path: root/lib
Commit message | Author | Age | Files | Lines
* ssl: add verify_hostname option to SSLContext [topic/ssl-verify-hostname] | Kazuki Yamaguchi | 2016-07-23 | 1 | -3/+8
|   If a client sets this to true and enables SNI with SSLSocket#hostname=, the hostname verification on the server certificate is performed automatically during the handshake using OpenSSL::SSL.verify_certificate_identity(). Currently a user who wants to do the hostname verification needs to call SSLSocket#post_connection_check explicitly after the TLS connection is established. This commit also enables the option in SSLContext::DEFAULT_PARAMS. Applications using SSLContext#set_params may be affected by this. [GH ruby/openssl#8]
* Deprecate constant OpenSSL::Digest::Digest and OpenSSL::Cipher::Cipher | Kazuki Yamaguchi | 2016-07-09 | 2 | -13/+9
|   Mark OpenSSL::{Digest::Digest,Cipher::Cipher} as deprecated using Module#deprecate_constant. They have been deprecated for years in the documentation.
* Merge branch 'topic/doc-ssl-sync-close' | Kazuki Yamaguchi | 2016-07-09 | 1 | -0/+4
|\
| |   * topic/doc-ssl-sync-close:
| |     Document OpenSSL::SSL::SSLSocket#sync_close
| * Document OpenSSL::SSL::SSLSocket#sync_close [topic/doc-ssl-sync-close] | Kazuki Yamaguchi | 2016-07-09 | 1 | -0/+4
| |   Add rdoc for OpenSSL::SSL::SSLSocket#sync_close, and mention it in the example code in the rdoc for OpenSSL namespace. [GH ruby/openssl#11]
* | Merge pull request #50 from jsyeo/jsyeo-remove-rc4 | Kazuki Yamaguchi | 2016-07-05 | 1 | -3/+0
|\ \
| |/
|/|   RC4 has insecure biases and both clients and servers should not be using it.
| * Remove RC4 cipher suites from SSLContext::DEFAULT_PARAMS | Jason Yeo | 2016-07-04 | 1 | -3/+0
| |   This commit removes insecure RC4 cipher suites [1] from being used by default. If needed, users can still specify the usage of it by specifying it explicitly.
| |   [1]: https://tools.ietf.org/html/rfc7465
* | openssl: adjust tests for OpenSSL 1.1.0 | rhe | 2016-06-09 | 1 | -1/+4
| |   This fixes `make test-all TESTS=openssl` with OpenSSL master.
| |   * test/openssl/test_x509name.rb: Don't register OID for 'emailAddress' and 'serialNumber'. A recent change in OpenSSL made OBJ_create() reject an already existing OID. They were needed to run tests with OpenSSL 0.9.6 which is now unsupported. https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=52832e470f5fe8c222249ae5b539aeb3c74cdb25 [ruby-core:75225] [Feature #12324]
| |   * test/openssl/test_ssl_session.rb (test_server_session): Duplicate SSL::Session before re-adding to the session store. OpenSSL 1.1.0 starts rejecting SSL_SESSION once removed by SSL_CTX_remove_session(). https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=7c2d4fee2547650102cd16d23f8125b76112ae75
| |   * test/openssl/test_pkey_ec.rb (setup): Remove X25519 from @keys. X25519 is new in OpenSSL 1.1.0 but this is for key agreement and not for signing.
| |   * test/openssl/test_pair.rb, test/openssl/test_ssl.rb, test/openssl/utils.rb: Set security level to 0 when using aNULL cipher suites.
| |   * test/openssl/utils.rb: Use 1024 bits DSA key for client certificates.
| |   * test/openssl/test_engine.rb: Run each test in separate process. We can no longer cleanup engines explicitly as ENGINE_cleanup() was removed. https://git.openssl.org/gitweb/?p=openssl.git;a=commit;h=6d4fb1d59e61aacefa25edc4fe5acfe1ac93f743
| |   * ext/openssl/ossl_engine.c (ossl_engine_s_cleanup): Add a note to the RDoc for Engine.cleanup.
| |   * ext/openssl/lib/openssl/digest.rb: Don't define constants for DSS, DSS1 and SHA(-0) when using with OpenSSL 1.1.0. They are removed.
| |   * test/openssl/test_digest.rb, test/openssl/test_pkey_dsa.rb, test/openssl/test_pkey_dsa.rb, test/openssl/test_ssl.rb, test/openssl/test_x509cert.rb, test/openssl/test_x509req.rb: Don't test unsupported hash functions.
| |   git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55314 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* | openssl: move SSLSocket#initialize to C extension | rhe | 2016-05-31 | 1 | -35/+6
| |   * ext/openssl/lib/openssl/ssl.rb (SSLSocket): Move the implementation of SSLSocket#initialize to C. Initialize the SSL (OpenSSL object) in it. Currently this is delayed until ossl_ssl_setup(), which is called from SSLSocket#accept or #connect. Say we call SSLSocket#hostname= with an illegal value. We expect an exception to be raised in #hostname= but actually we get it in the later SSLSocket#connect. Because the SSL is not ready at #hostname=, the actual call of SSL_set_tlsext_host_name() is also delayed. This also fixes: [ruby-dev:49376] [Bug #11724]
| |   * ext/openssl/ossl_ssl.c (ossl_ssl_initialize): Added. Almost the same as the Ruby version but this instantiates the SSL object at the same time.
