JRuby SSL POODLE update

Default SSLv3 to disabled in response to the POODLE vulnerability.

ext/puma_http11/org/jruby/puma/MiniSSL.java

@@ -1,6 +1,7 @@
 package org.jruby.puma;
 
 import org.jruby.Ruby;
+import org.jruby.RubyBoolean;
 import org.jruby.RubyClass;
 import org.jruby.RubyModule;
 import org.jruby.RubyObject;
@@ -151,6 +152,15 @@ public class MiniSSL extends RubyObject {
 
     sslCtx.init(kmf.getKeyManagers(), null, null);
     engine = sslCtx.createSSLEngine();
+
+    IRubyObject enableSSLv3 = miniSSLContext.callMethod(threadContext, "enable_SSLv3");
+    String[] protocols;
+    if (enableSSLv3 instanceof RubyBoolean && enableSSLv3.isTrue()) {
+      protocols = new String[] { "SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2" };
+    } else {
+      protocols = new String[] { "TLSv1", "TLSv1.1", "TLSv1.2" };
+    }
+    engine.setEnabledProtocols(protocols);
     engine.setUseClientMode(false);
 
     SSLSession session = engine.getSession();

lib/puma/minissl.rb

@@ -95,6 +95,11 @@ module Puma
         # jruby-specific Context properties: java uses a keystore and password pair rather than a cert/key pair
         attr_reader :keystore
         attr_accessor :keystore_pass
+        attr_accessor :enable_SSLv3
+
+        def initialize
+          @enable_SSLv3 = false
+        end
 
         def keystore=(keystore)
           raise ArgumentError, "No such keystore file '#{keystore}'" unless File.exist? keystore

test/test_puma_server_ssl.rb

@@ -16,21 +16,21 @@ class TestPumaServerSSL < Test::Unit::TestCase
 
     @app = lambda { |env| [200, {}, [env['rack.url_scheme']]] }
 
-    ctx = Puma::MiniSSL::Context.new
+    @ctx = Puma::MiniSSL::Context.new
 
     if defined?(JRUBY_VERSION)
-      ctx.keystore =  File.expand_path "../../examples/puma/keystore.jks", __FILE__
-      ctx.keystore_pass = 'blahblah'
+      @ctx.keystore =  File.expand_path "../../examples/puma/keystore.jks", __FILE__
+      @ctx.keystore_pass = 'blahblah'
     else
-      ctx.key =  File.expand_path "../../examples/puma/puma_keypair.pem", __FILE__
-      ctx.cert = File.expand_path "../../examples/puma/cert_puma.pem", __FILE__
+      @ctx.key =  File.expand_path "../../examples/puma/puma_keypair.pem", __FILE__
+      @ctx.cert = File.expand_path "../../examples/puma/cert_puma.pem", __FILE__
     end
 
-    ctx.verify_mode = Puma::MiniSSL::VERIFY_NONE
+    @ctx.verify_mode = Puma::MiniSSL::VERIFY_NONE
 
     @events = Puma::Events.new STDOUT, STDERR
     @server = Puma::Server.new @app, @events
-    @server.add_ssl_listener @host, @port, ctx
+    @server.add_ssl_listener @host, @port, @ctx
     @server.run
 
     @http = Net::HTTP.new @host, @port
@@ -88,4 +88,50 @@ class TestPumaServerSSL < Test::Unit::TestCase
     assert_equal "https", body
   end
 
+  if defined?(JRUBY_VERSION)
+    def test_ssl_v3_support_disabled_by_default
+      @http.ssl_version='SSLv3'
+      assert_raises(OpenSSL::SSL::SSLError) do
+        @http.start do
+          Net::HTTP::Get.new '/'
+        end
+      end
+    end
+
+    def test_enabling_ssl_v3_support
+      @server.stop(true)
+      @ctx.enable_SSLv3 = true
+      @server = Puma::Server.new @app, @events
+      @server.add_ssl_listener @host, @port, @ctx
+      @server.run
+      @http.ssl_version='SSLv3'
+
+      body = nil
+      @http.start do
+        req = Net::HTTP::Get.new "/", {}
+
+        @http.request(req) do |rep|
+          body = rep.body
+        end
+      end
+
+      assert_equal "https", body
+    end
+
+    def test_enabling_ssl_v3_support_requires_true
+      @server.stop(true)
+      @ctx.enable_SSLv3 = "truthy but not true"
+      @server = Puma::Server.new @app, @events
+      @server.add_ssl_listener @host, @port, @ctx
+      @server.run
+      @http.ssl_version='SSLv3'
+
+      assert_raises(OpenSSL::SSL::SSLError) do
+        @http.start do
+          Net::HTTP::Get.new '/'
+        end
+      end
+    end
+  end
+
 end