diff options
author | emboss <emboss@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2012-12-18 02:02:43 +0000 |
---|---|---|
committer | emboss <emboss@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2012-12-18 02:02:43 +0000 |
commit | 84f1dae9d637a2038d1b395bcc2f22404770d2d7 (patch) | |
tree | 81b323155d26e9eeb2cd8cd4241bbe642dc49ff2 /test/openssl | |
parent | f5a32acb97dec5c798001f2eb6d31bb78fda0113 (diff) | |
download | ruby-84f1dae9d637a2038d1b395bcc2f22404770d2d7.tar.gz |
* ext/openssl/lib/ssl.rb: Enable insertion of empty fragments as a
countermeasure for the BEAST attack by default. The default options
of OpenSSL::SSL:SSLContext are now:
OpenSSL::SSL::OP_ALL & ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS
[Bug #5353] [ruby-core:39673]
* test/openssl/test_ssl.rb: Adapt tests to new SSLContext default.
* NEWS: Announce the new default.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@38433 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'test/openssl')
-rw-r--r-- | test/openssl/test_ssl.rb | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb index 98ed8ca927..bbfebce4f6 100644 --- a/test/openssl/test_ssl.rb +++ b/test/openssl/test_ssl.rb @@ -3,6 +3,11 @@ require_relative "utils" if defined?(OpenSSL) class OpenSSL::TestSSL < OpenSSL::SSLTestCase + + TLS_DEFAULT_OPS = defined?(OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS) ? + OpenSSL::SSL::OP_ALL & ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS : + OpenSSL::SSL::OP_ALL + def test_ctx_setup ctx = OpenSSL::SSL::SSLContext.new assert_equal(ctx.setup, true) @@ -257,7 +262,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase ctx = OpenSSL::SSL::SSLContext.new ctx.set_params assert_equal(OpenSSL::SSL::VERIFY_PEER, ctx.verify_mode) - assert_equal(OpenSSL::SSL::OP_ALL, ctx.options) + assert_equal(TLS_DEFAULT_OPS, ctx.options) ciphers = ctx.ciphers ciphers_versions = ciphers.collect{|_, v, _, _| v } ciphers_names = ciphers.collect{|v, _, _, _| v } @@ -398,7 +403,10 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase def test_unset_OP_ALL ctx_proc = Proc.new { |ctx| - ctx.options = OpenSSL::SSL::OP_ALL & ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS + # If OP_DONT_INSERT_EMPTY_FRAGMENTS is not defined, this test is + # redundant because the default options already are equal to OP_ALL. + # But it also degrades gracefully, so keep it + ctx.options = OpenSSL::SSL::OP_ALL } start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true, :ctx_proc => ctx_proc){|server, port| server_connect(port) { |ssl| |