Bug #10046

OpenSSL::TestSSLSession#test_ctx_server_session_cb and OpenSSL::TestSSLSession#test_ctx_client_session_cb test failures

Added by Vit Ondruch about 2 years ago. Updated 9 months ago.

Status:
Closed
Priority:
Normal
Assignee:
-
ruby -v:
ruby 2.1.2p95 (2014-05-08 revision 45877) [x86_64-linux]
[ruby-core:63772]

Description

I observe the following test failures in Fedora 21 and Rawhide:

  4) Error:
OpenSSL::TestSSLSession#test_ctx_server_session_cb:
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server hello A: sslv3 alert handshake failure
    /builddir/build/BUILD/ruby-2.1.2/test/openssl/test_ssl_session.rb:351:in `connect'
    /builddir/build/BUILD/ruby-2.1.2/test/openssl/test_ssl_session.rb:351:in `block (2 levels) in test_ctx_server_session_cb'
    /builddir/build/BUILD/ruby-2.1.2/test/openssl/test_ssl_session.rb:346:in `times'
    /builddir/build/BUILD/ruby-2.1.2/test/openssl/test_ssl_session.rb:346:in `block in test_ctx_server_session_cb'
    /builddir/build/BUILD/ruby-2.1.2/test/openssl/utils.rb:298:in `call'
    /builddir/build/BUILD/ruby-2.1.2/test/openssl/utils.rb:298:in `start_server'
    /builddir/build/BUILD/ruby-2.1.2/test/openssl/test_ssl_session.rb:344:in `test_ctx_server_session_cb'
  5) Error:
OpenSSL::TestSSLSession#test_ctx_client_session_cb:
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server hello A: sslv3 alert handshake failure
    /builddir/build/BUILD/ruby-2.1.2/test/openssl/test_ssl_session.rb:294:in `connect'
    /builddir/build/BUILD/ruby-2.1.2/test/openssl/test_ssl_session.rb:294:in `block in test_ctx_client_session_cb'
    /builddir/build/BUILD/ruby-2.1.2/test/openssl/utils.rb:298:in `call'
    /builddir/build/BUILD/ruby-2.1.2/test/openssl/utils.rb:298:in `start_server'
    /builddir/build/BUILD/ruby-2.1.2/test/openssl/test_ssl_session.rb:290:in `test_ctx_client_session_cb'

I believe that I have observed these failures since openssl-1.0.1h-5.fc21 was built. From the changelog of OpenSSL, it seems that SSLv2 and SSLv3 were disabled:

* Mon Jun 30 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1h-5
- disable SSLv2 and SSLv3 protocols by default (can be enabled
  via appropriate SSL_CTX_clear_options() call)

According to the OpenSSL maintainer, they are going to be disabled in the upstream release of OpenSSL 1.0.3 as well, since they are not secure enough. So I am wondering what Ruby can do about this.

0001-Don-t-use-obsolete-SSLv3-for-tests.patch (1.33 KB) Vit Ondruch, 11/21/2014 03:15 PM

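The change the ticket converges on, as an added example (not code from the ticket or the attached patch): a loopback handshake that does not force ssl_version = :SSLv3 but only rules out the obsolete protocols via the context options, with a server session_new_cb to confirm the session path the failing tests exercise still fires. The self-signed certificate, the one-line echo server and the loopback TCP setup are constructed here.

```ruby
require "openssl"
require "socket"

# Constructed self-signed certificate for the loopback server (test data only).
def self_signed_cert
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = cert.issuer = OpenSSL::X509::Name.parse("/CN=localhost")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Loopback handshake that does NOT pin ssl_version (the tests did `ssl_version = :SSLv3`).
# The client only rules out SSLv2/SSLv3, so OpenSSL negotiates whatever it still ships with.
# Returns the negotiated protocol, the echoed line and how often session_new_cb fired (>= 1).
def negotiate_without_sslv3
  cert, key = self_signed_cert
  new_sessions = 0
  server_ctx = OpenSSL::SSL::SSLContext.new
  server_ctx.cert = cert
  server_ctx.key  = key
  server_ctx.session_new_cb = proc { |_ssl, _session| new_sessions += 1 }

  client_ctx = OpenSSL::SSL::SSLContext.new
  client_ctx.options |= OpenSSL::SSL::OP_NO_SSLv2 | OpenSSL::SSL::OP_NO_SSLv3
  client_ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE # self-signed test cert, no chain to verify

  listener = TCPServer.new("127.0.0.1", 0)
  server = Thread.new do
    ssl = OpenSSL::SSL::SSLSocket.new(listener.accept, server_ctx)
    ssl.sync_close = true
    ssl.accept
    ssl.puts(ssl.gets) # echo one line back
    ssl.close
  end

  ssl = OpenSSL::SSL::SSLSocket.new(TCPSocket.new("127.0.0.1", listener.addr[1]), client_ctx)
  ssl.sync_close = true
  ssl.connect
  ssl.puts("ping")
  reply   = ssl.gets.to_s.chomp
  version = ssl.ssl_version # e.g. "TLSv1.3"; never "SSLv3"
  ssl.close
  server.join(5)
  listener.close
  { version: version, reply: reply, new_sessions: new_sessions }
end
```

On an OpenSSL built like the Fedora package in the report, forcing :SSLv3 fails with the handshake alert shown above, while this negotiation succeeds.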
Related issues

Related to Ruby trunk - Bug #11366: Don't force SSLv3 in test, as it is insecure and may not be supported Closed

Associated revisions

Revision 49099
Added by Hiroshi SHIBATA over 1 year ago

  • test/openssl/test_ssl_session.rb (OpenSSL#test_ctx_client_session_cb): fix test failure with OpenSSL disabled SSLv3 protocol. [Bug #10046]

Revision 52413
Added by Tomoyuki Chikanaga 10 months ago

merge revision(s) 49099: [Backport #10046]

* test/openssl/test_ssl_session.rb (OpenSSL#test_ctx_client_session_cb):
  fix test failure with OpenSSL disabled SSLv3 protocol.
  [Bug #10046]

Revision 52637
Added by Usaku NAKAMURA 9 months ago

merge revision(s) 49099: [Backport #10046]

* test/openssl/test_ssl_session.rb (OpenSSL#test_ctx_client_session_cb):
  fix test failure with OpenSSL disabled SSLv3 protocol.
  [Bug #10046]

History

#1 [ruby-core:64312] Updated by Zachary Scott about 2 years ago

Can we vendor openssl like we do libyaml?

#2 [ruby-core:64313] Updated by Vit Ondruch about 2 years ago

These routines were disabled in OpenSSL for good reasons, I suppose. I don't understand why Ruby should be less secure. Not to mention the duplicated work.

#3 [ruby-core:64314] Updated by Eric Wong about 2 years ago

e@zzak.io wrote:

Can we vendor openssl like we do libyaml?

Not speaking for Martin, but I think that would be a horrible idea.
OpenSSL has new CVEs issued for it all the time and that would be a big
maintenance burden to stay up-to-date with new releases. It also gives
OpenSSL even more inertia, making it harder to adopt alternatives.

#4 [ruby-core:66393] Updated by Vit Ondruch almost 2 years ago

This patch is fixing the issue for me.

#5 [ruby-core:66394] Updated by Vit Ondruch almost 2 years ago

Sorry, it fixes just one of the two issues :/

#6 [ruby-core:66406] Updated by Zachary Scott almost 2 years ago

  • Status changed from Open to Assigned

I can't reproduce these test failures, but this patch looks ok to me

#7 [ruby-core:66413] Updated by Vit Ondruch almost 2 years ago

You would need to have OpenSSL built with this patch:

http://pkgs.fedoraproject.org/cgit/openssl.git/tree/openssl-1.0.1h-disable-sslv2v3.patch

This patch is now applied in openssl-1.0.1j-3.fc22 in Fedora Rawhide. I would not be surprised to see this patch in RHEL soon.

BTW the attached patch fixes just the OpenSSL::TestSSLSession#test_ctx_client_session_cb error. I can't figure out how to fix the other one. When I try various possibilities instead of SSLv3, it either times out or complains about the wrong order of operations (or something like that, I can't remember now).

#8 [ruby-core:67291] Updated by Hiroshi SHIBATA over 1 year ago

  • Status changed from Assigned to Closed
  • % Done changed from 0 to 100

Applied in changeset r49099.
  • test/openssl/test_ssl_session.rb (OpenSSL#test_ctx_client_session_cb): fix test failure with OpenSSL disabled SSLv3 protocol. [Bug #10046]

#9 [ruby-core:67292] Updated by Hiroshi SHIBATA over 1 year ago

  • Status changed from Closed to Open

I committed the patch for OpenSSL#test_ctx_client_session_cb, but the test_ctx_server_session_cb fix is broken in my OSX environment (Mavericks).

#10 Updated by Vit Ondruch about 1 year ago

  • Related to Bug #11366: Don't force SSLv3 in test, as it is insecure and may not be supported added

#11 Updated by Vit Ondruch about 1 year ago

  • Status changed from Open to Closed

Resolved by r51650

#12 Updated by Vit Ondruch about 1 year ago

Actually r51649 is the fix. Sorry for the noise.

#13 [ruby-core:71286] Updated by Tomoyuki Chikanaga 10 months ago

  • Backport changed from 2.0.0: UNKNOWN, 2.1: REQUIRED to 2.0.0: UNKNOWN, 2.1: REQUIRED, 2.2: DONE

Backported into ruby_2_2 branch at r52413.

#14 [ruby-core:71545] Updated by Usaku NAKAMURA 9 months ago

  • Backport changed from 2.0.0: UNKNOWN, 2.1: REQUIRED, 2.2: DONE to 2.0.0: UNKNOWN, 2.1: DONE, 2.2: DONE

ruby_2_1 r52637 merged revision(s) 49099.