OpenSSL::TestSSLSession#test_ctx_server_session_cb and OpenSSL::TestSSLSession#test_ctx_client_session_cb test failures
I observe following test failures in Fedora 21 and Rawhide:
4) Error: OpenSSL::TestSSLSession#test_ctx_server_session_cb: OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server hello A: sslv3 alert handshake failure /builddir/build/BUILD/ruby-2.1.2/test/openssl/test_ssl_session.rb:351:in `connect' /builddir/build/BUILD/ruby-2.1.2/test/openssl/test_ssl_session.rb:351:in `block (2 levels) in test_ctx_server_session_cb' /builddir/build/BUILD/ruby-2.1.2/test/openssl/test_ssl_session.rb:346:in `times' /builddir/build/BUILD/ruby-2.1.2/test/openssl/test_ssl_session.rb:346:in `block in test_ctx_server_session_cb' /builddir/build/BUILD/ruby-2.1.2/test/openssl/utils.rb:298:in `call' /builddir/build/BUILD/ruby-2.1.2/test/openssl/utils.rb:298:in `start_server' /builddir/build/BUILD/ruby-2.1.2/test/openssl/test_ssl_session.rb:344:in `test_ctx_server_session_cb' 5) Error: OpenSSL::TestSSLSession#test_ctx_client_session_cb: OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server hello A: sslv3 alert handshake failure /builddir/build/BUILD/ruby-2.1.2/test/openssl/test_ssl_session.rb:294:in `connect' /builddir/build/BUILD/ruby-2.1.2/test/openssl/test_ssl_session.rb:294:in `block in test_ctx_client_session_cb' /builddir/build/BUILD/ruby-2.1.2/test/openssl/utils.rb:298:in `call' /builddir/build/BUILD/ruby-2.1.2/test/openssl/utils.rb:298:in `start_server' /builddir/build/BUILD/ruby-2.1.2/test/openssl/test_ssl_session.rb:290:in `test_ctx_client_session_cb'
I believe, that I observer these failures since openssl-1.0.1h-5.fc21 was build. From the changelog of OpenSSL, it seems that there was disabled SSLv2 and SSLv3:
* Mon Jun 30 2014 Tomáš Mráz <firstname.lastname@example.org> 1.0.1h-5 - disable SSLv2 and SSLv3 protocols by default (can be enabled via appropriate SSL_CTX_clear_options() call)
According to the OpenSSL maintainer, they are going to be disabled in upstream release of OpenSSL 1.0.3 as well, since they are not secure enough. So I am wondering, what can do Ruby about this?
merge revision(s) 49099: [Backport #10046]
* test/openssl/test_ssl_session.rb (OpenSSL#test_ctx_client_session_cb): fix test failure with OpenSSL disabled SSLv3 protocol. [Bug #10046]
#3 [ruby-core:64314] Updated by normalperson (Eric Wong) about 3 years ago
Can we vendor openssl like we do libyaml?
Not speaking for Martin, but I think that would be a horrible idea.
OpenSSL has new CVEs issued for it all the time and that would be a big
maintenance burden to stay up-to-date with new releases. It also gives
OpenSSL even more inertia, making it harder to adopt alternatives.
#7 [ruby-core:66413] Updated by vo.x (Vit Ondruch) almost 3 years ago
You would need to have OpenSSL built with this patch:
This patch is now applied in openssl-1.0.1j-3.fc22 in Fedora Rawhide. I would not be surprised to see this patch in RHEL soon.
BTW the attached patch fixes just the OpenSSL::TestSSLSession#test_ctx_client_session_cb error. I can't figure out how to fix the other one. When I try various possibilities instead of SSLv3, it either timeouts or complains about wrong order of operation (or something like that, can't remember now).
#8 [ruby-core:67291] Updated by hsbt (Hiroshi SHIBATA) over 2 years ago
- Status changed from Assigned to Closed
- % Done changed from 0 to 100