Commit graph

203 commits

Author SHA1 Message Date
Kazuki Yamaguchi
5a14f53695 [ruby/openssl] ssl: separate SSLContext#min_version= and #max_version=
Make these methods simple wrappers around
SSL_CTX_set_{min,max}_proto_version().

When we introduced these methods in commit 18603949d3 [1], which went
to v2.1.0, we added a private method to SSLContext that set both the
minimum and maximum protocol versions at the same time. This was to
allow emulating the behavior using SSL options on older OpenSSL versions
that lack SSL_CTX_set_{min,max}_proto_version(). Since we no longer
support OpenSSL 1.0.2, the related code has already been removed.

In OpenSSL 1.1.1 or later, setting the minimum or maximum version to 0
is not equivalent to leaving it unset. Similar to SSL options, which we
avoid overwriting as of commit 00bec0d905 and commit 77c3db2d65 [2],
a system-wide configuration file may define default protocol version
bounds. Setting the minimum version should not unset the maximum
version, and vice versa.

[1] https://github.com/ruby/openssl/pull/142
[2] https://github.com/ruby/openssl/pull/767

5766386321
2025-02-03 09:46:03 +00:00
Kazuki Yamaguchi
87316d58fa [ruby/openssl] pkey: change PKey::{RSA,DSA,DH}#params to use nil for missing parameters
The returned Hash from these methods contains 0 in place of a missing
parameter in the key, for example:

	pkey = OpenSSL::PKey.read(OpenSSL::PKey::RSA.new(2048).public_to_pem)
	pp pkey.params
	#=>
	# {"n"=>#<OpenSSL::BN 2869346734[...snip]>,
	#  "e"=>#<OpenSSL::BN 65537>,
	#  "d"=>#<OpenSSL::BN 0>,
	#  "p"=>#<OpenSSL::BN 0>,
	#  "q"=>#<OpenSSL::BN 0>,
	#  "dmp1"=>#<OpenSSL::BN 0>,
	#  "dmq1"=>#<OpenSSL::BN 0>,
	#  "iqmp"=>#<OpenSSL::BN 0>}

Let's use nil instead, which is more appropriate for indicating a
missing value.

f247ec3dec
2025-01-23 01:45:52 +09:00
Kazuki Yamaguchi
ec4592280f [ruby/openssl] pkey: implement PKey::{RSA,DSA,DH}#params in Ruby
Move the definitions to lib/openssl/pkey.rb. They need not be in the
extension and can be implemented using existing methods.

This reduces direct usage of the now-deprecated OpenSSL APIs around the
low-level structs such as DH, DSA, or RSA.

c14178f387
2025-01-23 01:45:51 +09:00
Kazuki Yamaguchi
441862dc9f [ruby/openssl] Require OpenSSL 1.1.0 or later
Drop support for OpenSSL 1.0.2. It has reached upstream EOL in 2019-12.

Most distributions that shipped with OpenSSL 1.0.2 have also reached
EOL, or provide a newer version in the package repository:

 - RHEL 7 (EOL 2024-06)
 - Ubuntu 16.04 LTS (EOL 2021-04)
 - Amazon Linux 2 (EOL 2026-06, but OpenSSL 1.1.1 can be installed via
   the openssl11{,-devel} package)

38ec6fd50e
2025-01-20 17:12:57 +00:00
Jean Boussier
4f79485889 [ruby/openssl] Refactor buffer usage to only use append_as_bytes
28f2901c48
2025-01-14 11:54:47 +00:00
Jean Boussier
2f5d31d38a [ruby/openssl] Reduce OpenSSL::Buffering#do_write overhead
[Bug #20972]

The `rb_str_new_freeze` was added in https://github.com/ruby/openssl/issues/452
to better handle concurrent use of a Socket, but SSL sockets can't be used
concurrently AFAIK, so we might as well just error cleanly.

By using `rb_str_locktmp` we can ensure attempts at concurrent write
will raise an error, but we avoid causing a copy of the bytes.

We also use the newer `String#append_as_bytes` method when available
to save on some more copies.

0d8c17aa85

Co-Authored-By: luke.gru@gmail.com
2025-01-14 11:54:47 +00:00
Kazuki Yamaguchi
9e3e1c7fc9 [ruby/openssl] Ruby/OpenSSL 3.3.0
e5153dbbb4
2024-12-22 03:33:03 +09:00
Kazuki Yamaguchi
c9bbf7e3eb [ruby/openssl] ssl: do not clear existing SSL options in SSLContext#set_params
Apply SSL options set in DEFAULT_PARAMS without clearing existing
options.

