defined(OPENSSL_NO_SOCK).
This fixes a linkage error on platforms which do not have socket.
OpenSSL itself is still useful as a set of cryptographic functions
even on such platforms.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@40680 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
subclasses that include WaitReadable or WaitWritable rather than
extending them into the exception object each time.
* error.c: Capture EGAIN, EWOULDBLOCK, EINPROGRESS exceptions and
export them for use in WaitReadable/Writable exceptions.
* io.c: Create versions of EAGAIN, EWOULDBLOCK, EINPROGRESS that
include WaitReadable and WaitWritable. Add rb_readwrite_sys_fail
for nonblocking failures using those exceptions. Use that
function in io_getpartial and io_write_nonblock instead of
rb_mod_sys_fail
* ext/openssl/ossl_ssl.c: Add new SSLError subclasses that include
WaitReadable and WaitWritable. Use those classes for
write_would_block and read_would_block instead of rb_mod_sys_fail.
* ext/socket/ancdata.c: Use rb_readwrite_sys_fail instead of
rb_mod_sys_fail in bsock_sendmsg_internal and
bsock_recvmsg_internal.
* ext/socket/init.c: Use rb_readwrite_sys_fail instead of
rb_mod_sys_fail in rsock_s_recvfrom_nonblock and
rsock_s_connect_nonblock.
* ext/socket/socket.c: Use rb_readwrite_sys_fail instead of
rb_mod_sys_fail in sock_connect_nonblock.
* include/ruby/ruby.h: Export rb_readwrite_sys_fail for use instead
of rb_mod_sys_fail. Introduce new constants RB_IO_WAIT_READABLE and
RB_IO_WAIT_WRITABLE for first arg to rb_readwrite_sys_fail.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@40195 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
ext/ossl_ssl.c: Support Next Protocol Negotiation. Protocols to be
advertised by the server can be set in the SSLContext by using
SSLContext#npn_protocols=, protocol selection on the client is
supported by providing a selection callback with
SSLContext#npn_select_cb. The protocol that was finally negotiated
is available through SSL#npn_protocol.
test/openssl/test_ssl.rb: Add tests for Next Protocol Negotiation.
NEWS: add news about NPN support.
[Feature #6503] [ruby-core:45272]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@36871 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
remove SSLContext#disable_client_renegotiation and related
functionality introduced in r35797. The new callback approach
gives clients maximum flexibility to decide on their own what to
do on renegotiation attempts.
Add documentation for SSL module and SSLError.
* test/openssl/test_ssl.rb: Add a test for
SSLContext#renegotiation_cb.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35994 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* test/openssl/test_ssl.rb: Simple tests for this.
Client-side renegotiation is still considered problematic, even
when used in the context of secure renegotiation (RI, RFC 5746).
The changes allow users to either completely disable client
renegotiation on the server, or to specify a maximum number of
handshakes allowed in total. The number of total handshakes is
counted in a callback set as SSL_set_info_callback. If the
maximum number of handshakes is exceeded an error will be raised
We do not support renegotiation in the OpenSSL extension, therefore
this feature can only be tested externally.
The feature is opt-in, the default setting will be to allow
unlimited client renegotiation, as was the case before.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35797 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* test/openssl/test_ssl.rb: Handle ECONNRESET in code instead to avoid
the test failing in Ruby CI [1]
[1] 20120507T190102Z.log.html.gz#test-all
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35795 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
before ossl_raise. this cause a test failure on Linux.
20120507T190102Z.log.html.gz
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35583 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
OpenSSL::SSL::OP_NO_TLSv1_1
OpenSSL::SSL::OP_NO_TLSv1_2
to allow blocking specific TLS versions. Thanks to Justin Guyett for
pointing this out to me.
* test/openssl/test_ssl.rb: add tests to assert correct behavior when
blocking certain versions of TLS/SSL both on server and client side.
Also refactored tests to reduce boilerplate code a little.
