diff options
author | Kazuki Yamaguchi <k@rhe.jp> | 2023-08-10 02:45:15 +0900 |
---|---|---|
committer | Kazuki Yamaguchi <k@rhe.jp> | 2023-08-16 14:48:41 +0900 |
commit | 01d368e7b06ccf34f92c535a117a2856956d2bcb (patch) | |
tree | c0db2e2f8a590b768cb266d1b04ccfc184e52cb3 /ext/openssl/ossl_asn1.c | |
parent | 8dd5c20224771abacfcfba848d9465131f14f3fe (diff) | |
download | ruby-01d368e7b06ccf34f92c535a117a2856956d2bcb.tar.gz |
[ruby/openssl] ssl: raise SSLError if loading ca_file or ca_path fails
When compiled with OpenSSL <= 1.1.1, OpenSSL::SSL::SSLContext#setup
does not raise an exception on an error return from
SSL_CTX_load_verify_locations(), but instead only prints a verbose-mode
warning. This is not helpful since it very likely indicates an actual
error, such as the specified file not being readable.
Also, OpenSSL's error queue is not correctly cleared:
$ ruby -w -ropenssl -e'OpenSSL.debug=true; ctx=OpenSSL::SSL::SSLContext.new; ctx.ca_file="bad-path"; ctx.setup; pp OpenSSL.errors'
-e:1: warning: can't set verify locations
["error:02001002:system library:fopen:No such file or directory",
"error:2006D080:BIO routines:BIO_new_file:no such file",
"error:0B084002:x509 certificate routines:X509_load_cert_crl_file: system lib"]
The behavior is currently different when compiled with OpenSSL >= 3.0:
SSLError is raised if SSL_CTX_load_verify_file() or
SSL_CTX_load_verify_dir() fails.
This inconsistency was unintentionally introduced by commit https://github.com/ruby/openssl/commit/5375a55ffc35
("ssl: use SSL_CTX_load_verify_{file,dir}() if available", 2020-02-22).
However, raising SSLError seems more appropriate in this situation.
Let's adjust the OpenSSL <= 1.1.1 code so that it behaves the same way
as the OpenSSL >= 3.0 code currently does.
Fixes: https://github.com/ruby/openssl/issues/649
https://github.com/ruby/openssl/commit/7eb10f7b75
Diffstat (limited to 'ext/openssl/ossl_asn1.c')
0 files changed, 0 insertions, 0 deletions