It currently clears options in order to avoid setting one of the
options included in OpenSSL::SSL::OP_ALL unless explicitly specified,
namely OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS. Now that
OpenSSL::SSL::OP_ALL has been removed from SSLContext#initialize, it is
no longer necessary.

77c3db2d65
2024-12-07 08:15:08 +00:00
Kazuki Yamaguchi
510c190739 [ruby/openssl] ssl: do not enable OpenSSL::SSL::OP_ALL by default
Respect the SSL options set by default by SSL_CTX() and by the
system-wide OpenSSL configuration file.

OpenSSL::SSL::SSLContext#initialize currently adds OpenSSL::SSL::OP_ALL
on top of the default SSL options. Let's stop doing it.

OpenSSL::SSL::OP_ALL is a set of options that changes OpenSSL's behavior
to work around various TLS implementation bugs. Using it is considered
usually safe, but is not completely harmless.

00bec0d905
2024-12-07 08:15:08 +00:00
Kazuki Yamaguchi
419fb2f3b9 [ruby/openssl] x509: fix handling of multiple URIs in Certificate#crl_uris
The implementation of OpenSSL::X509::Certificate#crl_uris makes the
assumption that each DistributionPoint in the CRL distribution points
extension contains a single general name of type URI. This is not
guaranteed by RFC 5280. A DistributionPoint may contain zero or more
than one URIs.

Let's include all URIs found in the extension. If only non-URI pointers
are found, return nil.

Fixes: https://github.com/ruby/openssl/issues/775

71f4fef2fa
2024-11-14 11:21:39 +09:00
Grant Gardner
4d4ac00123 [ruby/openssl] Add SSLSocket#readbyte
Companion to getbyte but raise EOFError
Similar to https://github.com/ruby/openssl/pull/438

c40f70711a
2024-07-03 08:54:18 +00:00
HoneyryderChuck
9c5e9d29f0 [ruby/openssl] rewriting most of the asn1 init code in ruby
to have as much of the lib in ruby as possible

8305051728
2024-06-27 16:00:55 +00:00
Kazuki Yamaguchi
69c0b1438a [ruby/openssl] Fix references to the license text
Update the references to the file "LICENCE" with "COPYING".

The file LICENCE doesn't exist in ruby/ruby nor ruby/openssl. This has
been always the case since OpenSSL for Ruby 2 was merged to the ruby
tree as a standard library in 2003.

In OpenSSL for Ruby 2's CVS repository[1], the LICENCE file contained
an old version of the Ruby License, identical to the COPYING file that
was in Ruby's tree at that time (r4128[2]).

[1] http://cvs.savannah.gnu.org/viewvc/rubypki/ossl2/LICENCE?revision=1.1.1.1&view=markup
[2] 231247c010/COPYING

5bccf07d04
2024-06-08 10:59:17 +00:00
Jaymz Julian
d39993a4ce [ruby/openssl] Fix performance regression in do_write(s)
This causes significant performance issues when using large (>10meg) writes

Fix by adjusting the buffer write function to clear the buffer once, rather than
piece by piece, avoiding a case where a large write (in our case, around
70mbytes) will consume 100% of CPU. This takes a webrick GET request via SSL
from around 200kbytes/sec and consuming 100% of a core, to line speed on gigabit
ethernet and 6% cpu utilization.

d4389b425d
2024-05-02 16:24:36 +09:00
Samuel Williams
368ce0758e [ruby/openssl] Further clarification of documentation.
0697f2f8b4
2024-04-30 14:51:59 +00:00
Samuel Williams
f1afae2459 [ruby/openssl] More documentation.
c8377eaf8d
2024-04-30 14:51:59 +00:00
Samuel Williams
1699772ac4 [ruby/openssl] Introduce basic support for close_read and close_write.
c99d24cee9
2024-04-30 14:51:58 +00:00
Samuel Williams
4f634d3c85 [ruby/openssl] Add support for IO#timeout.
(https://github.com/ruby/openssl/pull/714)

* Add support for IO#timeout.

3bbf5178a9
2024-01-17 17:09:03 +00:00
Ewoud Kohl van Wijngaarden
6213ab1a51 [ruby/openssl] Only set min_version on OpenSSL < 1.1.0
Both Red Hat and Debian-like systems configure the minimum TLS version
to be 1.2 by default, but allow users to change this via configs.

