Commit Graph

27 Commits

Author SHA1 Message Date
Karol Bucek dbf450bdd2
[jruby] allow truststore without password (#2904) 2022-08-27 15:18:24 -05:00
Karol Bucek e9f09ba1fe
[jruby] support setting TLS protocols + rename ssl_cipher_list (#2899)
* [jruby] support setting TLS protocols + rename ssl_cipher_list

follow Java naming as we already do with keystore/truststore ...

Context now does the string split and accepts an Array

* [test] cipher_suites and protocols behavior

* [jruby] support new TLS settings in DSL
2022-07-04 09:16:31 -05:00
Karol Bucek dfe46adc3e
[fix] TLS verification hang on JRuby (#2890)
* [fix] jruby hang with TLS due not executing task

basically the use of the Java SSL API was incorrect and it reproduced when verification is enabled - the engine needs to execute a task but the handling code was not reached

* Revert "[fix] jruby hang with TLS due not executing task"

This reverts commit d1731a5607.

* [chore] re-generate certs with a subjectAltName ext

* [test] more ssl test with server verify peer

* [test] a proper reproducer for the TLS hang in JRuby

* [test] cleanup and better naming

* Revert "[chore] re-generate certs with a subjectAltName ext"

This reverts commit a1b01a187e.

* Revert "Revert "[fix] jruby hang with TLS due not executing task""

This reverts commit 3c5727f9e3.

* [test] restore ssl run - hangs with peer on MRI
2022-05-31 19:30:17 -05:00
Karol Bucek acfc0859c4
[jruby] enable TLSv1.3 support (#2886)
* [jruby] enable TLSv1.3 support

* JRuby - TestPumaServerSSLClient - add IOError for macOS
2022-05-30 18:36:37 -05:00
Karol Bucek aa2132695b
[jruby] improve the truststore option (#2884)
* [jruby] refactor - only keep peer cert around

* [jruby] make miss an error not to be caught!

* [test] follow-up proper testing of GH-2849

* [jruby] support truststore = :default

* [jruby] sync dsl/context-builder with new props
2022-05-30 10:23:39 -05:00
Karol Bucek ceb4c56ad4
[jruby] support a truststore option (#2849)
* [jruby] support a truststore option

which might be a completely different file than keystore ...

due to backwards compatibility we assume `truststore = keystore`
(`truststore_pass = keystore_pass`)

* [jruby] actually use truststore on initialize

* [jruby] add keystore_type and truststore_type

* [jruby] dry and simplify native bits

* [jruby] setup SSLError in native (like C part)

* [jruby] map to SSLError from native exception

* [jruby] provide peercert even if hand-shake fails
2022-04-09 08:58:51 -06:00
Karol Bucek 66962e4c18
[jruby] a couple refactorings - avoid copy-ing bytes (#2730)
* [jruby][refactor] avoid byte[] copy-ing

* [jruby][refactor] proper ASCII string creation

* [jruby][refactor] drop unused KeyStore instances

* [jruby][refactor] review exception handling (catch less)

* [jruby][refactor] no need to copy local byte[] array
2021-11-01 15:23:37 -06:00
Nate Berkopec f5378563d8
Merge branch 'jwp/fileleak1' of https://github.com/looker/puma into looker-jwp/fileleak1 2020-09-08 13:57:30 -06:00
MSP-Greg fa6e916fc0
JRuby - Add Puma::MiniSSL::Engine#init? and #teardown methods, run all SSL tests (#2317)
Update MiniSSL.java and minissl.rb for JRuby

Add Puma::MiniSSL::Engine#init? and #teardown methods
2020-09-01 17:00:36 -05:00
John W. Phillips f639b96597 Move initialization of KeyManagerFactory, TrustManagerFactory to server
initialization.  This avoids reading the keystore file twice on every
ssl request, and also fixes a filehandle leak from reading the keystore
file without closing it properly.
2020-07-01 16:32:58 +00:00
Mike Aleksiuk 32ac93ab65 Unskip two jruby ssl tests that were hanging.
1. Fix the conversion of a nil verify_mode to integer (was throwing 'no
implicit conversion of nil into Integer')
2. Use the correct keystore password.
3. Use cipher suites that are supported in Java 8.
2020-06-06 15:27:38 -07:00
MSP-Greg 35dbec0eaa add no_tlsv1_1 to binder, config, etc 2019-08-03 14:56:30 -05:00
Thomas E. Enebo 9b029362cd Fixes #1772. Explicit cast to Buffer to make Java 8 still find proper signature (when compiled with 9+ and specify Java 8 compat level) 2019-04-13 20:58:49 -05:00
Marek Skrobacki e142b9f043 add support for disabling TLSv1.0
Many organizations run their applications in environments that fall into the
scope of PCI-DSS compliance audits. One of the requirements set out by the standard
is to migrate to more secure protocols if possible.