* test/openssl/utils.rb: rescue Errno::ECONNRESET for tests where
client rejects the connection because a forbidden protocol version
was used.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35567 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
SSLContext#version to inspect the version that was negotiated for
a given connection.
* ext/openssl/extconf.rb: detect TLS 1.1 & 1.2 support.
* test/openssl/test_ssl.rb: add tests for TLS 1.1 & 1.2 given they
are supported by the native OpenSSL being used.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35549 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
option to prevent BEAST attack. See [Bug #5353].
In OpenSSL, OP_DONT_INSERT_EMPTY_FRAGMENTS is used to prevent
TLS-CBC-IV vulunerability described at
http://www.openssl.org/~bodo/tls-cbc.txt
It's known issue of TLSv1/SSLv3 but it attracts lots of attention
these days as BEAST attack. (CVE-2011-3389)
Until now ossl sets OP_ALL at SSLContext allocation and call
SSL_CTX_set_options at connection. SSL_CTX_set_options updates the
value by using |= so bits set by OP_ALL cannot be unset afterwards.
This commit changes to call SSL_CTX_set_options only 1 time for each
SSLContext. It sets the specified value if SSLContext#options= are
called and sets OP_ALL if not.
To help users to unset bits in OP_ALL, this commit also adds several
constant to SSL such as
OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS. These constants were
not exposed in Ruby because there's no way to unset bits in OP_ALL
before.
Following is an example to enable 0/n split for BEAST prevention.
ctx.options = OP_ALL & ~OP_DONT_INSERT_EMPTY_FRAGMENTS
* test/openssl/test_ssl.rb: Test above option exists.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@34482 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
* test/openssl/test_ssl.rb: Add a test for it.
Thanks to Eric Wong for the patch.
[Ruby 1.9 - Feature #5183] [ruby-core:38911]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32973 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
SSLError from SSLSocket just after invoking SSLSocket#close.
OpenSSL's SSL_shutdown could try to send alert packet and it might
set SSLerr(global error stack) as the result. It causes the next
SSL read/write operation to fail by unrelated reason.
By design, we're ignoring any error at SSL_shutdown() so we clear
global error stack after SSL_shutdown is called. See #5039.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32658 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
connection more gracefully. Call SSL_shutdown() max 4 times until it
returns 1 (success). Bi-directional SSL close has several states but
SSL_shutdown() kicks only 1 transition per call. Max 4 is from
mod_ssl.c of Apache httpd that says 'max 2x pending * 2x data = 4'.
See #4237.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32219 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
OpenSSL from the callback for SSL_CTX_sess_set_get_cb().
Returning 0 means to OpenSSL that the the session is still valid
(since we created Ruby Session object) and was not freed by us with
SSL_SESSION_free(). Call SSLContext#remove_session(sess) in
session_get_cb block if you don't want OpenSSL to cache the session
internally.
This potential issue was pointed by Ippei Obayashi. See #4416.
* test/openssl/test_ssl_session.rb (test_ctx_server_session_cb): Test
it.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32204 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
OpenSSL::SSL::SSLContext#session_remove_cb was broken. It wrongly
tried to call the session_*new*_cb callback.
* test/openssl/test_ssl_session.rb (class OpenSSL): Test it.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@32200 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
However, the problem is not revised in this.
This adds the control of using function of SSLv2 in made macro by function check.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@31528 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Add additional documentation for OpenSSL::SSL::SSLContext and
OpenSSL::SSL::SSLSocket.
Move "let rdoc know about mOSSL" comments so they don't show up in output.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@30090 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
blocked on Windows while blocking call for SSLSocket. Need to
convert errno for letting rb_io_wait_readable detect EWOULDBLOCK.
Patch by arton. ref #3794.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@29197 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
use sk_SSL_CIPHER_num and sk_SSL_CIPHER_value instead of cast.
patched by Takahiro Kambe [ruby-dev:41530]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@28282 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
which allows net/https to specify timeout. [ruby-core:24812]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@27282 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
