Mirror of https://github.com/ruby/ruby.git, synced 2022-11-09 12:17:21 -05:00
* ext/openssl/ossl_ssl.c: Add SSL constants and allow to unset SSL option to prevent BEAST attack. See [Bug #5353].

  In OpenSSL, OP_DONT_INSERT_EMPTY_FRAGMENTS is used to prevent the TLS-CBC-IV vulnerability described at http://www.openssl.org/~bodo/tls-cbc.txt. It's a known issue of TLSv1/SSLv3 but it attracts lots of attention these days as the BEAST attack. (CVE-2011-3389)

  Until now ossl sets OP_ALL at SSLContext allocation and calls SSL_CTX_set_options at connection. SSL_CTX_set_options updates the value by using |= so bits set by OP_ALL cannot be unset afterwards.

  This commit changes to call SSL_CTX_set_options only 1 time for each SSLContext. It sets the specified value if SSLContext#options= is called and sets OP_ALL if not.

  To help users to unset bits in OP_ALL, this commit also adds several constants to SSL such as OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS. These constants were not exposed in Ruby because there was no way to unset bits in OP_ALL before.

  Following is an example to enable 0/n split for BEAST prevention.

      ctx.options = OP_ALL & ~OP_DONT_INSERT_EMPTY_FRAGMENTS

* test/openssl/test_ssl.rb: Test above option exists.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_1_9_2@34525 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
| ext/ |
|---|
| .. |
| -test- |
| bigdecimal |
| continuation |
| coverage |
| curses |
| dbm |
| digest |
| dl |
| etc |
| fcntl |
| fiber |
| fiddle |
| gdbm |
| iconv |
| io |
| json |
| mathn |
| nkf |
| objspace |
| openssl |
| psych |
| pty |
| racc/cparse |
| readline |
| ripper |
| sdbm |
| socket |
| stringio |
| strscan |
| syck |
| syslog |
| tk |
| win32ole |
| zlib |
| .cvsignore |
| .document |
| extmk.rb |
| purelib.rb |
| Setup |
| Setup.atheos |
| Setup.emx |
| Setup.nt |