Bug #10046
closed
OpenSSL::TestSSLSession#test_ctx_server_session_cb and OpenSSL::TestSSLSession#test_ctx_client_session_cb test failures
Description
I observe the following test failures in Fedora 21 and Rawhide:
4) Error:
OpenSSL::TestSSLSession#test_ctx_server_session_cb:
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server hello A: sslv3 alert handshake failure
/builddir/build/BUILD/ruby-2.1.2/test/openssl/test_ssl_session.rb:351:in `connect'
/builddir/build/BUILD/ruby-2.1.2/test/openssl/test_ssl_session.rb:351:in `block (2 levels) in test_ctx_server_session_cb'
/builddir/build/BUILD/ruby-2.1.2/test/openssl/test_ssl_session.rb:346:in `times'
/builddir/build/BUILD/ruby-2.1.2/test/openssl/test_ssl_session.rb:346:in `block in test_ctx_server_session_cb'
/builddir/build/BUILD/ruby-2.1.2/test/openssl/utils.rb:298:in `call'
/builddir/build/BUILD/ruby-2.1.2/test/openssl/utils.rb:298:in `start_server'
/builddir/build/BUILD/ruby-2.1.2/test/openssl/test_ssl_session.rb:344:in `test_ctx_server_session_cb'
5) Error:
OpenSSL::TestSSLSession#test_ctx_client_session_cb:
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server hello A: sslv3 alert handshake failure
/builddir/build/BUILD/ruby-2.1.2/test/openssl/test_ssl_session.rb:294:in `connect'
/builddir/build/BUILD/ruby-2.1.2/test/openssl/test_ssl_session.rb:294:in `block in test_ctx_client_session_cb'
/builddir/build/BUILD/ruby-2.1.2/test/openssl/utils.rb:298:in `call'
/builddir/build/BUILD/ruby-2.1.2/test/openssl/utils.rb:298:in `start_server'
/builddir/build/BUILD/ruby-2.1.2/test/openssl/test_ssl_session.rb:290:in `test_ctx_client_session_cb'
I believe that I have observed these failures since openssl-1.0.1h-5.fc21 was built. From the changelog of OpenSSL, it seems that SSLv2 and SSLv3 were disabled:
* Mon Jun 30 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1h-5
- disable SSLv2 and SSLv3 protocols by default (can be enabled
via appropriate SSL_CTX_clear_options() call)
According to the OpenSSL maintainer, they are going to be disabled in the upstream release of OpenSSL 1.0.3 as well, since they are not secure enough. So I am wondering what Ruby can do about this.
Updated by zzak (zzak _) almost 10 years ago
Can we vendor openssl like we do libyaml?
Updated by vo.x (Vit Ondruch) almost 10 years ago
These routines were disabled in OpenSSL for good reasons, I suppose. I don't understand why Ruby should be less secure, not to mention the duplicated work.
Updated by normalperson (Eric Wong) almost 10 years ago
e@zzak.io wrote:
Can we vendor openssl like we do libyaml?
Not speaking for Martin, but I think that would be a horrible idea. OpenSSL has new CVEs issued for it all the time and that would be a big maintenance burden to stay up-to-date with new releases. It also gives OpenSSL even more inertia, making it harder to adopt alternatives.
Updated by vo.x (Vit Ondruch) over 9 years ago
- File 0001-Don-t-use-obsolete-SSLv3-for-tests.patch added
- Backport changed from 2.0.0: UNKNOWN, 2.1: UNKNOWN to 2.0.0: UNKNOWN, 2.1: REQUIRED
This patch is fixing the issue for me.
Updated by vo.x (Vit Ondruch) over 9 years ago
Sorry, it fixes just one of the two issues :/
Updated by zzak (zzak _) over 9 years ago
- Status changed from Open to Assigned
I can't reproduce these test failures, but this patch looks ok to me
Updated by vo.x (Vit Ondruch) over 9 years ago
You would need to have OpenSSL built with this patch:
http://pkgs.fedoraproject.org/cgit/openssl.git/tree/openssl-1.0.1h-disable-sslv2v3.patch
This patch is now applied in openssl-1.0.1j-3.fc22 in Fedora Rawhide. I would not be surprised to see this patch in RHEL soon.
BTW, the attached patch fixes just the OpenSSL::TestSSLSession#test_ctx_client_session_cb error. I can't figure out how to fix the other one. When I try various possibilities instead of SSLv3, it either times out or complains about a wrong order of operations (or something like that, I can't remember now).
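As an added example (not the test suite's code and not the fix that was later committed), this is the shape of the session-callback exercise the thread is discussing, written so that it does not depend on SSLv3 at all: both ends are pinned to TLS 1.2 through min_version/max_version instead of ssl_version = :SSLv3, the client captures the negotiated session from session_new_cb, and a second connection resumes it. The same code pinned to SSL3_VERSION raises OpenSSL::SSL::SSLError on an OpenSSL built without SSLv3, which is the "handshake failure" in the report. Everything here is assumed: the helper names (make_self_signed_cert, run_exchange, session_resumption_demo, version_usable?), the in-process self-signed certificate, and the use of a UNIX socket pair instead of the test suite's TCP server.

```ruby
require "openssl"
require "socket"

# Self-signed server credentials, generated in-process so the example runs
# offline (constructed for this example; not the test suite's fixtures).
def make_self_signed_cert
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = cert.issuer = OpenSSL::X509::Name.parse("/CN=localhost")
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.add_extension(ef.create_extension("subjectKeyIdentifier", "hash"))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [key, cert]
end

# Both contexts pin one protocol version with min_version/max_version, the
# supported way to select a version (instead of forcing ssl_version = :SSLv3).
def server_context(cert, key, version)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key  = key
  ctx.min_version = ctx.max_version = version
  ctx.session_id_context = "bug10046-example"
  ctx.session_cache_mode = OpenSSL::SSL::SSLContext::SESSION_CACHE_SERVER
  ctx
end

def client_context(cert, version, cache)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.min_version = ctx.max_version = version
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.cert_store  = OpenSSL::X509::Store.new.tap { |s| s.add_cert(cert) }
  # SESSION_CACHE_CLIENT is what makes OpenSSL invoke session_new_cb on the
  # client side; Ruby hands the callback a single [socket, session] array.
  ctx.session_cache_mode = OpenSSL::SSL::SSLContext::SESSION_CACHE_CLIENT
  ctx.session_new_cb = proc { |ary| _sock, sess = ary; cache[:session] = sess }
  ctx
end

# One handshake plus a one-line echo over an in-process socket pair.
# Returns what the client observed; raises OpenSSL::SSL::SSLError when the
# pinned version cannot be negotiated.
def run_exchange(server_ctx, client_ctx, session = nil)
  s_io, c_io = Socket.pair(:UNIX, :STREAM, 0)
  server = Thread.new do
    ssl = OpenSSL::SSL::SSLSocket.new(s_io, server_ctx)
    ssl.sync_close = true
    begin
      ssl.accept
      ssl.puts(ssl.gets)
    rescue OpenSSL::SSL::SSLError, IOError, SystemCallError
      nil # a client that cannot negotiate simply hangs up
    ensure
      ssl.close
    end
  end
  ssl = OpenSSL::SSL::SSLSocket.new(c_io, client_ctx)
  ssl.sync_close = true
  ssl.session = session if session # offer a cached session for resumption
  begin
    ssl.connect
    ssl.puts("ping")
    { reused: ssl.session_reused?, version: ssl.ssl_version, reply: ssl.gets }
  ensure
    ssl.close
    server.join
  end
end

# First connection fills the cache through session_new_cb; the second one
# resumes that session.
def session_resumption_demo(version = OpenSSL::SSL::TLS1_2_VERSION)
  key, cert = make_self_signed_cert
  sctx  = server_context(cert, key, version)
  cache = {}
  cctx  = client_context(cert, version, cache)
  first  = run_exchange(sctx, cctx)
  second = run_exchange(sctx, cctx, cache[:session])
  { version: second[:version], callback_fired: cache.key?(:session),
    first_reused: first[:reused], second_reused: second[:reused],
    echoed: second[:reply] == "ping\n" }
end

# True only if +version+ negotiates and a captured session resumes; false for
# a version the linked OpenSSL refuses (SSLv3 on current builds).
def version_usable?(version)
  session_resumption_demo(version)[:second_reused]
rescue OpenSSL::SSL::SSLError, IOError, SystemCallError
  false
end

if $PROGRAM_NAME == __FILE__
  p session_resumption_demo
  p version_usable?(OpenSSL::SSL::SSL3_VERSION) if defined?(OpenSSL::SSL::SSL3_VERSION)
end
```

TLS 1.2 is pinned deliberately: under TLS 1.3 the session ticket arrives after the handshake, so session_new_cb only fires once the client reads from the socket, which is exactly the kind of ordering surprise a version-forcing test masks. Pinning the version through min_version/max_version keeps the callback timing deterministic without asking the library for a protocol it no longer offers.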
Updated by hsbt (Hiroshi SHIBATA) over 9 years ago
- Status changed from Assigned to Closed
- % Done changed from 0 to 100
Applied in changeset r49099.
- test/openssl/test_ssl_session.rb (OpenSSL#test_ctx_client_session_cb):
fix test failure with OpenSSL disabled SSLv3 protocol.
[ruby-core:63772] [Bug #10046]
Updated by hsbt (Hiroshi SHIBATA) over 9 years ago
- Status changed from Closed to Open
I committed the patch for OpenSSL#test_ctx_client_session_cb, but the test_ctx_server_session_cb fix is broken in my OSX environment (Mavericks).
Updated by vo.x (Vit Ondruch) about 9 years ago
- Related to Bug #11366: Don't force SSLv3 in test, as it is insecure and may not be supported added
Updated by vo.x (Vit Ondruch) almost 9 years ago
- Status changed from Open to Closed
Resolved by r51650
Updated by vo.x (Vit Ondruch) almost 9 years ago
Actually r51649 is the fix. Sorry for the noise.
Updated by nagachika (Tomoyuki Chikanaga) over 8 years ago
- Backport changed from 2.0.0: UNKNOWN, 2.1: REQUIRED to 2.0.0: UNKNOWN, 2.1: REQUIRED, 2.2: DONE
Backported into ruby_2_2 branch at r52413.
Updated by usa (Usaku NAKAMURA) over 8 years ago
- Backport changed from 2.0.0: UNKNOWN, 2.1: REQUIRED, 2.2: DONE to 2.0.0: UNKNOWN, 2.1: DONE, 2.2: DONE
ruby_2_1 r52637 merged revision(s) 49099.