| |     (ossl_ssl_setup): Adjust to the changes. Just set the underlying IO to the SSL.
| |     (ssl_started): Added. Make use of SSL_get_fd(). This returns -1 if not yet set by SSL_set_fd().
| |     (ossl_ssl_data_get_struct): Removed. Now GetSSL() checks that the SSL exists.
| |     (ossl_ssl_set_session): Don't call ossl_ssl_setup() here as now the SSL is already instantiated in #initialize.
| |     (ossl_ssl_shutdown, ossl_start_ssl, ossl_ssl_read_internal, ossl_ssl_write_internal, ossl_ssl_stop, ossl_ssl_get_cert, ossl_ssl_get_peer_cert, ossl_ssl_get_peer_cert_chain, ossl_ssl_get_version, ossl_ssl_get_cipher, ossl_ssl_get_state, ossl_ssl_pending, ossl_ssl_session_reused, ossl_ssl_get_verify_result, ossl_ssl_get_client_ca_list, ossl_ssl_npn_protocol, ossl_ssl_alpn_protocol, ossl_ssl_tmp_key): Use GetSSL() instead of ossl_ssl_data_get_struct(). Use ssl_started().
| |     (Init_ossl_ssl): Add method declarations of SSLSocket#{initialize, hostname=}.
| |   * ext/openssl/ossl_ssl.h (GetSSL): Check that the SSL is not NULL. It should not be NULL because we now set it in #initialize.
| |   * ext/openssl/ossl_ssl_session.c (ossl_ssl_session_initialize): No need to check if the SSL is NULL.
| |   git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55191 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* | openssl: drop OpenSSL 0.9.6/0.9.7 support | rhe | 2016-05-31 | 1 | -6/+3
| |   * ext/openssl, test/openssl: Drop OpenSSL < 0.9.8 support.
| |   git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55162 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* | openssl: fix possible SEGV on race between SSLSocket#stop and #connect | rhe | 2016-05-31 | 1 | -1/+4
| |   * ext/openssl/ossl_ssl.c (ossl_ssl_stop): Don't free the SSL struct here. Since some methods such as SSLSocket#connect release GVL, there is a chance of use after free if we free the SSL from another thread. SSLSocket#stop was documented as "prepares it for another connection" so this is a slightly incompatible change. However when this sentence was added (r30090, Add toplevel documentation for OpenSSL, 2010-12-06), it didn't actually. The current behavior is from r40304 (Correct shutdown behavior w.r.t GC., 2013-04-15). [ruby-core:74978] [Bug #12292]
| |   * ext/openssl/lib/openssl/ssl.rb (sysclose): Update doc.
| |   * test/openssl/test_ssl.rb: Test this.
| |   git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55100 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* | openssl: remove impossible EOFError raise in OpenSSL::Buffering | rhe | 2016-05-31 | 1 | -2/+0
|/
|   * ext/openssl/lib/openssl/buffering.rb (read_nonblock, readpartial): Remove impossible EOFError raise. Patch by Zach Anker <zanker@squareup.com>. [GH ruby/openssl#23]
|   git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55097 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* support 2048 bit length DH-key | SHIBATA Hiroshi | 2016-01-15 | 1 | -0/+12
|
* Remove 512-bit DH group | Tony Arcieri | 2016-01-07 | 1 | -8/+0
|   512-bit DH keys are severely weak and have been implicated in recent attacks: https://weakdh.org/
* sync code from upstream | SHIBATA Hiroshi | 2015-12-30 | 9 | -1/+10
|
* Merge trunk upstream | Zachary Scott | 2015-11-13 | 1 | -3/+3
|
* Revert "Prefer TLS v1.2 to follow "secure defaults" and disable TLS v1.0 and ↵ | Zachary Scott | 2015-10-13 | 1 | -2/+1
|   v1.1"
|   This reverts commit a504359950f86f96ef2477920b56027f5b7f4fb2.
* Prefer TLS v1.2 to follow "secure defaults" and disable TLS v1.0 and v1.1 | Zachary Scott | 2015-10-08 | 1 | -1/+2
|   See ruby/ruby#873.
* Sync with ruby trunk | Zachary Scott | 2015-09-23 | 8 | -56/+164
|
* Apply ruby/ruby@325a50fc572516a171d640765d6ddf9b20be14dc to fix typos | Zachary Scott | 2015-05-04 | 8 | -8/+8
|   See also r50351 from ruby/ruby#876
* Stricter hostname verification following RFC 6125. | Tony Arcieri | 2015-04-09 | 1 | -4/+58
|   Thanks to @nahi for the tests and initial documentation.
* OpenSSL::VERSION is already defined | Zachary Scott | 2014-11-21 | 1 | -3/+0
|
* Sync with ruby trunk | Zachary Scott | 2014-11-21 | 1 | -1/+1
|   Commit ruby/ruby@c1bad6040865d08a8f391b7e2beca6a6b66355e7
* Start at 1.0.0 | Zachary Scott | 2014-10-28 | 1 | -1/+1
|
* added dummy version file | SHIBATA Hiroshi | 2014-10-27 | 1 | -0/+3
|
* import ruby trunk | SHIBATA Hiroshi | 2014-10-27 | 9 | -7/+1586
|
* bundle gem openssl | SHIBATA Hiroshi | 2014-10-27 | 2 | -0/+8