[ruby/openssl] ssl: do not enable OpenSSL::SSL::OP_ALL by default

Respect the SSL options set by default by SSL_CTX() and by the system-wide OpenSSL configuration file. OpenSSL::SSL::SSLContext#initialize currently adds OpenSSL::SSL::OP_ALL on top of the default SSL options. Let's stop doing it. OpenSSL::SSL::OP_ALL is a set of options that changes OpenSSL's behavior to workaround various TLS implementation bugs. Using it is considered usually safe, but is not completely harmless. https://github.com/ruby/openssl/commit/00bec0d905
2024-06-12 02:29:46 +09:00 · 2024-06-12 02:29:46 +09:00 · 510c190739
commit 510c190739
parent 33196b7ab0
2 changed files with 30 additions and 3 deletions
--- a/ext/openssl/lib/openssl/ssl.rb
+++ b/ext/openssl/lib/openssl/ssl.rb
@ -125,7 +125,6 @@ ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
      # that this form is deprecated. New applications should use #min_version=
      # and #max_version= as necessary.
      def initialize(version = nil)
-        self.options |= OpenSSL::SSL::OP_ALL
        self.ssl_version = version if version
        self.verify_mode = OpenSSL::SSL::VERIFY_NONE
        self.verify_hostname = false
--- a/test/openssl/test_ssl.rb
+++ b/test/openssl/test_ssl.rb
@ -15,11 +15,16 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
    end
  end

+  def test_ctx_setup
+    ctx = OpenSSL::SSL::SSLContext.new
+    assert_equal true, ctx.setup
+    assert_predicate ctx, :frozen?
+    assert_equal nil, ctx.setup
+  end
+
  def test_ctx_options
    ctx = OpenSSL::SSL::SSLContext.new

-    assert (OpenSSL::SSL::OP_ALL & ctx.options) == OpenSSL::SSL::OP_ALL,
-           "OP_ALL is set by default"
    ctx.options = 4
    assert_equal 4, ctx.options & 4
    if ctx.options != 4
@ -33,6 +38,29 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
    assert_equal nil, ctx.setup
  end

+  def test_ctx_options_config
+    omit "LibreSSL does not support OPENSSL_CONF" if libressl?
+    omit "OpenSSL < 1.1.1 does not support system_default" if openssl? && !openssl?(1, 1, 1)
+
+    Tempfile.create("openssl.cnf") { |f|
+      f.puts(<<~EOF)
+        openssl_conf = default_conf
+        [default_conf]
+        ssl_conf = ssl_sect
+        [ssl_sect]
+        system_default = ssl_default_sect
+        [ssl_default_sect]
+        Options = -SessionTicket
+      EOF
+      f.close
+
+      assert_separately([{ "OPENSSL_CONF" => f.path }, "-ropenssl"], <<~"end;")
+        ctx = OpenSSL::SSL::SSLContext.new
+        assert_equal OpenSSL::SSL::OP_NO_TICKET, ctx.options & OpenSSL::SSL::OP_NO_TICKET
+      end;
+    }
+  end
+
  def test_ssl_with_server_cert
    ctx_proc = -> ctx {
      ctx.cert = @svr_cert