mirror of
https://github.com/ruby/ruby.git
synced 2022-11-09 12:17:21 -05:00
* ext/openssl/lib/openssl/ssl.rb (module OpenSSL): raise a more
helpful exception when verifying the peer connection and an anonymous cipher has been selected. [ruby-core:68330] [Bug #10910] Thanks to Chris Sinjakli <chris@sinjakli.co.uk> for the patch. * test/openssl/test_ssl.rb (class OpenSSL): test for change git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51409 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
This commit is contained in:
parent
6d98fba257
commit
dc9ca079bb
4 changed files with 41 additions and 0 deletions
|
@ -1,3 +1,12 @@
|
|||
Tue Jul 28 03:26:15 2015 Aaron Patterson <tenderlove@ruby-lang.org>
|
||||
|
||||
* ext/openssl/lib/openssl/ssl.rb (module OpenSSL): raise a more
|
||||
helpful exception when verifying the peer connection and an
|
||||
anonymous cipher has been selected. [ruby-core:68330] [Bug #10910]
|
||||
Thanks to Chris Sinjakli <chris@sinjakli.co.uk> for the patch.
|
||||
|
||||
* test/openssl/test_ssl.rb (class OpenSSL): test for change
|
||||
|
||||
Mon Jul 27 13:24:11 2015 Koichi Sasada <ko1@atdot.net>
|
||||
|
||||
* template/id.h.tmpl (ID2ATTRSET): remove an unused macro.
|
||||
|
|
|
@ -252,6 +252,14 @@ module OpenSSL
|
|||
# This method MUST be called after calling #connect to ensure that the
|
||||
# hostname of a remote peer has been verified.
|
||||
def post_connection_check(hostname)
|
||||
if peer_cert.nil?
|
||||
msg = "Peer verification enabled, but no certificate received."
|
||||
if using_anon_cipher?
|
||||
msg += " Anonymous cipher suite #{cipher[0]} was negotiated. Anonymous suites must be disabled to use peer verification."
|
||||
end
|
||||
raise SSLError, msg
|
||||
end
|
||||
|
||||
unless OpenSSL::SSL.verify_certificate_identity(peer_cert, hostname)
|
||||
raise SSLError, "hostname \"#{hostname}\" does not match the server certificate"
|
||||
end
|
||||
|
@ -263,6 +271,14 @@ module OpenSSL
|
|||
rescue SSL::Session::SessionError
|
||||
nil
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
def using_anon_cipher?
|
||||
ctx = OpenSSL::SSL::SSLContext.new
|
||||
ctx.ciphers = "aNULL"
|
||||
ctx.ciphers.include?(cipher)
|
||||
end
|
||||
end
|
||||
|
||||
##
|
||||
|
|
|
@ -365,6 +365,20 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
|
|||
}
|
||||
end
|
||||
|
||||
def test_post_connect_check_with_anon_ciphers
|
||||
sslerr = OpenSSL::SSL::SSLError
|
||||
|
||||
start_server(OpenSSL::SSL::VERIFY_NONE, true, {use_anon_cipher: true}){|server, port|
|
||||
ctx = OpenSSL::SSL::SSLContext.new
|
||||
ctx.ciphers = "aNULL"
|
||||
server_connect(port, ctx) { |ssl|
|
||||
msg = "Peer verification enabled, but no certificate received. Anonymous cipher suite " \
|
||||
"ADH-AES256-GCM-SHA384 was negotiated. Anonymous suites must be disabled to use peer verification."
|
||||
assert_raise_with_message(sslerr,msg){ssl.post_connection_check("localhost.localdomain")}
|
||||
}
|
||||
}
|
||||
end
|
||||
|
||||
def test_post_connection_check
|
||||
sslerr = OpenSSL::SSL::SSLError
|
||||
|
||||
|
|
|
@ -270,12 +270,14 @@ AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC
|
|||
ctx_proc = args[:ctx_proc]
|
||||
server_proc = args[:server_proc]
|
||||
ignore_listener_error = args.fetch(:ignore_listener_error, false)
|
||||
use_anon_cipher = args.fetch(:use_anon_cipher, false)
|
||||
server_proc ||= method(:readwrite_loop)
|
||||
|
||||
store = OpenSSL::X509::Store.new
|
||||
store.add_cert(@ca_cert)
|
||||
store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
|
||||
ctx = OpenSSL::SSL::SSLContext.new
|
||||
ctx.ciphers = "ADH-AES256-GCM-SHA384" if use_anon_cipher
|
||||
ctx.cert_store = store
|
||||
#ctx.extra_chain_cert = [ ca_cert ]
|
||||
ctx.cert = @svr_cert
|
||||
|
|
Loading…
Reference in a new issue