ext/openssl/ossl.c: Expose OpenSSL::OPENSSL_FIPS constant to
indicate whether OpenSSL runs in FIPS mode.
test/openssl/test_pkey_dh.rb: Generate 256 bit keys for
non-FIPS installations to improve test performance (e.g. for
rubyci).
test/openssl/utils.rb: Replace DSS1 as certificate signature
digest with SHA1 for FIPS installations when using DSA by
introducing TestUtils::DSA_SIGNATURE_DIGEST.
test/openssl/test_x509cert.rb:
test/openssl/test_x509crl.rb:
test/openssl/test_x509req.rb: Use DSA_SIGNATURE_DIGEST
NEWS: Introduce OpenSSL::OPENSSL_FIPS
These changes allow running the OpenSSL tests in FIPS mode
while keeping a high performance for non-FIPS installations.
Introduction of OpenSSL::OPENSSL_FIPS allows for applications
to react to special requirements when using OpenSSL in FIPS mode.
[Feature #6946] [ruby-core:47345]
- Diese und die folgenden Zeilen werden ignoriert --
M ext/openssl/extconf.rb
M ext/openssl/ossl.c
M NEWS
M ChangeLog
M test/openssl/utils.rb
M test/openssl/test_x509crl.rb
M test/openssl/test_x509req.rb
M test/openssl/test_x509cert.rb
M test/openssl/test_pkey_dh.rb
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@36884 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
ext/ossl_ssl.c: Support Next Protocol Negotiation. Protocols to be
advertised by the server can be set in the SSLContext by using
SSLContext#npn_protocols=, protocol selection on the client is
supported by providing a selection callback with
SSLContext#npn_select_cb. The protocol that was finally negotiated
is available through SSL#npn_protocol.
test/openssl/test_ssl.rb: Add tests for Next Protocol Negotiation.
NEWS: add news about NPN support.
[Feature #6503] [ruby-core:45272]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@36871 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
test/openssl/test_digest.rb: Add Digest module function to OpenSSL
module and test it. Patch provided by Eric Hodel.
[ruby-core:46908][Feature #6819]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@36592 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
of an aggregate type is a C99ism.
* ext/openssl/ossl_pkey_ec.c (ossl_ec_point_mul): get rid of VC++
warnings.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@36364 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* io.c (sysopen_func, rb_sysopen_internal): cast through VALUE to get
rid of warnings. fixup of r36355.
* process.c (rb_waitpid_blocking, rb_waitpid): ditto.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@36361 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
session id. MD5, as was used before, causes problems when
using a FIPS version of OpenSSL. Issue was found by Jared
Jennings, thank you!
[ruby-trunk - Bug #6137]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@36005 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
ext/openssl/ossl_pkey_rsa.c
ext/openssl/ossl_pkey_dsa.c
ext/openssl/ossl_pkey_ec.c: Forbid export passwords that are less
than four characters long, as OpenSSL itself does not allow this.
Issue found by Eric Hodel.
* ext/openssl/ossl_pkey_ec.c: Add export as an alias of to_pem,
following the PKey interface contract.
* test/openssl/test_pkey_dsa.rb
test/openssl/test_pkey_rsa.rb
test/openssl/test_pkey_ec.rb: Add tests that assert correct
behaviour when dealing with passwords that are less than four
characters long.
[ruby-core: 42281][ruby-trunk - Bug #5951]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@36001 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
remove SSLContext#disable_client_renegotiation and related
functionality introduced in r35797. The new callback approach
gives clients maximum flexibility to decide on their own what to
do on renegotiation attempts.
Add documentation for SSL module and SSLError.
* test/openssl/test_ssl.rb: Add a test for
SSLContext#renegotiation_cb.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35994 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* test/openssl/test_ssl.rb: Simple tests for this.
Client-side renegotiation is still considered problematic, even
when used in the context of secure renegotiation (RI, RFC 5746).
The changes allow users to either completely disable client
renegotiation on the server, or to specify a maximum number of
handshakes allowed in total. The number of total handshakes is
counted in a callback set as SSL_set_info_callback. If the
maximum number of handshakes is exceeded an error will be raised
We do not support renegotiation in the OpenSSL extension, therefore
this feature can only be tested externally.
