Bug #10046

OpenSSL::TestSSLSession#test_ctx_server_session_cb and OpenSSL::TestSSLSession#test_ctx_client_session_cb test failures

Added by Vit Ondruch about 1 year ago. Updated 7 months ago.

[ruby-core:63772]
Status:Open
Priority:Normal
Assignee:-
ruby -v:ruby 2.1.2p95 (2014-05-08 revision 45877) [x86_64-linux] Backport:2.0.0: UNKNOWN, 2.1: REQUIRED

Description

I observe following test failures in Fedora 21 and Rawhide:

  4) Error:
OpenSSL::TestSSLSession#test_ctx_server_session_cb:
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server hello A: sslv3 alert handshake failure
    /builddir/build/BUILD/ruby-2.1.2/test/openssl/test_ssl_session.rb:351:in `connect'
    /builddir/build/BUILD/ruby-2.1.2/test/openssl/test_ssl_session.rb:351:in `block (2 levels) in test_ctx_server_session_cb'
    /builddir/build/BUILD/ruby-2.1.2/test/openssl/test_ssl_session.rb:346:in `times'
    /builddir/build/BUILD/ruby-2.1.2/test/openssl/test_ssl_session.rb:346:in `block in test_ctx_server_session_cb'
    /builddir/build/BUILD/ruby-2.1.2/test/openssl/utils.rb:298:in `call'
    /builddir/build/BUILD/ruby-2.1.2/test/openssl/utils.rb:298:in `start_server'
    /builddir/build/BUILD/ruby-2.1.2/test/openssl/test_ssl_session.rb:344:in `test_ctx_server_session_cb'
  5) Error:
OpenSSL::TestSSLSession#test_ctx_client_session_cb:
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server hello A: sslv3 alert handshake failure
    /builddir/build/BUILD/ruby-2.1.2/test/openssl/test_ssl_session.rb:294:in `connect'
    /builddir/build/BUILD/ruby-2.1.2/test/openssl/test_ssl_session.rb:294:in `block in test_ctx_client_session_cb'
    /builddir/build/BUILD/ruby-2.1.2/test/openssl/utils.rb:298:in `call'
    /builddir/build/BUILD/ruby-2.1.2/test/openssl/utils.rb:298:in `start_server'
    /builddir/build/BUILD/ruby-2.1.2/test/openssl/test_ssl_session.rb:290:in `test_ctx_client_session_cb'

I believe, that I observer these failures since openssl-1.0.1h-5.fc21 was build. From the changelog of OpenSSL, it seems that there was disabled SSLv2 and SSLv3:

* Mon Jun 30 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1h-5
- disable SSLv2 and SSLv3 protocols by default (can be enabled
  via appropriate SSL_CTX_clear_options() call)

According to the OpenSSL maintainer, they are going to be disabled in upstream release of OpenSSL 1.0.3 as well, since they are not secure enough. So I am wondering, what can do Ruby about this?

0001-Don-t-use-obsolete-SSLv3-for-tests.patch Magnifier (1.33 KB) Vit Ondruch, 11/21/2014 03:15 PM


Related issues

Related to Ruby trunk - Bug #11366: Don't force SSLv3 in test, as it is insecure and may not be supported Open

Associated revisions

Revision 49099
Added by Hiroshi SHIBATA 7 months ago

  • test/openssl/test_ssl_session.rb (OpenSSL#test_ctx_client_session_cb): fix test failure with OpenSSL disabled SSLv3 protocol. [Bug #10046]

History

#1 Updated by Zachary Scott 12 months ago

Can we vendor openssl like we do libyaml?

#2 Updated by Vit Ondruch 12 months ago

There routines were disabled in OpenSSL for good reasons I suppose. I don't understand, why Ruby should be less secure. Not speaking about duplicated work.

#3 Updated by Eric Wong 12 months ago

e@zzak.io wrote:

Can we vendor openssl like we do libyaml?

Not speaking for Martin, but I think that would be a horrible idea.
OpenSSL has new CVEs issued for it all the time and that would be a big
maintenance burden to stay up-to-date with new releases. It also gives
OpenSSL even more inertia, making it harder to adopt alternatives.

#4 Updated by Vit Ondruch 8 months ago

This patch is fixing the issue for me.

#5 Updated by Vit Ondruch 8 months ago

Sorry, it fixes just one of the two issues :/

#6 Updated by Zachary Scott 8 months ago

  • Status changed from Open to Assigned

I can't reproduce these test failures, but this patch looks ok to me

#7 Updated by Vit Ondruch 8 months ago

You would need to have OpenSSL built with this patch:

http://pkgs.fedoraproject.org/cgit/openssl.git/tree/openssl-1.0.1h-disable-sslv2v3.patch

This patch is now applied in openssl-1.0.1j-3.fc22 in Fedora Rawhide. I would not be surprised to see this patch in RHEL soon.

BTW the attached patch fixes just the OpenSSL::TestSSLSession#test_ctx_client_session_cb error. I can't figure out how to fix the other one. When I try various possibilities instead of SSLv3, it either timeouts or complains about wrong order of operation (or something like that, can't remember now).

#8 Updated by Hiroshi SHIBATA 7 months ago

  • Status changed from Assigned to Closed
  • % Done changed from 0 to 100

Applied in changeset r49099.


  • test/openssl/test_ssl_session.rb (OpenSSL#test_ctx_client_session_cb): fix test failure with OpenSSL disabled SSLv3 protocol. [Bug #10046]

#9 Updated by Hiroshi SHIBATA 7 months ago

  • Status changed from Closed to Open

I committed patch of OpenSSL#test_ctx_client_session_cb, but test_ctx_server_session_cb fix is broken with my OSX environment(Mavericks).

#10 Updated by Vit Ondruch 7 days ago

  • Related to Bug #11366: Don't force SSLv3 in test, as it is insecure and may not be supported added

Also available in: Atom PDF