mirror of
https://github.com/ruby/ruby.git
synced 2022-11-09 12:17:21 -05:00
* lib/openssl/ssl.rb: Explicitly whitelist the default SSL/TLS ciphers. Forbid SSLv2 and SSLv3, disable compression by default. Reported by Jeff Hodges. [ruby-core:59829] [Bug #9424] * test/openssl/test_ssl.rb: Reuse TLS default options from OpenSSL::SSL::SSLContext::DEFAULT_PARAMS. * ext/openssl/lib/openssl/ssl.rb (DEFAULT_PARAMS): override options even if OpenSSL::SSL::OP_NO_SSLv3 is not defined. this is pointed out by Stephen Touset. [ruby-core:65711] [Bug #9424] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_1@48098 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
This commit is contained in:
parent
3e6dbba4e2
commit
c8137d676a
4 changed files with 66 additions and 12 deletions
19
ChangeLog
19
ChangeLog
|
@ -1,3 +1,22 @@
|
||||||
|
Wed Oct 22 23:02:49 2014 CHIKANAGA Tomoyuki <nagachika@ruby-lang.org>
|
||||||
|
|
||||||
|
* ext/openssl/lib/openssl/ssl.rb (DEFAULT_PARAMS): override
|
||||||
|
options even if OpenSSL::SSL::OP_NO_SSLv3 is not defined.
|
||||||
|
this is pointed out by Stephen Touset. [ruby-core:65711] [Bug #9424]
|
||||||
|
|
||||||
|
Wed Oct 22 23:02:49 2014 Martin Bosslet <Martin.Bosslet@gmail.com>
|
||||||
|
|
||||||
|
* test/openssl/test_ssl.rb: Reuse TLS default options from
|
||||||
|
OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.
|
||||||
|
|
||||||
|
Wed Oct 22 23:02:49 2014 Martin Bosslet <Martin.Bosslet@gmail.com>
|
||||||
|
|
||||||
|
* lib/openssl/ssl.rb: Explicitly whitelist the default
|
||||||
|
SSL/TLS ciphers. Forbid SSLv2 and SSLv3, disable
|
||||||
|
compression by default.
|
||||||
|
Reported by Jeff Hodges.
|
||||||
|
[ruby-core:59829] [Bug #9424]
|
||||||
|
|
||||||
Sun Oct 19 03:22:53 2014 Kazuki Tsujimoto <kazuki@callcc.net>
|
Sun Oct 19 03:22:53 2014 Kazuki Tsujimoto <kazuki@callcc.net>
|
||||||
|
|
||||||
* vm_core.h, vm.c, proc.c: fix GC mark miss on bindings.
|
* vm_core.h, vm.c, proc.c: fix GC mark miss on bindings.
|
||||||
|
|
|
@ -23,10 +23,49 @@ module OpenSSL
|
||||||
DEFAULT_PARAMS = {
|
DEFAULT_PARAMS = {
|
||||||
:ssl_version => "SSLv23",
|
:ssl_version => "SSLv23",
|
||||||
:verify_mode => OpenSSL::SSL::VERIFY_PEER,
|
:verify_mode => OpenSSL::SSL::VERIFY_PEER,
|
||||||
:ciphers => "ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW",
|
:ciphers => %w{
|
||||||
:options => defined?(OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS) ?