The feature is opt-in, the default setting will be to allow
unlimited client renegotiation, as was the case before.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35797 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* test/openssl/test_ssl.rb: Handle ECONNRESET in code instead to avoid
the test failing in Ruby CI [1]
[1] 20120507T190102Z.log.html.gz#test-all
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35795 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* ext/openssl/extconf.rb: Use exception raising instead of message
and/or abort. We want to display error message to console _and_
logging into mkmf.log.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35685 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
before ossl_raise. this cause a test failure on Linux.
20120507T190102Z.log.html.gz
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35583 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
OpenSSL::SSL::OP_NO_TLSv1_1
OpenSSL::SSL::OP_NO_TLSv1_2
to allow blocking specific TLS versions. Thanks to Justin Guyett for
pointing this out to me.
* test/openssl/test_ssl.rb: add tests to assert correct behavior when
blocking certain versions of TLS/SSL both on server and client side.
Also refactored tests to reduce boilerplate code a little.
* test/openssl/utils.rb: rescue Errno::ECONNRESET for tests where
client rejects the connection because a forbidden protocol version
was used.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35567 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
SSLContext#version to inspect the version that was negotiated for
a given connection.
* ext/openssl/extconf.rb: detect TLS 1.1 & 1.2 support.
* test/openssl/test_ssl.rb: add tests for TLS 1.1 & 1.2 given they
are supported by the native OpenSSL being used.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35549 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* test/openssl/test_pkcs7.rb: assert correct behavior for it.
Thanks to Matt Venables for reporting the issue.
[ruby-core:43250][Bug #6134]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35167 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
values for Primitive instances.
* test/openssl/test_asn1.rb: Assert consistent behavior when
encoding nil values: Primitives raise TypeError, Constructives
raise NoMethodError.
Fixes [ruby-core:43009][Bug #6102]
-This line, and those below, will be ignored--
M test/openssl/test_asn1.rb
M ext/openssl/ossl_asn1.c
M ChangeLog
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35159 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
This reverts commit r35102.
It breaks tests on FreeBSD.
6) Failure:
test_new_with_exponent(OpenSSL::TestPKeyRSA)
[/usr/home/chkbuild/build/ruby-trunk/20120323T010301Z/ruby/test/openssl/test_pkey_rsa.rb:59]:
<3> expected but was
<12884901891>.
7) Failure:
test_new_exponent_default(OpenSSL::TestPKeyRSA)
[/usr/home/chkbuild/build/ruby-trunk/20120323T010301Z/ruby/test/openssl/test_pkey_rsa.rb:52]:
<65537> expected but was
<281479271743489>.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35116 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
option to prevent BEAST attack. See [Bug #5353].
In OpenSSL, OP_DONT_INSERT_EMPTY_FRAGMENTS is used to prevent
TLS-CBC-IV vulunerability described at
http://www.openssl.org/~bodo/tls-cbc.txt
It's known issue of TLSv1/SSLv3 but it attracts lots of attention
these days as BEAST attack. (CVE-2011-3389)
Until now ossl sets OP_ALL at SSLContext allocation and call
SSL_CTX_set_options at connection. SSL_CTX_set_options updates the
value by using |= so bits set by OP_ALL cannot be unset afterwards.
This commit changes to call SSL_CTX_set_options only 1 time for each
SSLContext. It sets the specified value if SSLContext#options= are
called and sets OP_ALL if not.
To help users to unset bits in OP_ALL, this commit also adds several
constant to SSL such as
OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS. These constants were
not exposed in Ruby because there's no way to unset bits in OP_ALL
before.
Following is an example to enable 0/n split for BEAST prevention.
ctx.options = OP_ALL & ~OP_DONT_INSERT_EMPTY_FRAGMENTS
* test/openssl/test_ssl.rb: Test above option exists.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@34482 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
unrecognized OIDs instead of the sn "UNDEF".
* test/openssl/test_x509name.rb: Add tests for the fixed behavior.
Patch provided by Paul Kehrer, thanḱ you!
[ruby-core:41769] [Feature #5787]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@34481 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Thanks to Mantas Mikulenas for noticing and providing a patch!
[ruby-core:42358] [Bug #5972]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@34469 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