On Red Hat and derivatives this happens via crypto-policies[1], which in
turn writes settings in /etc/crypto-policies/back-ends/opensslcnf.config.
Most notably, it sets TLS.MinProtocol there. For Debian there's
MinProtocol in /etc/ssl/openssl.cnf. Both default to TLSv1.2, which is
considered a secure default.

In contrast, the SSLContext has a hard coded OpenSSL::SSL::TLS1_VERSION
for min_version. TLS 1.0 and 1.1 are considered insecure. By always
setting this in the default parameters, the system wide default can't be
respected, even if a developer wants to.

This takes the approach that's also done for ciphers: it's only set for
OpenSSL < 1.1.0.

[1]: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening

ae215a47ae
2024-01-17 16:41:47 +00:00
Samuel Williams
f7178045bb [ruby/openssl] Add support for gets(chomp: true).
8aa3849cff
2024-01-13 00:28:26 +00:00
Samuel Williams
08d4e5ebef [ruby/openssl] Add more methods to SocketForwarder.
39eaa9f677
2024-01-13 00:28:26 +00:00
Kazuki Yamaguchi
2df00640ff [ruby/openssl] Ruby/OpenSSL 3.2.0
6b3dd6a372
2023-09-21 20:01:23 +00:00
Mau Magnaguagno
60a6de81a8 [ruby/openssl] Prefer String#unpack1
(https://github.com/ruby/openssl/pull/586)

String#unpack1 avoids the intermediate array created by String#unpack
for single elements, while also making a call to Array#first/[0]
unnecessary.

8eb0715a42
2023-09-06 19:24:53 +09:00
Kazuki Yamaguchi
b6d7cdc2ba [ruby/openssl] ssl: use ffdhe2048 from RFC 7919 as the default DH group parameters
In TLS 1.2 or before, if DH group parameters for DHE are not supplied
with SSLContext#tmp_dh= or #tmp_dh_callback=, we currently use the
self-generated parameters added in commit bb3399a61c ("support 2048
bit length DH-key", 2016-01-15) as the fallback.

While there is no known weakness in the current parameters, it would be
a good idea to switch to pre-defined, more well audited parameters.

This also allows the fallback to work in the FIPS mode.

The PEM encoding was derived with:

	# RFC 7919 Appendix A.1. ffdhe2048
	print OpenSSL::PKey.read(OpenSSL::ASN1::Sequence([OpenSSL::ASN1::Integer((<<-END).split.join.to_i(16)), OpenSSL::ASN1::Integer(2)]).to_der).to_pem
	    FFFFFFFF FFFFFFFF ADF85458 A2BB4A9A AFDC5620 273D3CF1
	    D8B9C583 CE2D3695 A9E13641 146433FB CC939DCE 249B3EF9
	    7D2FE363 630C75D8 F681B202 AEC4617A D3DF1ED5 D5FD6561
	    2433F51F 5F066ED0 85636555 3DED1AF3 B557135E 7F57C935
	    984F0C70 E0E68B77 E2A689DA F3EFE872 1DF158A1 36ADE735
	    30ACCA4F 483A797A BC0AB182 B324FB61 D108A94B B2C8E3FB
	    B96ADAB7 60D7F468 1D4F42A3 DE394DF4 AE56EDE7 6372BB19
	    0B07A7C8 EE0A6D70 9E02FCE1 CDF7E2EC C03404CD 28342F61
	    9172FE9C E98583FF 8E4F1232 EEF28183 C3FE3B1B 4C6FAD73
	    3BB5FCBC 2EC22005 C58EF183 7D1683B2 C6F34A26 C1B2EFFA
	    886B4238 61285C97 FFFFFFFF FFFFFFFF
	END

a5527cb4f4
2023-09-06 19:24:43 +09:00
Mau Magnaguagno
4a042b2255 [ruby/openssl] Refactor Buffering consume_rbuff and getbyte methods
Prefer ``slice!`` for ``Buffering#consume_rbuff`` and safe navigation with ``ord`` for ``Buffering#getbyte``, similar to ``each_byte``.

5f6abff178
2023-09-06 19:24:02 +09:00
Mau Magnaguagno
5b67c15cd8 [ruby/openssl] [DOC] Remove repeated example from Digest
5a36cc3cb2
2023-01-31 13:14:06 +09:00
Kazuki Yamaguchi
2d2baaf2f4 [ruby/openssl] Ruby/OpenSSL 3.1.0
c2f7d775c6
2022-12-23 09:39:15 +09:00
Yuta Saito
782777a803 [ruby/openssl] Undefine OpenSSL::SSL for no socket platforms
This fixes a linkage error about `ossl_ssl_type` on platforms which do
not have socket, like WASI.

