author | Kazuki Yamaguchi <[email protected]> | 2024-06-12 02:29:46 +0900 |
---|---|---|
committer | git <[email protected]> | 2024-12-07 08:15:08 +0000 |
commit | 510c190739b83cfa4fdb56e9d9c0578af25c9c6a (patch) | |
tree | accbf0568cda3a1dfb4c2bfa9fc7fdfbb96cfed3 | |
parent | 33196b7ab007c82ebd3fa3759850b1ddc10d50ef (diff) |
[ruby/openssl] ssl: do not enable OpenSSL::SSL::OP_ALL by default
Respect the SSL options set by default by SSL_CTX() and by the
system-wide OpenSSL configuration file.
OpenSSL::SSL::SSLContext#initialize currently adds OpenSSL::SSL::OP_ALL
on top of the default SSL options. Let's stop doing it.
OpenSSL::SSL::OP_ALL is a set of options that changes OpenSSL's behavior
to work around various TLS implementation bugs. Using it is usually
considered safe, but it is not completely harmless.
https://github.com/ruby/openssl/commit/00bec0d905
-rw-r--r-- | ext/openssl/lib/openssl/ssl.rb | 1 | ||||
-rw-r--r-- | test/openssl/test_ssl.rb | 32 |
2 files changed, 30 insertions, 3 deletions
diff --git a/ext/openssl/lib/openssl/ssl.rb b/ext/openssl/lib/openssl/ssl.rb
index 2186f5f43a..f28239babd 100644
--- a/ext/openssl/lib/openssl/ssl.rb
+++ b/ext/openssl/lib/openssl/ssl.rb
@@ -125,7 +125,6 @@ ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg==
 # that this form is deprecated. New applications should use #min_version=
 # and #max_version= as necessary.
 def initialize(version = nil)
- self.options |= OpenSSL::SSL::OP_ALL
 self.ssl_version = version if version
 self.verify_mode = OpenSSL::SSL::VERIFY_NONE
 self.verify_hostname = false
diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb
index f011e881e9..088bd602c0 100644
--- a/test/openssl/test_ssl.rb
+++ b/test/openssl/test_ssl.rb
@@ -15,11 +15,16 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
 end
 end
+ def test_ctx_setup
+ ctx = OpenSSL::SSL::SSLContext.new
+ assert_equal true, ctx.setup
+ assert_predicate ctx, :frozen?
+ assert_equal nil, ctx.setup
+ end
+
 def test_ctx_options
 ctx = OpenSSL::SSL::SSLContext.new
- assert (OpenSSL::SSL::OP_ALL & ctx.options) == OpenSSL::SSL::OP_ALL,
- "OP_ALL is set by default"
 ctx.options = 4
 assert_equal 4, ctx.options & 4
 if ctx.options != 4
@@ -33,6 +38,29 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase
 assert_equal nil, ctx.setup
 end
+ def test_ctx_options_config
+ omit "LibreSSL does not support OPENSSL_CONF" if libressl?
+ omit "OpenSSL < 1.1.1 does not support system_default" if openssl? && !openssl?(1, 1, 1)
+
+ Tempfile.create("openssl.cnf") { |f|
+ f.puts(<<~EOF)
+ openssl_conf = default_conf
+ [default_conf]
+ ssl_conf = ssl_sect
+ [ssl_sect]
+ system_default = ssl_default_sect
+ [ssl_default_sect]
+ Options = -SessionTicket
+ EOF
+ f.close
+
+ assert_separately([{ "OPENSSL_CONF" => f.path }, "-ropenssl"], <<~"end;")
+ ctx = OpenSSL::SSL::SSLContext.new
+ assert_equal OpenSSL::SSL::OP_NO_TICKET, ctx.options & OpenSSL::SSL::OP_NO_TICKET
+ end;
+ }
+ end
+
 def test_ssl_with_server_cert
 ctx_proc = -> ctx {
 ctx.cert = @svr_cert |
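Review bot: The doc comment above `def initialize` (only its tail is visible here, and the method body continues past the hunk) still describes only the deprecated version argument and says nothing about where the context's options now come from, so a reader of the new code will not learn that OP_ALL is no longer added. I would extend that comment with `# Does not add OP_ALL: the effective options are the defaults SSL_CTX_new chooses plus any system_default Options from the OpenSSL config file.` The changelog should say the same, because which workaround bits disappear depends on the linked OpenSSL — on 1.1.1 OP_ALL presumably still carries OP_LEGACY_SERVER_CONNECT, so applications talking to servers without the secure-renegotiation extension may now have to set it explicitly, which is the right default but a visible behavior change. The `VERIFY_NONE` and `verify_hostname = false` defaults that follow are untouched by this commit; that is out of scope here but is the part of this constructor a security reviewer keeps coming back to.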
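Review bot: Dropping the `OP_ALL is set by default` assertion leaves `test_ctx_options` with no check of the new default at all, so a regression that re-adds `self.options |= OP_ALL` in the constructor would pass the suite unnoticed. The inverse can be asserted without depending on the exact library defaults, since neither SSL_CTX_new nor a sane config sets every OP_ALL bit at once: `refute_equal OpenSSL::SSL::OP_ALL, ctx.options & OpenSSL::SSL::OP_ALL, "OP_ALL is not set by default"` right after `ctx = OpenSSL::SSL::SSLContext.new`. If there is concern about a system OPENSSL_CONF on the test host, the same check can run inside an `assert_separately` with a private config, as `test_ctx_options_config` does further down. `test_ctx_options` continues past the end of this hunk.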
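Review bot: `test_ctx_options_config` has no comment stating what it proves or why it is shaped the way it is, and neither is obvious from the code: the context is created in a child process through `assert_separately`, presumably because OpenSSL reads OPENSSL_CONF once at library initialization, so a config file written during the test can only be observed by a fresh process. I would add a short comment above the method saying that it verifies SSLContext#initialize preserves the `system_default` Options from the config file instead of clobbering them, that `f.close` is there so the child process sees the flushed contents before it starts, and that the two `omit`s reflect LibreSSL ignoring OPENSSL_CONF and `system_default` existing only from OpenSSL 1.1.1 — confirm both reasons against the library docs before writing them as fact. A one-line comment on the `Options = -SessionTicket` line, e.g. `# maps to OP_NO_TICKET; chosen because no default sets it`, would also explain why that flag in particular is asserted.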