Updates for OpenSSL 3 (#2800)

2022-11-09 13:48:40 -05:00 · 2022-01-22 09:05:41 -06:00 · 2022-01-22 09:05:41 -06:00 · aa732fda73
commit aa732fda73
parent ca2128f179
2 changed files with 22 additions and 5 deletions
--- a/ext/puma_http11/extconf.rb
+++ b/ext/puma_http11/extconf.rb
@ -33,11 +33,14 @@ unless ENV["DISABLE_SSL"]
    have_func  "SSL_CTX_set_min_proto_version(NULL, 0)", "openssl/ssl.h"

    have_func  "X509_STORE_up_ref"
-    have_func("SSL_CTX_set_ecdh_auto(NULL, 0)", "openssl/ssl.h")
+    have_func "SSL_CTX_set_ecdh_auto(NULL, 0)"         , "openssl/ssl.h"
+
+    # below are yes for 3.0.0 & later, use for OpenSSL 3 detection
+    have_func "SSL_get1_peer_certificate"              , "openssl/ssl.h"

    # Random.bytes available in Ruby 2.5 and later, Random::DEFAULT deprecated in 3.0
    if Random.respond_to?(:bytes)
-      $defs.push("-DHAVE_RANDOM_BYTES")
+      $defs.push "-DHAVE_RANDOM_BYTES"
      puts "checking for Random.bytes... yes"
    else
      puts "checking for Random.bytes... no"
--- a/ext/puma_http11/mini_ssl.c
+++ b/ext/puma_http11/mini_ssl.c
@ -49,6 +49,7 @@ const rb_data_type_t engine_data_type = {
    0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
 };

+#ifndef HAVE_SSL_GET1_PEER_CERTIFICATE
 DH *get_dh2048() {
  /* `openssl dhparam -C 2048`
   * -----BEGIN DH PARAMETERS-----
@ -119,6 +120,7 @@ DH *get_dh2048() {

  return dh;
 }
+#endif

 static void
 sslctx_free(void *ptr) {
@ -209,7 +211,9 @@ sslctx_initialize(VALUE self, VALUE mini_ssl_ctx) {
  int ssl_options;
  VALUE key, cert, ca, verify_mode, ssl_cipher_filter, no_tlsv1, no_tlsv1_1,
    verification_flags, session_id_bytes, cert_pem, key_pem;
+#ifndef HAVE_SSL_GET1_PEER_CERTIFICATE
  DH *dh;
+#endif
  BIO *bio;
  X509 *x509;
  EVP_PKEY *pkey;
@ -317,9 +321,6 @@ sslctx_initialize(VALUE self, VALUE mini_ssl_ctx) {
    SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL@STRENGTH");
  }

-  dh = get_dh2048();
-  SSL_CTX_set_tmp_dh(ctx, dh);
-
 #if OPENSSL_VERSION_NUMBER < 0x10002000L
  // Remove this case if OpenSSL 1.0.1 (now EOL) support is no
  // longer needed.
@ -353,6 +354,15 @@ sslctx_initialize(VALUE self, VALUE mini_ssl_ctx) {
                                 SSL_MAX_SSL_SESSION_ID_LENGTH);

  // printf("\ninitialize end security_level %d\n", SSL_CTX_get_security_level(ctx));
+
+#ifdef HAVE_SSL_GET1_PEER_CERTIFICATE
+  // https://www.openssl.org/docs/man3.0/man3/SSL_CTX_set_dh_auto.html
+  SSL_CTX_set_dh_auto(ctx, 1);
+#else
+  dh = get_dh2048();
+  SSL_CTX_set_tmp_dh(ctx, dh);
+#endif
+
  rb_obj_freeze(self);
  return self;
 }
@ -551,7 +561,11 @@ VALUE engine_peercert(VALUE self) {

  TypedData_Get_Struct(self, ms_conn, &engine_data_type, conn);

+#ifdef HAVE_SSL_GET1_PEER_CERTIFICATE
+  cert = SSL_get1_peer_certificate(conn->ssl);
+#else
  cert = SSL_get_peer_certificate(conn->ssl);
+#endif
  if(!cert) {
    /*
     * See if there was a failed certificate associated with this client.