Even before this patch, some items are disabled under `OPENSSL_NO_SOCK` since
ee22fad45d
However, due to some new use of OpenSSL::SSL::Socket over the past few years,
the build under `OPENSSL_NO_SOCK` had been broken.

This patch guards whole `OpenSSL::SSL` items by `OPENSSL_NO_SOCK`.

[ky: adjusted to apply on top of my previous commit that removed the
OpenSSL::ExtConfig, and added a guard to lib/openssl/ssl.rb.]

b0cfac6a96
2022-12-23 09:39:15 +09:00
Bart de Water
6166fa612c [ruby/openssl] Call out insecure PKCS #1 v1.5 default padding for RSA
fd5eaa6dfc
2022-10-17 16:35:35 +09:00
Kazuki Yamaguchi
04bf83d6f7 [ruby/openssl] bump version number to 3.1.0.pre
fceb978a5d
2022-10-17 16:35:35 +09:00
Kazuki Yamaguchi
cd83f5b961 [ruby/openssl] Ruby/OpenSSL 3.0.1
e5bbd015dc
2022-10-17 16:35:35 +09:00
Kazuki Yamaguchi
10f93a8bd7 [ruby/openssl] pkey/dsa: let PKey::DSA.generate choose appropriate q size
DSA parameters generation via EVP_PKEY_paramgen() will not automatically
adjust the size of q value but uses 224 bits by default unless specified
explicitly. This behavior is different from the now-deprecated
DSA_generate_parameters_ex(), which PKey::DSA.generate used to call.

Fixes https://github.com/ruby/openssl/issues/483

Fixes: 1800a8d5eb ("pkey/dsa: use high level EVP interface to generate parameters and keys", 2020-05-17)

0105975a0b
2022-10-17 16:35:35 +09:00
Kazuki Yamaguchi
efce9ecf72 [ruby/openssl] Ruby/OpenSSL 3.0.0
bff4080091
2021-12-25 03:31:59 +09:00
Kazuki Yamaguchi
0d698be04f [ruby/openssl] pkey/dh: deprecate OpenSSL::PKey::DH#generate_key!
OpenSSL::PKey::DH#generate_key! will not work on OpenSSL 3.0 because
keys are made immutable. Users should use OpenSSL::PKey.generate_key
instead.

8ee6a582c7
2021-12-20 23:42:02 +09:00
Kazuki Yamaguchi
50b90c5fc3 [ruby/openssl] pkey/ec: avoid using EC#public_key= in EC#dh_compute_key
Similarly to DH#compute_key, work around it by constructing a
SubjectPublicKeyInfo. This should be considered as a temporary
implementation.

fc9aabc18d
2021-12-20 23:42:01 +09:00
Kazuki Yamaguchi
dc3f37c6cc [ruby/openssl] pkey/dh: avoid using DH#set_key in DH#compute_key
DH#set_key will not work on OpenSSL 3.0 because keys are immutable.
For now, let's reimplement DH#compute_key by manually constructing a
DER-encoded SubjectPublicKeyInfo structure and feeding it to
OpenSSL::PKey.read.

Eventually, we should implement a new method around EVP_PKEY_fromdata()
and use it instead.

46ca47060c
2021-12-20 23:42:01 +09:00
Kazuki Yamaguchi
b474049c78 [ruby/openssl] x509name: improve docs for X509::Name
Add docs for X509::Name.parse_openssl and X509::Name.parse_rfc2253,
which are currently undocumented despite being widely used.

Small changes are also made to #to_s and the class description to
recommend using RFC 2253-based methods.

Fixes: https://github.com/ruby/openssl/issues/470

74041a35d4
2021-11-01 17:48:03 +09:00
Kazuki Yamaguchi
cc8ff8b50d [ruby/openssl] require Ruby 2.6 or later
Drop support for Ruby 2.3, 2.4, and 2.5.

As of 2021-10, Ruby 2.6 is the oldest version that still receives
security fixes from the Ruby core team, so it doesn't make much sense
to keep code for those ancient versions.

3436bd040d
2021-10-16 19:39:13 +09:00
Kazuki Yamaguchi
4991dabdd0 [ruby/openssl] bump version number to 3.0.0.pre
baa83a8a57
2021-10-16 18:57:57 +09:00
Kazuki Yamaguchi
cea3c55d58 [ruby/openssl] Ruby/OpenSSL 2.2.1
65e7207a07
2021-10-16 18:34:35 +09:00
Kazuki Yamaguchi
6105ef7629 [ruby/openssl] ssl: add SSLContext#tmp_dh=
Provide a wrapper of SSL_set0_tmp_dh_pkey()/SSL_CTX_set_tmp_dh(), which
sets the DH parameters used for ephemeral DH key exchange.

