mirror of
https://github.com/puma/puma.git
synced 2022-11-09 13:48:40 -05:00
Updates for OpenSSL 3 (#2800)
This commit is contained in:
MSP-Greg
GitHub
parent
ca2128f179
commit
aa732fda73
2 changed files with 22 additions and 5 deletions
|
|
@ -33,11 +33,14 @@ unless ENV["DISABLE_SSL"]
|
|||
have_func "SSL_CTX_set_min_proto_version(NULL, 0)", "openssl/ssl.h"
|
||||
|
||||
have_func "X509_STORE_up_ref"
|
||||
have_func("SSL_CTX_set_ecdh_auto(NULL, 0)", "openssl/ssl.h")
|
||||
have_func "SSL_CTX_set_ecdh_auto(NULL, 0)" , "openssl/ssl.h"
|
||||
|
||||
# below are yes for 3.0.0 & later, use for OpenSSL 3 detection
|
||||
have_func "SSL_get1_peer_certificate" , "openssl/ssl.h"
|
||||
|
||||
# Random.bytes available in Ruby 2.5 and later, Random::DEFAULT deprecated in 3.0
|
||||
if Random.respond_to?(:bytes)
|
||||
$defs.push("-DHAVE_RANDOM_BYTES")
|
||||
$defs.push "-DHAVE_RANDOM_BYTES"
|
||||
puts "checking for Random.bytes... yes"
|
||||
else
|
||||
puts "checking for Random.bytes... no"
|
||||
|
|
|
|||
|
|
@ -49,6 +49,7 @@ const rb_data_type_t engine_data_type = {
|
|||
0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
|
||||
};
|
||||
|
||||
#ifndef HAVE_SSL_GET1_PEER_CERTIFICATE
|
||||
DH *get_dh2048() {
|
||||
/* `openssl dhparam -C 2048`
|
||||
* -----BEGIN DH PARAMETERS-----
|
||||
|
|
@ -119,6 +120,7 @@ DH *get_dh2048() {
|
|||
|
||||
return dh;
|
||||
}
|
||||
#endif
|
||||
|
||||
static void
|
||||
sslctx_free(void *ptr) {
|
||||
|
|
@ -209,7 +211,9 @@ sslctx_initialize(VALUE self, VALUE mini_ssl_ctx) {
|
|||
int ssl_options;
|
||||
VALUE key, cert, ca, verify_mode, ssl_cipher_filter, no_tlsv1, no_tlsv1_1,
|
||||
verification_flags, session_id_bytes, cert_pem, key_pem;
|
||||
#ifndef HAVE_SSL_GET1_PEER_CERTIFICATE
|
||||
DH *dh;
|
||||
#endif
|
||||
BIO *bio;
|
||||
X509 *x509;
|
||||
EVP_PKEY *pkey;
|
||||
|
|
@ -317,9 +321,6 @@ sslctx_initialize(VALUE self, VALUE mini_ssl_ctx) {
|
|||
SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL@STRENGTH");
|
||||
}
|
||||
|
||||
dh = get_dh2048();
|
||||
SSL_CTX_set_tmp_dh(ctx, dh);
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER < 0x10002000L
|
||||
// Remove this case if OpenSSL 1.0.1 (now EOL) support is no
|
||||
// longer needed.
|
||||
|
|
@ -353,6 +354,15 @@ sslctx_initialize(VALUE self, VALUE mini_ssl_ctx) {
|
|||
SSL_MAX_SSL_SESSION_ID_LENGTH);
|
||||
|
||||
// printf("\ninitialize end security_level %d\n", SSL_CTX_get_security_level(ctx));
|
||||
|
||||
#ifdef HAVE_SSL_GET1_PEER_CERTIFICATE
|
||||
// https://www.openssl.org/docs/man3.0/man3/SSL_CTX_set_dh_auto.html
|
||||
SSL_CTX_set_dh_auto(ctx, 1);
|
||||
#else
|
||||
dh = get_dh2048();
|
||||
SSL_CTX_set_tmp_dh(ctx, dh);
|
||||
#endif
|
||||
|
||||
rb_obj_freeze(self);
|
||||
return self;
|
||||
}
|
||||
|
|
@ -551,7 +561,11 @@ VALUE engine_peercert(VALUE self) {
|
|||
|
||||
TypedData_Get_Struct(self, ms_conn, &engine_data_type, conn);
|
||||
|
||||
#ifdef HAVE_SSL_GET1_PEER_CERTIFICATE
|
||||
cert = SSL_get1_peer_certificate(conn->ssl);
|
||||
#else
|
||||
cert = SSL_get_peer_certificate(conn->ssl);
|
||||
#endif
|
||||
if(!cert) {
|
||||
/*
|
||||
* See if there was a failed certificate associated with this client.
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue