Project

General

Profile

Actions

Bug #10910

closed

NoMethodError when opening SSL connection with OpenSSL::SSL::VERIFY_PEER set and anonymous ciphers allowed

Added by Sinjo (Chris Sinjakli) about 9 years ago. Updated over 8 years ago.

Status:
Closed
Assignee:
-
Target version:
-
ruby -v:
ruby 2.3.0dev
[ruby-core:68330]

Description

When establishing an SSL connection with peer verification enabled, if the list of allowed ciphers includes an anonymous cipher, and negotiation with the server results in that cipher being used, a NoMethodError is raised with a stack trace like:

/Users/sinjo/rubies/2.1.3/lib/ruby/2.1.0/openssl/ssl.rb:99:in `verify_certificate_identity': undefined method `extensions' for nil:NilClass (NoMethodError)
        from /Users/sinjo/rubies/2.1.3/lib/ruby/2.1.0/openssl/ssl.rb:156:in `post_connection_check'
        from /Users/sinjo/rubies/2.1.3/lib/ruby/2.1.0/net/http.rb:922:in `connect'
        from /Users/sinjo/rubies/2.1.3/lib/ruby/2.1.0/net/http.rb:863:in `do_start'
        from /Users/sinjo/rubies/2.1.3/lib/ruby/2.1.0/net/http.rb:852:in `start'
        from ../test_ssl.rb:4:in `<main>'

This is because no certificate is returned when using an anonymous cipher, while the verification code which runs when OpenSSL::SSL::VERIFY_PEER is set expects one to be present.

I've attached a patch which fixes this. Let me know if there's anything you'd like me to change (happy to refactor, or alter the approach).

This behaviour is present in 2.0, 2.1, and 2.2.


Files

ssl_verify.patch (2.71 KB) ssl_verify.patch Sinjo (Chris Sinjakli), 02/26/2015 10:53 PM
update_libssl_on_travis.patch (821 Bytes) update_libssl_on_travis.patch Sinjo (Chris Sinjakli), 07/31/2015 10:59 AM
Actions #1

Updated by zzak (zzak _) about 9 years ago

  • Status changed from Open to Assigned
  • Assignee set to 7150

Updated by Sinjo (Chris Sinjakli) over 8 years ago

Just wondering what the status is on this one. I noticed it got assigned to the openssl group a few months back, but there's been no word since then.

Updated by tenderlovemaking (Aaron Patterson) over 8 years ago

  • Status changed from Assigned to Feedback

Hi,

When I apply just the test, it doesn't fail. Are you sure the bug is still present? If it's still present, can you make a test that fails without changes to the implementation?

Updated by Sinjo (Chris Sinjakli) over 8 years ago

Just rebased against trunk, and the test still fails on my machine if I remove the changes to ext/openssl/lib/openssl/ssl.rb.

For a little more context, I'm running the test on OS X Yosemite, linking against OpenSSL from Homebrew (version OpenSSL 1.0.2d 9 Jul 2015). I originally ran into this on Ubuntu 12.04, but I don't have that machine running any more, so I can't check the OpenSSL version.

One thing I just thought of is that ADH-AES256-GCM-SHA384 might not be available in all versions of OpenSSL. I'm not sure what would happen in that case, as I don't provide a fallback cipher in the tests with use_anon_cipher: true.

Updated by tenderlovemaking (Aaron Patterson) over 8 years ago

I see. I'm not sure what I did wrong because it seems to be behaving correctly now. Maybe I was running an older version of openssl. Anyway, the patch looks good to me. I just wish there was an easier way to get a list of the default ciphers other than allocating a new SSLContext object. I'll poke around and see what I can find, but other than that the patch looks good to me.

Updated by tenderlovemaking (Aaron Patterson) over 8 years ago

  • Status changed from Feedback to Assigned
Actions #7

Updated by Anonymous over 8 years ago

  • Status changed from Assigned to Closed

Applied in changeset r51409.


