1
0
Fork 0
mirror of https://github.com/ruby/ruby.git synced 2022-11-09 12:17:21 -05:00

* ext/openssl/lib/openssl/ssl.rb (module OpenSSL): raise a more

helpful exception when verifying the peer connection and an
  anonymous cipher has been selected. [ruby-core:68330] [Bug #10910]
  Thanks to Chris Sinjakli <chris@sinjakli.co.uk> for the patch.

* test/openssl/test_ssl.rb (class OpenSSL): test for change

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51409 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
This commit is contained in:
tenderlove 2015-07-27 18:29:17 +00:00
parent 6d98fba257
commit dc9ca079bb
4 changed files with 41 additions and 0 deletions

View file

@ -1,3 +1,12 @@
Tue Jul 28 03:26:15 2015 Aaron Patterson <tenderlove@ruby-lang.org>
* ext/openssl/lib/openssl/ssl.rb (module OpenSSL): raise a more
helpful exception when verifying the peer connection and an
anonymous cipher has been selected. [ruby-core:68330] [Bug #10910]
Thanks to Chris Sinjakli <chris@sinjakli.co.uk> for the patch.
* test/openssl/test_ssl.rb (class OpenSSL): test for change
Mon Jul 27 13:24:11 2015 Koichi Sasada <ko1@atdot.net>
* template/id.h.tmpl (ID2ATTRSET): remove an unused macro.

View file

@ -252,6 +252,14 @@ module OpenSSL
# This method MUST be called after calling #connect to ensure that the
# hostname of a remote peer has been verified.
def post_connection_check(hostname)
if peer_cert.nil?
msg = "Peer verification enabled, but no certificate received."
if using_anon_cipher?
msg += " Anonymous cipher suite #{cipher[0]} was negotiated. Anonymous suites must be disabled to use peer verification."
end
raise SSLError, msg
end
unless OpenSSL::SSL.verify_certificate_identity(peer_cert, hostname)
raise SSLError, "hostname \"#{hostname}\" does not match the server certificate"
end
@ -263,6 +271,14 @@ module OpenSSL
rescue SSL::Session::SessionError
nil
end
private
def using_anon_cipher?
ctx = OpenSSL::SSL::SSLContext.new
ctx.ciphers = "aNULL"
ctx.ciphers.include?(cipher)
end
end
##

View file

@ -365,6 +365,20 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
}
end
def test_post_connect_check_with_anon_ciphers
sslerr = OpenSSL::SSL::SSLError
start_server(OpenSSL::SSL::VERIFY_NONE, true, {use_anon_cipher: true}){|server, port|
ctx = OpenSSL::SSL::SSLContext.new
ctx.ciphers = "aNULL"
server_connect(port, ctx) { |ssl|
msg = "Peer verification enabled, but no certificate received. Anonymous cipher suite " \
"ADH-AES256-GCM-SHA384 was negotiated. Anonymous suites must be disabled to use peer verification."
assert_raise_with_message(sslerr,msg){ssl.post_connection_check("localhost.localdomain")}
}
}
end
def test_post_connection_check
sslerr = OpenSSL::SSL::SSLError

View file

@ -270,12 +270,14 @@ AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC
ctx_proc = args[:ctx_proc]
server_proc = args[:server_proc]
ignore_listener_error = args.fetch(:ignore_listener_error, false)
use_anon_cipher = args.fetch(:use_anon_cipher, false)
server_proc ||= method(:readwrite_loop)
store = OpenSSL::X509::Store.new
store.add_cert(@ca_cert)
store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
ctx = OpenSSL::SSL::SSLContext.new
ctx.ciphers = "ADH-AES256-GCM-SHA384" if use_anon_cipher
ctx.cert_store = store
#ctx.extra_chain_cert = [ ca_cert ]
ctx.cert = @svr_cert