The PCI Security Standards Council has advised migrating away from TLSv1.0 over the
last few years and recently set a migration deadline of 30 June 2018 (see [1]
for more details).

The change proposed in this commit gives the user an option to disable `TLSv1.0` during
bind, while still leaving `TLSv1.1` and `TLSv1.2` enabled. `SSLv2` and
`SSLv3` are permanently disabled (as they should be).

Default behaviour is not changed if the `no_tls` option is not defined.

[1]: https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls
2018-05-11 13:12:14 +01:00
284km c2f6803d00 Add support for specifying ssl ciphers via :binds parameters 2017-11-29 22:45:51 +00:00
David Arnold ad27aa82bb Handle unauthenticated case 2017-03-20 19:19:29 -04:00
David Arnold 485bc9b81f Replace stub method with working implementation 2017-03-20 18:57:49 -04:00
joe miller 4ae0de4f4c support TLS client auth (verify_mode) in jruby
Adds support for `verify_mode` to configure client authentication when running under JRuby.

Things to note:

- Assumes the CA used to verify client certs is in the same java
  keystore file that is used when setting up the HTTPS TLS listener. We
  could split this out, but not sure if it's necessary.
- Friendly/helpful error messages explaining why the verification failed
  are not present in the same way they are in the CRuby/OpenSSL code
  path. I'm not sure how to make them available.
- I did not include any code to create the `keystore.jks` file in the
  `examples/puma/client-certs` directory because I didn't see any
  existing code to create the `examples/puma/keystore.jks` file. The
  commands to create this keystore would be:

```sh
cd examples/puma/client-certs
# Bundle the server key and cert (with the CA chain) into a PKCS#12 file
openssl pkcs12 -chain -CAfile ./ca.crt -export -password pass:blahblah -inkey server.key -in server.crt -name server -out server.p12
# Convert the PKCS#12 bundle into a JKS keystore that Java SSL can load
keytool -importkeystore -srckeystore server.p12 -srcstoretype pkcs12 -srcstorepass blahblah -destkeystore keystore.jks -deststoretype JKS -storepass blahblah
# Add the CA cert as a trusted entry so client certs it signed can be verified
keytool -importcert -alias ca -noprompt -trustcacerts -file ca.crt -keystore keystore.jks -storepass blahblah
```
2015-11-28 18:17:01 -08:00
Daniel Marcotte 95a0645443 Eliminate logging overhead from JRuby SSL
Previously, even when not debugging, we were doing work to compose the
log messages.  Delete these diagnostic messages to keep things as fast
and lean as possible.
2015-08-12 14:21:11 -07:00
Evan Phoenix 2348285fcb Stub out peercert on JRuby for now. Fixes #739 2015-07-17 11:48:47 -07:00
Daniel Marcotte abcce826d1 Remove `enable_SSLv3` support from JRuby
The C implementation has not supported SSLv3 at all since #591, and
SSLv3 is disabled by default in java now
(http://www.oracle.com/technetwork/java/javase/documentation/cve-2014-3566-2342133.html)
so we can drop support from JRuby.
2015-05-01 16:49:48 -07:00
Daniel Marcotte 6995981303 Fix hang on bad SSL handshake
Both the C and JRuby SSL implementations would hang on a bad handshake
because they were not producing the EOF expected in that case.
Update their error handling to behave correctly here (note:
`test_ssl_v3_rejection` covers this).
2015-05-01 16:39:22 -07:00
Daniel Marcotte 8eee16d445 JRuby SSL POODLE update
Default SSLv3 to disabled in response to the POODLE vulnerability.
2014-10-15 20:04:58 -07:00
Daniel Marcotte c54807700c Add SSL support for JRuby
- Implement MiniSSL for JRuby

- Modify `Binder` and `MiniSSL::Context` to accommodate the fact
that Java SSL demands a java keystore rather than a key/cert pair

- Change the MiniSSL native extension interface to take a
`MiniSSL::Context` rather than a key/cert pair so that each extension
can grab keys off the context as appropriate
2014-05-05 14:30:15 -07:00
Evan Phoenix 7adcb771a5 More work on the Java version, not working 2012-08-26 13:55:36 -07:00
Jingwen Owen Ou 6a5b30ea30 Move singleton method to MiniSSL.java 2012-08-23 20:06:18 -07:00
Evan Phoenix e191003fc4 Start java version of MiniSSL 2012-08-23 16:56:37 -07:00