  • ext/openssl/lib/openssl/ssl.rb (module OpenSSL): raise a more
    helpful exception when verifying the peer connection and an
    anonymous cipher has been selected. [ruby-core:68330] [Bug #10910]
    Thanks to Chris Sinjakli for the patch.

  • test/openssl/test_ssl.rb (class OpenSSL): test for change

Updated by nobu (Nobuyoshi Nakada) over 8 years ago

  • Status changed from Closed to Open

Updated by tenderlovemaking (Aaron Patterson) over 8 years ago

Thanks, I'm taking a look.

On Thu, Jul 30, 2015 at 09:17:38AM +0000, wrote:

Issue #10910 has been updated by Nobuyoshi Nakada.

Status changed from Closed to Open

This has failed on travis.

https://travis-ci.org/ruby/ruby/builds/72882783


Bug #10910: NoMethodError when opening SSL connection with OpenSSL::SSL::VERIFY_PEER set and anonymous ciphers allowed
https://bugs.ruby-lang.org/issues/10910#change-53613

  • Author: Chris Sinjakli
  • Status: Open
  • Priority: Normal
  • Assignee: openssl
  • ruby -v: ruby 2.3.0dev
  • Backport: 2.0.0: REQUIRED, 2.1: REQUIRED, 2.2: REQUIRED

When establishing an SSL connection with peer verification enabled, if the list of allowed ciphers includes an anonymous cipher, and negotiation with the server results in that cipher being used, a NoMethodError is raised with a stack trace like:

/Users/sinjo/rubies/2.1.3/lib/ruby/2.1.0/openssl/ssl.rb:99:in `verify_certificate_identity': undefined method `extensions' for nil:NilClass (NoMethodError)
        from /Users/sinjo/rubies/2.1.3/lib/ruby/2.1.0/openssl/ssl.rb:156:in `post_connection_check'
        from /Users/sinjo/rubies/2.1.3/lib/ruby/2.1.0/net/http.rb:922:in `connect'
        from /Users/sinjo/rubies/2.1.3/lib/ruby/2.1.0/net/http.rb:863:in `do_start'
        from /Users/sinjo/rubies/2.1.3/lib/ruby/2.1.0/net/http.rb:852:in `start'
        from ../test_ssl.rb:4:in `<main>'

This is because no certificate is returned when using an anonymous cipher, while the verification code which runs when OpenSSL::SSL::VERIFY_PEER is set expects one to be present.

I've attached a patch which fixes this. Let me know if there's anything you'd like me to change (happy to refactor, or alter the approach).

This behaviour is present in 2.0, 2.1, and 2.2.

---Files--------------------------------
ssl_verify.patch (2.71 KB)

--
https://bugs.ruby-lang.org/

--
Aaron Patterson
http://tenderlovemaking.com/

Updated by Sinjo (Chris Sinjakli) over 8 years ago

Turns out Travis ships an old, apparently broken version of libssl. I've attached a patch which updates it before running the build. You can see the patch running on this build: https://travis-ci.org/Sinjo/ruby/builds/73534479

Updated by tenderlovemaking (Aaron Patterson) over 8 years ago

  • Status changed from Open to Closed

Thanks. I've applied the patch and the build is green now.

Actions #12

Updated by nagachika (Tomoyuki Chikanaga) over 8 years ago

  • Backport changed from 2.0.0: REQUIRED, 2.1: REQUIRED, 2.2: REQUIRED to 2.0.0: REQUIRED, 2.1: REQUIRED, 2.2: DONE

r51409 and r51453 were backported into ruby_2_2 branch at r51554.

Actions #13

Updated by usa (Usaku NAKAMURA) over 8 years ago

  • Backport changed from 2.0.0: REQUIRED, 2.1: REQUIRED, 2.2: DONE to 2.0.0: REQUIRED, 2.1: DONE, 2.2: DONE

ruby_2_1 r51608 merged revision(s) 51409,51453.
note: changed a little to get rid of conflicts.

Actions

Also available in: Atom PDF

Like0
Like0Like0Like0Like0Like0Like0Like0Like0Like0Like0Like0Like0Like0