Bug #10046

closed

OpenSSL::TestSSLSession#test_ctx_server_session_cb and OpenSSL::TestSSLSession#test_ctx_client_session_cb test failures

Added by vo.x (Vit Ondruch) over 10 years ago. Updated about 9 years ago.

Status:
Closed
Assignee:
-
Target version:
-
ruby -v:
ruby 2.1.2p95 (2014-05-08 revision 45877) [x86_64-linux]
[ruby-core:63772]

Description

I observe the following test failures in Fedora 21 and Rawhide:

  4) Error:
OpenSSL::TestSSLSession#test_ctx_server_session_cb:
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server hello A: sslv3 alert handshake failure
    /builddir/build/BUILD/ruby-2.1.2/test/openssl/test_ssl_session.rb:351:in `connect'
    /builddir/build/BUILD/ruby-2.1.2/test/openssl/test_ssl_session.rb:351:in `block (2 levels) in test_ctx_server_session_cb'
    /builddir/build/BUILD/ruby-2.1.2/test/openssl/test_ssl_session.rb:346:in `times'
    /builddir/build/BUILD/ruby-2.1.2/test/openssl/test_ssl_session.rb:346:in `block in test_ctx_server_session_cb'
    /builddir/build/BUILD/ruby-2.1.2/test/openssl/utils.rb:298:in `call'
    /builddir/build/BUILD/ruby-2.1.2/test/openssl/utils.rb:298:in `start_server'
    /builddir/build/BUILD/ruby-2.1.2/test/openssl/test_ssl_session.rb:344:in `test_ctx_server_session_cb'
  5) Error:
OpenSSL::TestSSLSession#test_ctx_client_session_cb:
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server hello A: sslv3 alert handshake failure
    /builddir/build/BUILD/ruby-2.1.2/test/openssl/test_ssl_session.rb:294:in `connect'
    /builddir/build/BUILD/ruby-2.1.2/test/openssl/test_ssl_session.rb:294:in `block in test_ctx_client_session_cb'
    /builddir/build/BUILD/ruby-2.1.2/test/openssl/utils.rb:298:in `call'
    /builddir/build/BUILD/ruby-2.1.2/test/openssl/utils.rb:298:in `start_server'
    /builddir/build/BUILD/ruby-2.1.2/test/openssl/test_ssl_session.rb:290:in `test_ctx_client_session_cb'

I believe that I have observed these failures since openssl-1.0.1h-5.fc21 was built. From the changelog of OpenSSL, it seems that SSLv2 and SSLv3 were disabled:

* Mon Jun 30 2014 Tomáš Mráz <tmraz@redhat.com> 1.0.1h-5
- disable SSLv2 and SSLv3 protocols by default (can be enabled
  via appropriate SSL_CTX_clear_options() call)

According to the OpenSSL maintainer, they are going to be disabled in the upstream release of OpenSSL 1.0.3 as well, since they are not secure enough. So I am wondering, what can Ruby do about this?


Related issues 1 (0 open, 1 closed)

Related to Ruby master - Bug #11366: Don't force SSLv3 in test, as it is insecure and may not be supported (Closed)
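
Added example (not code from the Ruby test suite or from this issue): a loopback handshake in which neither side pins `ssl_version` to SSLv3, so it still connects when the linked OpenSSL has SSLv3 disabled. The helper names, the throwaway certificate and the `/CN=localhost` subject are constructed for illustration.

```ruby
require "openssl"
require "socket"

# OR together whichever "no legacy protocol" flags this OpenSSL binding defines.
LEGACY_OFF = %i[OP_NO_SSLv2 OP_NO_SSLv3]
  .select { |c| OpenSSL::SSL.const_defined?(c) }
  .inject(0) { |bits, c| bits | OpenSSL::SSL.const_get(c) }

# Constructed throwaway key and self-signed certificate for the loopback server.
def throwaway_identity
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=localhost")
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [key, cert]
end

# No ssl_version= pin: the library negotiates, and SSLv2/SSLv3 stay refused.
def negotiating_context
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.options |= LEGACY_OFF
  ctx
end

# One loopback handshake; returns the protocol as seen by [client, server].
def loopback_versions
  server_ctx = negotiating_context
  server_ctx.key, server_ctx.cert = throwaway_identity
  tcp = TCPServer.new("127.0.0.1", 0)
  server = OpenSSL::SSL::SSLServer.new(tcp, server_ctx)
  acceptor = Thread.new { s = server.accept; s.puts(s.ssl_version); s.close }

  client_ctx = negotiating_context
  client_ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE # self-signed test peer only
  sock = OpenSSL::SSL::SSLSocket.new(TCPSocket.new("127.0.0.1", tcp.addr[1]), client_ctx)
  sock.sync_close = true
  sock.connect
  seen = [sock.ssl_version, sock.gets.chomp]
  sock.close
  acceptor.join
  tcp.close
  seen
end
```

`loopback_versions` returns the same TLS version string from both ends; which one depends on the OpenSSL build the interpreter is linked against.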

Updated by zzak (zzak _) over 10 years ago

Can we vendor openssl like we do libyaml?

Updated by vo.x (Vit Ondruch) over 10 years ago

These routines were disabled in OpenSSL for good reasons, I suppose. I don't understand why Ruby should be less secure. Not to mention the duplicated work.

Updated by normalperson (Eric Wong) over 10 years ago

wrote:

> Can we vendor openssl like we do libyaml?

Not speaking for Martin, but I think that would be a horrible idea.
OpenSSL has new CVEs issued for it all the time and that would be a big
maintenance burden to stay up-to-date with new releases. It also gives
OpenSSL even more inertia, making it harder to adopt alternatives.

Updated by vo.x (Vit Ondruch) about 10 years ago

This patch is fixing the issue for me.

Updated by vo.x (Vit Ondruch) about 10 years ago

Sorry, it fixes just one of the two issues :/

Updated by zzak (zzak _) about 10 years ago

  • Status changed from Open to Assigned

I can't reproduce these test failures, but this patch looks ok to me

Updated by vo.x (Vit Ondruch) about 10 years ago

You would need to have OpenSSL built with this patch:

http://pkgs.fedoraproject.org/cgit/openssl.git/tree/openssl-1.0.1h-disable-sslv2v3.patch

This patch is now applied in openssl-1.0.1j-3.fc22 in Fedora Rawhide. I would not be surprised to see this patch in RHEL soon.

BTW the attached patch fixes just the OpenSSL::TestSSLSession#test_ctx_client_session_cb error. I can't figure out how to fix the other one. When I try various possibilities instead of SSLv3, it either times out or complains about wrong order of operation (or something like that, can't remember now).

Updated by hsbt (Hiroshi SHIBATA) almost 10 years ago

  • Status changed from Assigned to Closed
  • % Done changed from 0 to 100

Applied in changeset r49099.


  • test/openssl/test_ssl_session.rb (OpenSSL#test_ctx_client_session_cb):
    fix test failure with OpenSSL disabled SSLv3 protocol.
    [ruby-core:63772] [Bug #10046]

Updated by hsbt (Hiroshi SHIBATA) almost 10 years ago

  • Status changed from Closed to Open

I committed the patch for OpenSSL#test_ctx_client_session_cb, but the test_ctx_server_session_cb fix is broken in my OSX environment (Mavericks).

Updated by vo.x (Vit Ondruch) over 9 years ago

  • Related to Bug #11366: Don't force SSLv3 in test, as it is insecure and may not be supported added

Updated by vo.x (Vit Ondruch) over 9 years ago

  • Status changed from Open to Closed

Resolved by r51650

Updated by vo.x (Vit Ondruch) over 9 years ago

Actually r51649 is the fix. Sorry for the noise.

Updated by nagachika (Tomoyuki Chikanaga) about 9 years ago

  • Backport changed from 2.0.0: UNKNOWN, 2.1: REQUIRED to 2.0.0: UNKNOWN, 2.1: REQUIRED, 2.2: DONE

Backported into ruby_2_2 branch at r52413.

Updated by usa (Usaku NAKAMURA) about 9 years ago

  • Backport changed from 2.0.0: UNKNOWN, 2.1: REQUIRED, 2.2: DONE to 2.0.0: UNKNOWN, 2.1: DONE, 2.2: DONE

ruby_2_1 r52637 merged revision(s) 49099.
