1berry/ruby
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

[ruby/openssl] ssl: do not enable OpenSSL::SSL::OP_ALL by default

Browse Source 
Respect the SSL options set by default by SSL_CTX() and by the
system-wide OpenSSL configuration file.

OpenSSL::SSL::SSLContext#initialize currently adds OpenSSL::SSL::OP_ALL
on top of the default SSL options. Let's stop doing it.

OpenSSL::SSL::OP_ALL is a set of options that changes OpenSSL's behavior
to workaround various TLS implementation bugs. Using it is considered
usually safe, but is not completely harmless.

https://github.com/ruby/openssl/commit/00bec0d905
This commit is contained in:
Kazuki Yamaguchi 2024-06-12 02:29:46 +09:00 committed by git
parent 33196b7ab0
commit 510c190739
2 changed files with 30 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
ext/openssl/lib/openssl/ssl.rb
View File

@ -125,7 +125,6 @@ ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
# that this form is deprecated. New applications should use #min_version= # that this form is deprecated. New applications should use #min_version=
# and #max_version= as necessary. # and #max_version= as necessary.
def initialize(version = nil) def initialize(version = nil)
self.options |= OpenSSL::SSL::OP_ALL
self.ssl_version = version if version self.ssl_version = version if version
self.verify_mode = OpenSSL::SSL::VERIFY_NONE self.verify_mode = OpenSSL::SSL::VERIFY_NONE
self.verify_hostname = false self.verify_hostname = false

32
test/openssl/test_ssl.rb
View File

@ -15,11 +15,16 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
end end
end end
def test_ctx_setup
ctx = OpenSSL::SSL::SSLContext.new
assert_equal true, ctx.setup
assert_predicate ctx, :frozen?
assert_equal nil, ctx.setup
end
def test_ctx_options def test_ctx_options
ctx = OpenSSL::SSL::SSLContext.new ctx = OpenSSL::SSL::SSLContext.new
assert (OpenSSL::SSL::OP_ALL & ctx.options) == OpenSSL::SSL::OP_ALL,
"OP_ALL is set by default"
ctx.options = 4 ctx.options = 4
assert_equal 4, ctx.options & 4 assert_equal 4, ctx.options & 4
if ctx.options != 4 if ctx.options != 4
@ -33,6 +38,29 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
assert_equal nil, ctx.setup assert_equal nil, ctx.setup
end end
def test_ctx_options_config
omit "LibreSSL does not support OPENSSL_CONF" if libressl?
omit "OpenSSL < 1.1.1 does not support system_default" if openssl? && !openssl?(1, 1, 1)
Tempfile.create("openssl.cnf") { |f|
f.puts(<<~EOF)
openssl_conf = default_conf
[default_conf]
ssl_conf = ssl_sect
[ssl_sect]
system_default = ssl_default_sect
[ssl_default_sect]
Options = -SessionTicket
EOF
f.close
assert_separately([{ "OPENSSL_CONF" => f.path }, "-ropenssl"], <<~"end;")
ctx = OpenSSL::SSL::SSLContext.new
assert_equal OpenSSL::SSL::OP_NO_TICKET, ctx.options & OpenSSL::SSL::OP_NO_TICKET
end;
}
end
def test_ssl_with_server_cert def test_ssl_with_server_cert
ctx_proc = -> ctx { ctx_proc = -> ctx {
ctx.cert = @svr_cert ctx.cert = @svr_cert