
OpenSSL::PKey::DH", 2017-01-23). Those constants shouldn't be used
directly.