|
ECDHE-ECDSA-AES128-GCM-SHA256
|
||||||
OpenSSL::SSL::OP_ALL & ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS :
|
ECDHE-RSA-AES128-GCM-SHA256
|
||||||
OpenSSL::SSL::OP_ALL,
|
ECDHE-ECDSA-AES256-GCM-SHA384
|
||||||
|
ECDHE-RSA-AES256-GCM-SHA384
|
||||||
|
DHE-RSA-AES128-GCM-SHA256
|
||||||
|
DHE-DSS-AES128-GCM-SHA256
|
||||||
|
DHE-RSA-AES256-GCM-SHA384
|
||||||
|
DHE-DSS-AES256-GCM-SHA384
|
||||||
|
ECDHE-ECDSA-AES128-SHA256
|
||||||
|
ECDHE-RSA-AES128-SHA256
|
||||||
|
ECDHE-ECDSA-AES128-SHA
|
||||||
|
ECDHE-RSA-AES128-SHA
|
||||||
|
ECDHE-ECDSA-AES256-SHA384
|
||||||
|
ECDHE-RSA-AES256-SHA384
|
||||||
|
ECDHE-ECDSA-AES256-SHA
|
||||||
|
ECDHE-RSA-AES256-SHA
|
||||||
|
DHE-RSA-AES128-SHA256
|
||||||
|
DHE-RSA-AES256-SHA256
|
||||||
|
DHE-RSA-AES128-SHA
|
||||||
|
DHE-RSA-AES256-SHA
|
||||||
|
DHE-DSS-AES128-SHA256
|
||||||
|
DHE-DSS-AES256-SHA256
|
||||||
|
DHE-DSS-AES128-SHA
|
||||||
|
DHE-DSS-AES256-SHA
|
||||||
|
AES128-GCM-SHA256
|
||||||
|
AES256-GCM-SHA384
|
||||||
|
AES128-SHA256
|
||||||
|
AES256-SHA256
|
||||||
|
AES128-SHA
|
||||||
|
AES256-SHA
|
||||||
|
ECDHE-ECDSA-RC4-SHA
|
||||||
|
ECDHE-RSA-RC4-SHA
|
||||||
|
RC4-SHA
|
||||||
|
}.join(":"),
|
||||||
|
:options => -> {
|
||||||
|
opts = OpenSSL::SSL::OP_ALL
|
||||||
|
opts &= ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS if defined?(OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS)
|
||||||
|
opts |= OpenSSL::SSL::OP_NO_COMPRESSION if defined?(OpenSSL::SSL::OP_NO_COMPRESSION)
|
||||||
|
opts |= OpenSSL::SSL::OP_NO_SSLv2 if defined?(OpenSSL::SSL::OP_NO_SSLv2)
|
||||||
|
opts |= OpenSSL::SSL::OP_NO_SSLv3 if defined?(OpenSSL::SSL::OP_NO_SSLv3)
|
||||||
|
opts
|
||||||
|
}.call
|
||||||
}
|
}
|
||||||
|
|
||||||
DEFAULT_CERT_STORE = OpenSSL::X509::Store.new
|
DEFAULT_CERT_STORE = OpenSSL::X509::Store.new
|
||||||
|
|
|
@ -4,10 +4,6 @@ if defined?(OpenSSL)
|
||||||
|
|
||||||
class OpenSSL::TestSSL < OpenSSL::SSLTestCase
|
class OpenSSL::TestSSL < OpenSSL::SSLTestCase
|
||||||
|
|
||||||
TLS_DEFAULT_OPS = defined?(OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS) ?
|
|
||||||
OpenSSL::SSL::OP_ALL & ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS :
|
|
||||||
OpenSSL::SSL::OP_ALL
|
|
||||||
|
|
||||||
def test_ctx_setup
|
def test_ctx_setup
|
||||||
ctx = OpenSSL::SSL::SSLContext.new
|
ctx = OpenSSL::SSL::SSLContext.new
|
||||||
assert_equal(ctx.setup, true)
|
assert_equal(ctx.setup, true)
|
||||||
|
@ -276,7 +272,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
|
||||||
ctx = OpenSSL::SSL::SSLContext.new
|
ctx = OpenSSL::SSL::SSLContext.new
|
||||||
ctx.set_params
|
ctx.set_params
|
||||||
assert_equal(OpenSSL::SSL::VERIFY_PEER, ctx.verify_mode)
|
assert_equal(OpenSSL::SSL::VERIFY_PEER, ctx.verify_mode)
|
||||||
assert_equal(TLS_DEFAULT_OPS, ctx.options)
|
assert_equal(OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:options], ctx.options)
|
||||||
ciphers = ctx.ciphers
|
ciphers = ctx.ciphers
|
||||||
ciphers_versions = ciphers.collect{|_, v, _, _| v }
|
ciphers_versions = ciphers.collect{|_, v, _, _| v }
|
||||||
ciphers_names = ciphers.collect{|v, _, _, _| v }
|
ciphers_names = ciphers.collect{|v, _, _, _| v }
|
||||||
|
|
|
@ -1,10 +1,10 @@
|
||||||
#define RUBY_VERSION "2.1.4"
|
#define RUBY_VERSION "2.1.4"
|
||||||
#define RUBY_RELEASE_DATE "2014-10-19"
|
#define RUBY_RELEASE_DATE "2014-10-22"
|
||||||
#define RUBY_PATCHLEVEL 261
|
#define RUBY_PATCHLEVEL 262
|
||||||
|
|
||||||
#define RUBY_RELEASE_YEAR 2014
|
#define RUBY_RELEASE_YEAR 2014
|
||||||
#define RUBY_RELEASE_MONTH 10
|
#define RUBY_RELEASE_MONTH 10
|
||||||
#define RUBY_RELEASE_DAY 19
|
#define RUBY_RELEASE_DAY 22
|
||||||
|
|
||||||
#include "ruby/version.h"
|
#include "ruby/version.h"
|
||||||
|
|
||||||
|
|
Loading…
Add table
Add a link
Reference in a new issue