Project

General

Profile

Actions

Bug #10046

closed

OpenSSL::TestSSLSession#test_ctx_server_session_cb and OpenSSL::TestSSLSession#test_ctx_client_session_cb test failures

Added by vo.x (Vit Ondruch) almost 8 years ago. Updated over 6 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
ruby -v:
ruby 2.1.2p95 (2014-05-08 revision 45877) [x86_64-linux]
[ruby-core:63772]

Description

I observe following test failures in Fedora 21 and Rawhide:

  4) Error:
OpenSSL::TestSSLSession#test_ctx_server_session_cb:
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server hello A: sslv3 alert handshake failure
    /builddir/build/BUILD/ruby-2.1.2/test/openssl/test_ssl_session.rb:351:in `connect'
    /builddir/build/BUILD/ruby-2.1.2/test/openssl/test_ssl_session.rb:351:in `block (2 levels) in test_ctx_server_session_cb'
    /builddir/build/BUILD/ruby-2.1.2/test/openssl/test_ssl_session.rb:346:in `times'
    /builddir/build/BUILD/ruby-2.1.2/test/openssl/test_ssl_session.rb:346:in `block in test_ctx_server_session_cb'
    /builddir/build/BUILD/ruby-2.1.2/test/openssl/utils.rb:298:in `call'
    /builddir/build/BUILD/ruby-2.1.2/test/openssl/utils.rb:298:in `start_server'
    /builddir/build/BUILD/ruby-2.1.2/test/openssl/test_ssl_session.rb:344:in `test_ctx_server_session_cb'
  5) Error:
OpenSSL::TestSSLSession#test_ctx_client_session_cb:
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server hello A: sslv3 alert handshake failure
    /builddir/build/BUILD/ruby-2.1.2/test/openssl/test_ssl_session.rb:294:in `connect'
    /builddir/build/BUILD/ruby-2.1.2/test/openssl/test_ssl_session.rb:294:in `block in test_ctx_client_session_cb'
    /builddir/build/BUILD/ruby-2.1.2/test/openssl/utils.rb:298:in `call'
    /builddir/build/BUILD/ruby-2.1.2/test/openssl/utils.rb:298:in `start_server'
    /builddir/build/BUILD/ruby-2.1.2/test/openssl/test_ssl_session.rb:290:in `test_ctx_client_session_cb'

I believe, that I observer these failures since openssl-1.0.1h-5.fc21 was build. From the changelog of OpenSSL, it seems that there was disabled SSLv2 and SSLv3:

* Mon Jun 30 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1h-5
- disable SSLv2 and SSLv3 protocols by default (can be enabled
  via appropriate SSL_CTX_clear_options() call)

According to the OpenSSL maintainer, they are going to be disabled in upstream release of OpenSSL 1.0.3 as well, since they are not secure enough. So I am wondering, what can do Ruby about this?


Files


Related issues 1 (0 open1 closed)

Related to Ruby master - Bug #11366: Don't force SSLv3 in test, as it is insecure and may not be supportedClosedActions

Updated by zzak (Zachary Scott) almost 8 years ago

Can we vendor openssl like we do libyaml?

Updated by vo.x (Vit Ondruch) almost 8 years ago

There routines were disabled in OpenSSL for good reasons I suppose. I don't understand, why Ruby should be less secure. Not speaking about duplicated work.

Updated by normalperson (Eric Wong) almost 8 years ago

wrote:

Can we vendor openssl like we do libyaml?

Not speaking for Martin, but I think that would be a horrible idea.
OpenSSL has new CVEs issued for it all the time and that would be a big
maintenance burden to stay up-to-date with new releases. It also gives
OpenSSL even more inertia, making it harder to adopt alternatives.

Updated by vo.x (Vit Ondruch) over 7 years ago

This patch is fixing the issue for me.

Updated by vo.x (Vit Ondruch) over 7 years ago

Sorry, it fixes just one of the two issues :/

Updated by zzak (Zachary Scott) over 7 years ago

  • Status changed from Open to Assigned

I can't reproduce these test failures, but this patch looks ok to me

Updated by vo.x (Vit Ondruch) over 7 years ago

You would need to have OpenSSL built with this patch:

http://pkgs.fedoraproject.org/cgit/openssl.git/tree/openssl-1.0.1h-disable-sslv2v3.patch

This patch is now applied in openssl-1.0.1j-3.fc22 in Fedora Rawhide. I would not be surprised to see this patch in RHEL soon.

BTW the attached patch fixes just the OpenSSL::TestSSLSession#test_ctx_client_session_cb error. I can't figure out how to fix the other one. When I try various possibilities instead of SSLv3, it either timeouts or complains about wrong order of operation (or something like that, can't remember now).

Updated by hsbt (Hiroshi SHIBATA) over 7 years ago

  • Status changed from Assigned to Closed
  • % Done changed from 0 to 100

Applied in changeset r49099.


  • test/openssl/test_ssl_session.rb (OpenSSL#test_ctx_client_session_cb):
    fix test failure with OpenSSL disabled SSLv3 protocol.
    [ruby-core:63772] [Bug #10046]

Updated by hsbt (Hiroshi SHIBATA) over 7 years ago

  • Status changed from Closed to Open

I committed patch of OpenSSL#test_ctx_client_session_cb, but test_ctx_server_session_cb fix is broken with my OSX environment(Mavericks).

Actions #10

Updated by vo.x (Vit Ondruch) almost 7 years ago

  • Related to Bug #11366: Don't force SSLv3 in test, as it is insecure and may not be supported added
Actions #11

Updated by vo.x (Vit Ondruch) almost 7 years ago

  • Status changed from Open to Closed

Resolved by r51650

Actions #12

Updated by vo.x (Vit Ondruch) almost 7 years ago

Actually r51649 is the fix. Sorry for the noise.

Updated by nagachika (Tomoyuki Chikanaga) over 6 years ago

  • Backport changed from 2.0.0: UNKNOWN, 2.1: REQUIRED to 2.0.0: UNKNOWN, 2.1: REQUIRED, 2.2: DONE

Backported into ruby_2_2 branch at r52413.

Updated by usa (Usaku NAKAMURA) over 6 years ago

  • Backport changed from 2.0.0: UNKNOWN, 2.1: REQUIRED, 2.2: DONE to 2.0.0: UNKNOWN, 2.1: DONE, 2.2: DONE

ruby_2_1 r52637 merged revision(s) 49099.

Actions

Also available in: Atom PDF