* ext/openssl/lib/openssl/ssl.rb (module OpenSSL): raise a more
helpful exception when verifying the peer connection and an anonymous cipher has been selected. [ruby-core:68330] [Bug #10910] Thanks to Chris Sinjakli <chris@sinjakli.co.uk> for the patch. * test/openssl/test_ssl.rb (class OpenSSL): test for change git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51409 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
This commit is contained in:
parent
6d98fba257
commit
dc9ca079bb
4 changed files with 41 additions and 0 deletions
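--- a/<changelog file, path not shown on page>
+++ b/<changelog file, path not shown on page>
@@ -1,3 +1,12 @@
+Tue Jul 28 03:26:15 2015 Aaron Patterson <tenderlove@ruby-lang.org>
+
+  * ext/openssl/lib/openssl/ssl.rb (module OpenSSL): raise a more
+    helpful exception when verifying the peer connection and an
+    anonymous cipher has been selected. [ruby-core:68330] [Bug #10910]
+    Thanks to Chris Sinjakli <chris@sinjakli.co.uk> for the patch.
+
+  * test/openssl/test_ssl.rb (class OpenSSL): test for change
+
 Mon Jul 27 13:24:11 2015 Koichi Sasada <ko1@atdot.net>
 
   * template/id.h.tmpl (ID2ATTRSET): remove an unused macro.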
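--- a/ext/openssl/lib/openssl/ssl.rb
+++ b/ext/openssl/lib/openssl/ssl.rb
@@ -252,6 +252,14 @@ module OpenSSL
     # This method MUST be called after calling #connect to ensure that the
     # hostname of a remote peer has been verified.
     def post_connection_check(hostname)
+      if peer_cert.nil?
+        msg = "Peer verification enabled, but no certificate received."
+        if using_anon_cipher?
+          msg += " Anonymous cipher suite #{cipher[0]} was negotiated. Anonymous suites must be disabled to use peer verification."
+        end
+        raise SSLError, msg
+      end
+
       unless OpenSSL::SSL.verify_certificate_identity(peer_cert, hostname)
         raise SSLError, "hostname \"#{hostname}\" does not match the server certificate"
       end
@@ -263,6 +271,14 @@ module OpenSSL
     rescue SSL::Session::SessionError
       nil
     end
+
+    private
+
+    def using_anon_cipher?
+      ctx = OpenSSL::SSL::SSLContext.new
+      ctx.ciphers = "aNULL"
+      ctx.ciphers.include?(cipher)
+    end
   end
 
   ##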
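Review bot: In `using_anon_cipher?` (second hunk) `ctx.ciphers.include?(cipher)` compares the whole negotiated-cipher array rather than the suite name, and `ctx.ciphers = "aNULL"` may raise `SSLError` on an OpenSSL build that ships no anonymous suites, which would replace the diagnostic this commit adds with an unrelated error on the no-certificate path. Matching on the name and tolerating a missing cipher is more robust: `return false unless cipher` followed by `ctx.ciphers.any? { |c| c.first == cipher.first }`. The helper also builds a throw-away `SSLContext` on every call, which is acceptable on a failure path but deserves a comment such as `# true when the negotiated suite is one OpenSSL classifies as aNULL, i.e. the server was never authenticated` so the next reader knows why a second context exists. The ordering in the first hunk is right: `post_connection_check` now fails closed before `verify_certificate_identity` is reached when no certificate was ever presented.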
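--- a/test/openssl/test_ssl.rb
+++ b/test/openssl/test_ssl.rb
@@ -365,6 +365,20 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
     }
   end
 
+  def test_post_connect_check_with_anon_ciphers
+    sslerr = OpenSSL::SSL::SSLError
+
+    start_server(OpenSSL::SSL::VERIFY_NONE, true, {use_anon_cipher: true}){|server, port|
+      ctx = OpenSSL::SSL::SSLContext.new
+      ctx.ciphers = "aNULL"
+      server_connect(port, ctx) { |ssl|
+        msg = "Peer verification enabled, but no certificate received. Anonymous cipher suite " \
+              "ADH-AES256-GCM-SHA384 was negotiated. Anonymous suites must be disabled to use peer verification."
+        assert_raise_with_message(sslerr,msg){ssl.post_connection_check("localhost.localdomain")}
+      }
+    }
+  end
+
   def test_post_connection_check
     sslerr = OpenSSL::SSL::SSLError
 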
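Review bot: The expected message in `test_post_connect_check_with_anon_ciphers` hard-codes `ADH-AES256-GCM-SHA384`, so the test is coupled both to the suite name the `start_server` helper sets elsewhere and to the linked OpenSSL actually offering that suite; on a build without anonymous DH or AES-GCM the handshake fails before the assertion and the result reads as a connection error rather than a missing feature. Deriving the name from the shared helper, or skipping when a fresh `OpenSSL::SSL::SSLContext` rejects `ciphers = "ADH-AES256-GCM-SHA384"`, would make that dependency explicit. Minor style: `assert_raise_with_message(sslerr,msg){...}` wants a space after the comma and around the block braces to match the surrounding tests, and the `{use_anon_cipher: true}` braces on the `start_server` call are unnecessary for a trailing hash argument.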
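--- a/<test helper file, path not shown on page>
+++ b/<test helper file, path not shown on page>
@@ -270,12 +270,14 @@ AQjjxMXhwULlmuR/K+WwlaZPiLIBYalLAZQ7ZbOPeVkJ8ePao0eLAgEC
       ctx_proc = args[:ctx_proc]
       server_proc = args[:server_proc]
       ignore_listener_error = args.fetch(:ignore_listener_error, false)
+      use_anon_cipher = args.fetch(:use_anon_cipher, false)
       server_proc ||= method(:readwrite_loop)
 
       store = OpenSSL::X509::Store.new
       store.add_cert(@ca_cert)
       store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
       ctx = OpenSSL::SSL::SSLContext.new
+      ctx.ciphers = "ADH-AES256-GCM-SHA384" if use_anon_cipher
       ctx.cert_store = store
       #ctx.extra_chain_cert = [ ca_cert ]
       ctx.cert = @svr_cert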
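Review bot: `ctx.ciphers = "ADH-AES256-GCM-SHA384" if use_anon_cipher` replaces the server's whole cipher list with a single anonymous suite rather than adding one, so the flag name `use_anon_cipher` understates its effect; the enclosing `start_server` method begins outside the hunk, so its parameter documentation is not visible here. A comment on that line, `# restrict the server to one aNULL suite so the client cannot negotiate an authenticated one`, plus an entry for `:use_anon_cipher` wherever the other `args` keys are described, would make the option self-explaining. The suite literal is repeated in the new test's expected message; keeping it in one constant shared by the helper and the test would stop the two from drifting apart.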