aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorKazuki Yamaguchi <k@rhe.jp>2016-05-04 22:41:49 +0900
committerKazuki Yamaguchi <k@rhe.jp>2016-05-14 20:00:57 +0900
commitfe41d4091a9ea9c5d823cda52205e1daab316aaf (patch)
treed940730be9e6b08874895fd799f16999edff32c0
parent8b5f03e697510176d9a03e18ca058217221d7c46 (diff)
downloadruby-fe41d4091a9ea9c5d823cda52205e1daab316aaf.tar.gz
ext/openssl: avoid using deprecated protocol version specific methods
They emit warnings with OpenSSL 1.1.0. Instead use SSL_CTX_set_{min,max}_proto_version().
-rw-r--r--ext/openssl/extconf.rb1
-rw-r--r--ext/openssl/ossl_ssl.c77
2 files changed, 43 insertions, 35 deletions
diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
index 9aeb3de9a6..c0d1e841d6 100644
--- a/ext/openssl/extconf.rb
+++ b/ext/openssl/extconf.rb
@@ -109,6 +109,7 @@ OpenSSL.check_func_or_macro("SSL_get_server_tmp_key", "openssl/ssl.h")
OpenSSL.check_func("RAND_pseudo_bytes", "openssl/rand.h") # deprecated
have_func("X509_STORE_get_ex_data")
have_func("X509_STORE_set_ex_data")
+OpenSSL.check_func_or_macro("SSL_CTX_set_min_proto_version", "openssl/ssl.h")
have_struct_member("X509_ATTRIBUTE", "single", "openssl/x509.h")
Logging::message "=== Checking done. ===\n"
diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
index b80e037a3c..4377f4045f 100644
--- a/ext/openssl/ossl_ssl.c
+++ b/ext/openssl/ossl_ssl.c
@@ -84,35 +84,35 @@ static VALUE sym_exception, sym_wait_readable, sym_wait_writable;
*/
static const struct {
const char *name;
- SSL_METHOD *(*func)(void);
+ SSL_METHOD *(*func)(void); /* FIXME: constify when dropping 0.9.8 */
+ int version;
} ossl_ssl_method_tab[] = {
-#define OSSL_SSL_METHOD_ENTRY(name) { #name, (SSL_METHOD *(*)(void))name##_method }
- OSSL_SSL_METHOD_ENTRY(TLSv1),
- OSSL_SSL_METHOD_ENTRY(TLSv1_server),
- OSSL_SSL_METHOD_ENTRY(TLSv1_client),
-#if defined(HAVE_TLSV1_2_METHOD)
- OSSL_SSL_METHOD_ENTRY(TLSv1_2),
- OSSL_SSL_METHOD_ENTRY(TLSv1_2_server),
- OSSL_SSL_METHOD_ENTRY(TLSv1_2_client),
-#endif
-#if defined(HAVE_TLSV1_1_METHOD)
- OSSL_SSL_METHOD_ENTRY(TLSv1_1),
- OSSL_SSL_METHOD_ENTRY(TLSv1_1_server),
- OSSL_SSL_METHOD_ENTRY(TLSv1_1_client),
+#if defined(HAVE_SSL_CTX_SET_MIN_PROTO_VERSION)
+/* OpenSSL 1.1.0; version specific method is deprecated */
+#define OSSL_SSL_METHOD_ENTRY(name, version) \
+ { #name, (SSL_METHOD *(*)(void))TLS_method, version }, \
+ { #name"_server", (SSL_METHOD *(*)(void))TLS_server_method, version }, \
+ { #name"_client", (SSL_METHOD *(*)(void))TLS_client_method, version }
