Bug #11724

With SNI, the hostname is not sent to the server when the session was invalid

Added by usa (Usaku NAKAMURA) almost 4 years ago. Updated over 3 years ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
[ruby-dev:49376]

Description

Judging from https://github.com/ruby/ruby/pull/964, this one is also a rather painful bug, so I think it needs a backport.

That said, while this fix certainly does repair the "SNI doesn't work in net/http" problem, I think the part that is actually wrong is ext/openssl, so I strongly feel that that is what should be fixed instead.
Also, there are no tests.
So I'll leave this as Closed, but I'd like to do something about it (or have something done) before backporting.


Related issues

Related to Ruby master - Bug #11401: Net::HTTP SSL session resumption does not send SNI (Closed)
Related to Ruby master - Bug #10398: Server Name Indication support broken when reusing a (dead) session (Closed)

Associated revisions

Revision 43739c72
Added by nagachika (Tomoyuki Chikanaga) almost 4 years ago

merge revision(s) 52682: [Backport #11401] [Backport #11724]

    * lib/net/http.rb: set hostname before calling ossl_ssl_set_session.
      [Bug #11401][ruby-core:70152][fix GH-964] Patch by @mkarnebeek

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_2@52785 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

Revision 52785
Added by nagachika (Tomoyuki Chikanaga) almost 4 years ago

merge revision(s) 52682: [Backport #11401] [Backport #11724]

    * lib/net/http.rb: set hostname before calling ossl_ssl_set_session.
      [Bug #11401][ruby-core:70152][fix GH-964] Patch by @mkarnebeek

Revision 61a3fff6
Added by rhe over 3 years ago

openssl: move SSLSocket#initialize to C extension

  • ext/openssl/lib/openssl/ssl.rb (SSLSocket): Move the implementation of
    SSLSocket#initialize to C. Initialize the SSL (OpenSSL object) in it.
    Currently this is delayed until ossl_ssl_setup(), which is called from
    SSLSocket#accept or #connect. Say we call SSLSocket#hostname= with an
    illegal value. We expect an exception to be raised in #hostname= but
    actually we get it in the later SSLSocket#connect. Because the SSL is
    not ready at #hostname=, the actual call of SSL_set_tlsext_host_name()
    is also delayed.
    This also fixes: [ruby-dev:49376] [Bug #11724]

  • ext/openssl/ossl_ssl.c (ossl_ssl_initialize): Added. Almost the same
    as the Ruby version but this instantiates the SSL object at the same
    time.
    (ossl_ssl_setup): Adjust to the changes. Just set the underlying IO to
    the SSL.
    (ssl_started): Added. Make use of SSL_get_fd(). This returns -1 if not
    yet set by SSL_set_fd().
    (ossl_ssl_data_get_struct): Removed. Now GetSSL() checks that the SSL
    exists.
    (ossl_ssl_set_session): Don't call ossl_ssl_setup() here as now the
    SSL is already instantiated in #initialize.
    (ossl_ssl_shutdown, ossl_start_ssl, ossl_ssl_read_internal,
    ossl_ssl_write_internal, ossl_ssl_stop, ossl_ssl_get_cert,
    ossl_ssl_get_peer_cert, ossl_ssl_get_peer_cert_chain,
    ossl_ssl_get_version, ossl_ssl_get_cipher, ossl_ssl_get_state,
    ossl_ssl_pending, ossl_ssl_session_reused,
    ossl_ssl_get_verify_result, ossl_ssl_get_client_ca_list,
    ossl_ssl_npn_protocol, ossl_ssl_alpn_protocol, ossl_ssl_tmp_key): Use
    GetSSL() instead of ossl_ssl_data_get_struct(). Use ssl_started().
    (Init_ossl_ssl): Add method declarations of SSLSocket#{initialize,
    hostname=}.

  • ext/openssl/ossl_ssl.h (GetSSL): Check that the SSL is not NULL. It
    should not be NULL because we now set it in #initialize.

  • ext/openssl/ossl_ssl_session.c (ossl_ssl_session_initialize): No need
    to check if the SSL is NULL.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@55191 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

Revision 55191
Added by rhenium (Kazuki Yamaguchi) over 3 years ago

openssl: move SSLSocket#initialize to C extension

  • ext/openssl/lib/openssl/ssl.rb (SSLSocket): Move the implementation of
    SSLSocket#initialize to C. Initialize the SSL (OpenSSL object) in it.
    Currently this is delayed until ossl_ssl_setup(), which is called from
    SSLSocket#accept or #connect. Say we call SSLSocket#hostname= with an
    illegal value. We expect an exception to be raised in #hostname= but
    actually we get it in the later SSLSocket#connect. Because the SSL is
    not ready at #hostname=, the actual call of SSL_set_tlsext_host_name()
    is also delayed.
    This also fixes: [ruby-dev:49376] [Bug #11724]

  • ext/openssl/ossl_ssl.c (ossl_ssl_initialize): Added. Almost the same
    as the Ruby version but this instantiates the SSL object at the same
    time.
    (ossl_ssl_setup): Adjust to the changes. Just set the underlying IO to
    the SSL.
    (ssl_started): Added. Make use of SSL_get_fd(). This returns -1 if not
    yet set by SSL_set_fd().
    (ossl_ssl_data_get_struct): Removed. Now GetSSL() checks that the SSL
    exists.
    (ossl_ssl_set_session): Don't call ossl_ssl_setup() here as now the
    SSL is already instantiated in #initialize.
    (ossl_ssl_shutdown, ossl_start_ssl, ossl_ssl_read_internal,
    ossl_ssl_write_internal, ossl_ssl_stop, ossl_ssl_get_cert,
    ossl_ssl_get_peer_cert, ossl_ssl_get_peer_cert_chain,
    ossl_ssl_get_version, ossl_ssl_get_cipher, ossl_ssl_get_state,
    ossl_ssl_pending, ossl_ssl_session_reused,
    ossl_ssl_get_verify_result, ossl_ssl_get_client_ca_list,
    ossl_ssl_npn_protocol, ossl_ssl_alpn_protocol, ossl_ssl_tmp_key): Use
    GetSSL() instead of ossl_ssl_data_get_struct(). Use ssl_started().
    (Init_ossl_ssl): Add method declarations of SSLSocket#{initialize,
    hostname=}.

  • ext/openssl/ossl_ssl.h (GetSSL): Check that the SSL is not NULL. It
    should not be NULL because we now set it in #initialize.

  • ext/openssl/ossl_ssl_session.c (ossl_ssl_session_initialize): No need
    to check if the SSL is NULL.
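The two fixes above come down to one ordering hazard: net/http assigned `session=` before `hostname=`, and the old ext/openssl only pushed the hostname into the SSL object while setting up for `session=`, so a client that reused a stale session never sent SNI at all. The script below is an added example, not code from this report or from the ruby/openssl project: it starts a loopback TLS server whose `servername_cb` records the SNI name offered in each ClientHello (OpenSSL does not invoke that callback when the extension is absent) and echoes it back, then connects with peer and hostname verification on, first freshly and then twice more against a "restarted" server (same certificate, fresh `SSLContext`, so the saved session is dead there) using each assignment order. `HOST`, `SNI_NAME` and every function name are the example's own; on a Ruby carrying r52682 and r55191 the server reports the SNI name in all three cases.

```ruby
require 'openssl'
require 'socket'

HOST = '127.0.0.1'            # loopback only; SNI_NAME is never resolved
SNI_NAME = 'sni.example.test' # constructed name, used for SNI and the cert CN

# Throwaway RSA key and self-signed certificate for the local test server.
def make_self_signed_cert(cn)
  key = OpenSSL::PKey::RSA.generate(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# TLS server on an ephemeral loopback port. It records the SNI name offered in
# each ClientHello (OpenSSL only runs servername_cb when SNI is present), echoes
# that name back as one line, and closes. Returns [port, thread].
def start_sni_echo_server(key, cert, accepts)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key = key
  seen = {}
  ctx.servername_cb = proc { |ssl_sock, name| seen[ssl_sock] = name; nil }
  tcp = TCPServer.new(HOST, 0)
  server = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  thread = Thread.new do
    accepts.times do
      conn = server.accept
      conn.puts(seen[conn] || '<no SNI>')
      conn.close
    end
    server.close
  end
  [tcp.local_address.ip_port, thread]
end

# One client connection with peer and hostname verification enabled.
# `session` is an OpenSSL::SSL::Session to offer (nil for none) and
# `hostname_first` picks the order of hostname= and session=; the reversed
# order is the one net/http used before r52682. Returns [sni_seen, session].
def tls_connect(port, cert, session: nil, hostname_first: true)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.verify_hostname = true
  ctx.cert_store = OpenSSL::X509::Store.new.tap { |s| s.add_cert(cert) }
  sock = OpenSSL::SSL::SSLSocket.new(TCPSocket.new(HOST, port), ctx)
  sock.sync_close = true
  if hostname_first
    sock.hostname = SNI_NAME
    sock.session = session if session
  else
    sock.session = session if session
    sock.hostname = SNI_NAME
  end
  sock.connect
  line = sock.gets.to_s.chomp # also consumes any TLS 1.3 session ticket
  sess = sock.session
  sock.close
  [line, sess]
end

# Three handshakes: a fresh one, then two that offer the now-stale session to a
# "restarted" server (same certificate, new SSLContext, so the session is
# unknown there) with each assignment order. Returns the SNI seen per case.
def run_demo
  key, cert = make_self_signed_cert(SNI_NAME)
  port_a, thread_a = start_sni_echo_server(key, cert, 1)
  fresh_sni, stale_session = tls_connect(port_a, cert)
  thread_a.join
  port_b, thread_b = start_sni_echo_server(key, cert, 2)
  ordered_sni, _ = tls_connect(port_b, cert, session: stale_session, hostname_first: true)
  reversed_sni, _ = tls_connect(port_b, cert, session: stale_session, hostname_first: false)
  thread_b.join
  { fresh: fresh_sni, stale_hostname_first: ordered_sni, stale_session_first: reversed_sni }
end

run_demo.each { |label, sni| puts "#{label}: server saw SNI #{sni.inspect}" }
```

Because the server only learns the name from the ClientHello, `<no SNI>` in any line is the symptom this ticket describes; a regression test for the backport can be built from the same pieces by asserting that every case reports `SNI_NAME`.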

History

#1

Updated by usa (Usaku NAKAMURA) almost 4 years ago

  • Is duplicate of Bug #11401: Net::HTTP SSL session resumption does not send SNI added

#2

Updated by nagachika (Tomoyuki Chikanaga) almost 4 years ago

With r52785 I have backported r52682 to ruby_2_2 for now, but since changes to openssl are planned, I'm leaving the Backport field as it is.

#3

Updated by usa (Usaku NAKAMURA) almost 4 years ago

  • Subject changed from backport r52682 to With SNI, the hostname is not sent to the server when the session was invalid
  • Status changed from Closed to Open

Rather, since the problem is not solved in ext/openssl, I'll leave this open.

#4

Updated by usa (Usaku NAKAMURA) almost 4 years ago

  • Is duplicate of deleted (Bug #11401: Net::HTTP SSL session resumption does not send SNI)

#5

Updated by usa (Usaku NAKAMURA) almost 4 years ago

  • Related to Bug #11401: Net::HTTP SSL session resumption does not send SNI added

#6

Updated by Anonymous over 3 years ago

  • Status changed from Open to Closed

Applied in changeset r55191.

#7

Updated by rhenium (Kazuki Yamaguchi) about 3 years ago

  • Related to Bug #10398: Server Name Indication support broken when reusing a (dead) session added