SSLContext#tmp_dh_callback= already exists for this purpose, as a
wrapper around SSL_CTX_set_tmp_dh_callback(), but it is considered
obsolete and the OpenSSL API is deprecated for future removal. There is
no practical use case where an application needs to use different DH
parameters nowadays. This was originally introduced to support export
grade ciphers.

RDoc for #tmp_dh_callback= is updated to recommend the new #tmp_dh=.

Note that current versions of OpenSSL support automatic ECDHE curve
selection which is enabled by default. SSLContext#tmp_dh= should only be
necessary if you must allow ancient clients which don't support ECDHE.

aa43da4f04
2021-10-16 18:19:52 +09:00
Kazuki Yamaguchi
49217086ad [ruby/openssl] ssl: remove private method SSLSocket#tmp_ecdh_callback
Commit ee037e146037 ("ssl: remove SSL::SSLContext#tmp_ecdh_callback",
2020-08-12) forgot to remove the method.

bef9ea84e4
2021-10-16 18:19:51 +09:00
Kazuki Yamaguchi
bd356c6899 [ruby/openssl] Strip trailing spaces
68fa9c86f1
2021-07-18 18:04:50 +09:00
Kazuki Yamaguchi
5fc2912e60 [ruby/openssl] pkey/dsa: refactor DSA#sys{sign,verify} with PKey#{sign,verify}_raw
With the newly added OpenSSL::PKey::PKey#{sign,verify}_raw,
OpenSSL::PKey::DSA's low level signing operation methods can be
implemented in Ruby. The definitions are now in lib/openssl/pkey.rb.

ce805adf0c
2021-07-18 17:45:01 +09:00
Kazuki Yamaguchi
0c23e4a7aa [ruby/openssl] pkey/ec: refactor EC#dsa_{sign,verify}_asn1 with PKey#{sign,verify}_raw
With the newly added OpenSSL::PKey::PKey#{sign,verify}_raw,
OpenSSL::PKey::EC's low level signing operation methods can be
implemented in Ruby. The definitions are now in lib/openssl/pkey.rb.

1f9da0cd9d
2021-07-18 17:45:00 +09:00
Kazuki Yamaguchi
857a177b03 [ruby/openssl] pkey/rsa: port RSA#{private,public}_{encrypt,decrypt} to the EVP API
Implement these methods using the new OpenSSL::PKey::PKey#{encrypt,sign}
family. The definitions are now in lib/openssl/pkey.rb.

Also, recommend using those generic methods in the documentation.

2dfc1779d3
2021-07-18 17:44:59 +09:00
Samuel Williams
1146a94aee [ruby/openssl] Implement Certificate.load to load certificate chain. (https://github.com/ruby/openssl/pull/441)
* Add feature for loading the chained certificate into Certificate array.

05e1c015d6

Co-authored-by: Sao I Kuan <saoikuan@gmail.com>
2021-07-18 17:44:55 +09:00
Aaron Patterson
593164c2be [ruby/openssl] Add SSLSocket#getbyte
Normal sockets respond to `getbyte`, so we should make SSLSocket respond
to `getbyte` as well.  This way we can substitute SSLSockets for regular
sockets.

ac1490b7c9
2021-07-18 17:44:53 +09:00
Kazuki Yamaguchi
3fe8387950 [ruby/openssl] pkey: implement {DH,DSA,RSA}#public_key in Ruby
The low-level API that is used to implement #public_key is deprecated
in OpenSSL 3.0. It is actually very simple to implement in another way,
using existing methods only, in much shorter code. Let's do it.

While we are at it, the documentation is updated to recommend against
using #public_key. Now that OpenSSL::PKey::PKey implements public_to_der
method, there is no real use case for #public_key in newly written Ruby
programs.

48a6c391ef
2021-07-18 17:44:51 +09:00
Kazuki Yamaguchi
38436d1f5c [ruby/openssl] pkey/dsa: use high level EVP interface to generate parameters and keys
Implement PKey::DSA.new(size) and PKey::DSA.generate using
OpenSSL::PKey.generate_parameters and .generate_key instead of the low
level DSA functions.

1800a8d5eb
2021-07-18 17:44:49 +09:00