Bug #10046
OpenSSL::TestSSLSession#test_ctx_server_session_cb and OpenSSL::TestSSLSession#test_ctx_client_session_cb test failures
Status: closed
Description
I observe the following test failures in Fedora 21 and Rawhide:
4) Error:
OpenSSL::TestSSLSession#test_ctx_server_session_cb:
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server hello A: sslv3 alert handshake failure
/builddir/build/BUILD/ruby-2.1.2/test/openssl/test_ssl_session.rb:351:in `connect'
/builddir/build/BUILD/ruby-2.1.2/test/openssl/test_ssl_session.rb:351:in `block (2 levels) in test_ctx_server_session_cb'
/builddir/build/BUILD/ruby-2.1.2/test/openssl/test_ssl_session.rb:346:in `times'
/builddir/build/BUILD/ruby-2.1.2/test/openssl/test_ssl_session.rb:346:in `block in test_ctx_server_session_cb'
/builddir/build/BUILD/ruby-2.1.2/test/openssl/utils.rb:298:in `call'
/builddir/build/BUILD/ruby-2.1.2/test/openssl/utils.rb:298:in `start_server'
/builddir/build/BUILD/ruby-2.1.2/test/openssl/test_ssl_session.rb:344:in `test_ctx_server_session_cb'
5) Error:
OpenSSL::TestSSLSession#test_ctx_client_session_cb:
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server hello A: sslv3 alert handshake failure
/builddir/build/BUILD/ruby-2.1.2/test/openssl/test_ssl_session.rb:294:in `connect'
/builddir/build/BUILD/ruby-2.1.2/test/openssl/test_ssl_session.rb:294:in `block in test_ctx_client_session_cb'
/builddir/build/BUILD/ruby-2.1.2/test/openssl/utils.rb:298:in `call'
/builddir/build/BUILD/ruby-2.1.2/test/openssl/utils.rb:298:in `start_server'
/builddir/build/BUILD/ruby-2.1.2/test/openssl/test_ssl_session.rb:290:in `test_ctx_client_session_cb'
I believe that I have been observing these failures since openssl-1.0.1h-5.fc21 was built. From the OpenSSL changelog, it seems that SSLv2 and SSLv3 were disabled:
* Mon Jun 30 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1h-5
- disable SSLv2 and SSLv3 protocols by default (can be enabled
via appropriate SSL_CTX_clear_options() call)
According to the OpenSSL maintainer, they are going to be disabled in the upstream release of OpenSSL 1.0.3 as well, since they are not secure enough. So I am wondering, what can Ruby do about this?
Updated by zzak (zzak _) about 11 years ago
Can we vendor openssl like we do libyaml?
Updated by vo.x (Vit Ondruch) about 11 years ago
These routines were disabled in OpenSSL for good reasons, I suppose. I don't understand why Ruby should be less secure. Not to mention the duplicated work.
Updated by normalperson (Eric Wong) about 11 years ago
e@zzak.io wrote:
Can we vendor openssl like we do libyaml?
Not speaking for Martin, but I think that would be a horrible idea. OpenSSL has new CVEs issued for it all the time and that would be a big maintenance burden to stay up-to-date with new releases. It also gives OpenSSL even more inertia, making it harder to adopt alternatives.
Updated by vo.x (Vit Ondruch) almost 11 years ago
- File 0001-Don-t-use-obsolete-SSLv3-for-tests.patch 0001-Don-t-use-obsolete-SSLv3-for-tests.patch added
- Backport changed from 2.0.0: UNKNOWN, 2.1: UNKNOWN to 2.0.0: UNKNOWN, 2.1: REQUIRED
This patch is fixing the issue for me.
Updated by vo.x (Vit Ondruch) almost 11 years ago
Sorry, it fixes just one of the two issues :/
Updated by zzak (zzak _) almost 11 years ago
- Status changed from Open to Assigned
I can't reproduce these test failures, but this patch looks ok to me
Updated by vo.x (Vit Ondruch) almost 11 years ago
You would need to have OpenSSL built with this patch:
http://pkgs.fedoraproject.org/cgit/openssl.git/tree/openssl-1.0.1h-disable-sslv2v3.patch
This patch is now applied in openssl-1.0.1j-3.fc22 in Fedora Rawhide. I would not be surprised to see this patch in RHEL soon.
BTW, the attached patch fixes just the OpenSSL::TestSSLSession#test_ctx_client_session_cb error. I can't figure out how to fix the other one. When I try various possibilities instead of SSLv3, it either times out or complains about the wrong order of operations (or something like that, I can't remember now).
Updated by hsbt (Hiroshi SHIBATA) almost 11 years ago
- Status changed from Assigned to Closed
- % Done changed from 0 to 100
Applied in changeset r49099.
- test/openssl/test_ssl_session.rb (OpenSSL#test_ctx_client_session_cb):
fix test failure with OpenSSL disabled SSLv3 protocol.
[ruby-core:63772] [Bug #10046]
Updated by hsbt (Hiroshi SHIBATA) almost 11 years ago
- Status changed from Closed to Open
I committed the patch for OpenSSL#test_ctx_client_session_cb, but the test_ctx_server_session_cb fix is broken in my OSX environment (Mavericks).
Updated by vo.x (Vit Ondruch) over 10 years ago
- Related to Bug #11366: Don't force SSLv3 in test, as it is insecure and may not be supported added
Updated by vo.x (Vit Ondruch) about 10 years ago
- Status changed from Open to Closed
Resolved by r51650
Updated by vo.x (Vit Ondruch) about 10 years ago
Actually r51649 is the fix. Sorry for the noise.
Updated by nagachika (Tomoyuki Chikanaga) almost 10 years ago
- Backport changed from 2.0.0: UNKNOWN, 2.1: REQUIRED to 2.0.0: UNKNOWN, 2.1: REQUIRED, 2.2: DONE
Backported into ruby_2_2 branch at r52413.
Updated by usa (Usaku NAKAMURA) almost 10 years ago
- Backport changed from 2.0.0: UNKNOWN, 2.1: REQUIRED, 2.2: DONE to 2.0.0: UNKNOWN, 2.1: DONE, 2.2: DONE
ruby_2_1 r52637 merged revision(s) 49099.