+#else
+#define OSSL_SSL_METHOD_ENTRY(name, version) \
+ { #name, (SSL_METHOD *(*)(void))name##_method, version }, \
+ { #name"_server", (SSL_METHOD *(*)(void))name##_server_method, version }, \
+ { #name"_client", (SSL_METHOD *(*)(void))name##_client_method, version }
#endif
#if defined(HAVE_SSLV2_METHOD)
- OSSL_SSL_METHOD_ENTRY(SSLv2),
- OSSL_SSL_METHOD_ENTRY(SSLv2_server),
- OSSL_SSL_METHOD_ENTRY(SSLv2_client),
+ OSSL_SSL_METHOD_ENTRY(SSLv2, SSL2_VERSION),
#endif
#if defined(HAVE_SSLV3_METHOD)
- OSSL_SSL_METHOD_ENTRY(SSLv3),
- OSSL_SSL_METHOD_ENTRY(SSLv3_server),
- OSSL_SSL_METHOD_ENTRY(SSLv3_client),
+ OSSL_SSL_METHOD_ENTRY(SSLv3, SSL3_VERSION),
+#endif
+ OSSL_SSL_METHOD_ENTRY(TLSv1, TLS1_VERSION),
+#if defined(HAVE_TLSV1_1_METHOD)
+ OSSL_SSL_METHOD_ENTRY(TLSv1_1, TLS1_1_VERSION),
+#endif
+#if defined(HAVE_TLSV1_2_METHOD)
+ OSSL_SSL_METHOD_ENTRY(TLSv1_2, TLS1_2_VERSION),
#endif
- OSSL_SSL_METHOD_ENTRY(SSLv23),
- OSSL_SSL_METHOD_ENTRY(SSLv23_server),
- OSSL_SSL_METHOD_ENTRY(SSLv23_client),
+ OSSL_SSL_METHOD_ENTRY(SSLv23, 0),
#undef OSSL_SSL_METHOD_ENTRY
};
@@ -171,30 +171,37 @@ ossl_sslctx_s_alloc(VALUE klass)
static VALUE
ossl_sslctx_set_ssl_version(VALUE self, VALUE ssl_method)
{
- SSL_METHOD *method = NULL;
+ SSL_CTX *ctx;
const char *s;
VALUE m = ssl_method;
int i;
- SSL_CTX *ctx;
+ GetSSLCTX(self, ctx);
if (RB_TYPE_P(ssl_method, T_SYMBOL))
m = rb_sym2str(ssl_method);
s = StringValueCStr(m);
for (i = 0; i < numberof(ossl_ssl_method_tab); i++) {
if (strcmp(ossl_ssl_method_tab[i].name, s) == 0) {
- method = ossl_ssl_method_tab[i].func();
- break;
+ SSL_METHOD *method = ossl_ssl_method_tab[i].func();
+#if defined(HAVE_SSL_CTX_SET_MIN_PROTO_VERSION)
+ int version = ossl_ssl_method_tab[i].version;
+#endif
+
+ if (SSL_CTX_set_ssl_version(ctx, method) != 1) {
+ ossl_raise(eSSLError, "SSL_CTX_set_ssl_version");
+ }
+#if defined(HAVE_SSL_CTX_SET_MIN_PROTO_VERSION)
+ /* having SSL_CTX_set_min_proto_version() means versions specific methods is deprecated */
+ if (!SSL_CTX_set_min_proto_version(ctx, version) ||
+ !SSL_CTX_set_max_proto_version(ctx, version)) {
+ ossl_raise(eSSLError, "SSL_CTX_set_{min,max}_proto_version");
+ }
+#endif
+ return ssl_method;
}
}
- if (!method) {
- ossl_raise(rb_eArgError, "unknown SSL method `%"PRIsVALUE"'.", m);
- }
- GetSSLCTX(self, ctx);
- if (SSL_CTX_set_ssl_version(ctx, method) != 1) {
- ossl_raise(eSSLError, "SSL_CTX_set_ssl_version");
- }
- return ssl_method;
+ ossl_raise(rb_eArgError, "unknown SSL method `%"PRIsVALUE"'.", m);
}
static VALUE