Bug #12324
closed
Support OpenSSL 1.1.0 (and drop support for 0.9.6/0.9.7)
Description
The last beta for OpenSSL 1.1.0 (1.1.0-pre5) was released a week ago. According to OpenSSL's website[1], OpenSSL 1.1.0 final will be released on 2016-05-12.
OpenSSL 1.1.0 introduces many many compatibility breaking changes[2][3] but they are almost done and I think we can start work on it.
Also, I think we can drop support for ancient (-0.9.7) versions of OpenSSL. This can save many compatibility macros (about 700 lines). Considering the last official release is over 9 years ago (2007-02-23) and even 0.9.8/1.0.0 series are no longer supported[1], there should be no reason to continue supporting them. In fact builds with OpenSSL 0.9.7 are already broken since r40461 (2013-04-25, Ruby 2.1.0) but it looks like nobody noticed it. (I personally think all unsupported versions should be removed but 0.9.8 is unfortunately still widely used...)
[1] https://www.openssl.org/policies/releasestrat.html
[2] https://www.openssl.org/news/openssl-1.1.0-notes.html
[3] https://www.openssl.org/news/changelog.html
I found some incompatibilities in OpenSSL 1.1.0 which affect Ruby-world API:
- SSL_CTX_set_tmp_ecdh_callback() is removed
OpenSSL::SSL::SSLContext#tmp_ecdh_callback (exists in Ruby 2.3, [Feature #11356]) breaks. This is used to enable ECDH and specify the curve to be used.
OpenSSL 1.0.2 and later provide SSL_CTX_set1_curves_list(). This sets the "supported (named) curves" and OpenSSL selects the most appropriate curve from the list. The automatic selection is enabled by SSL_CTX_set_ecdh_auto() on 1.0.2. It is always enabled on 1.1.0.
Summarizing... ECDH is enabled:
- OpenSSL 1.1.0: always.
- OpenSSL 1.0.2, LibreSSL 2.3: if SSL_CTX_set_ecdh_auto() is called.
- OpenSSL -1.0.2, LibreSSL 2.3: if SSL_CTX_set_tmp_ecdh{_callback,}() is called.
The curve to be used is:
- OpenSSL 1.0.2/1.1.0: automatically selected by OpenSSL, if enabled. The "supported curves" can be changed by SSL_CTX_set1_curves{_list,}().
- LibreSSL 2.3: automatically selected if enabled. The list can't be changed.
- OpenSSL -1.0.2, LibreSSL 2.3: set by SSL_CTX_set_tmp_ecdh{_callback,}().
In my patch, I deprecated it (rb_warn() on SSLContext#setup) and added SSLContext#set_ecdh_curves:
- OpenSSL 1.0.2/1.1.0: wraps SSL_CTX_set1_curves_list()
- OpenSSL -1.0.1, LibreSSL 2.3: wraps SSL_CTX_set_tmp_ecdh() (so only 1 curve can be set)
    # assume the client supports P-224 and P-521
    ctx = OpenSSL::SSL::SSLContext.new
    ctx.set_ecdh_curves "P-384:P-224:P-521"
    svr = OpenSSL::SSL::SSLServer.new(sock, ctx)
    svr.accept # will use P-224
- Accessors for OpenSSL::PKey::{DH,DSA,RSA}'s parameters/keys
Since most structures of OpenSSL are made opaque, we can no longer set these values directly. OpenSSL 1.1.0 provides setter functions (e.g. DH_set0_key()) but they are not equivalent; they require setting all relevant values at the same time. For example, such code (4 usages in tests) is no longer possible:
    dh = OpenSSL::PKey::DH.new(File.read("dhparams.pem"))
    dh.priv_key = OpenSSL::BN.new("000..")
In my patch I deprecated them and added XX#set_XXX methods (such as DH#set_key, which sets pub_key and priv_key).
    dh = OpenSSL::PKey::DH.new(File.read("dhparams.pem"))
    dh.set_key(OpenSSL::BN.new("000.."), # pub_key
               OpenSSL::BN.new("000..")) # priv_key
This is not beautiful but it looks like there is no other way for this...
- Security level
Please see the manpage SSL_CTX_set_security_level(3):
https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_security_level.html
OpenSSL 1.1.0 introduces "security level", which disables insecure settings, such as insecure ciphers, depending on the level. The default level is 1 and this means:
The security level corresponds to a minimum of 80 bits of security. Any parameters offering below 80 bits of security are excluded. As a result RSA, DSA and DH keys shorter than 1024 bits and ECC keys shorter than 160 bits are prohibited. All export ciphersuites are prohibited since they all offer less than 80 bits of security. SSL version 2 is prohibited. Any ciphersuite using MD5 for the MAC is also prohibited.
(from 1.1.0-pre5 doc)
New methods would be essential. Actually this breaks many tests which use aNULL cipher suites.
I added SSLContext#security_level and SSLContext#security_level= in my patch.
Here is my try. Because of the amount of OpenSSL changes, almost all .c files had to be modified. Roughly split into 38 commits:
https://github.com/ruby/ruby/compare/trunk...rhenium:feature/openssl-110-v1
(the attached gzip'ed is the same)
This includes:
- Add check for SSL_CTX_clear_options(), which doesn't exist in OpenSSL 0.9.8l and older.
- Drop support for 0.9.7.
- Remove OPENSSL_NO_HMAC support as it has never worked.
- Deprecate (rb_warn()ing) SSLContext#tmp_ecdh_callback and add SSL::SSLContext#set_ecdh_curves method.
- Deprecate parameters/keys setter for PKey::DH, PKey::RSA and PKey::DSA, and add PKey::XX#set_XXX methods.
- Add SSL::SSLContext#security_level and #security_level=.
- Test fixes for open-uri and rubygems (regenerate the test certificates; they are incorrectly created and OpenSSL 1.1.0 starts to complain about it).
This compiles and tests pass with the following versions (on my Linux/gcc environment):
- 0.9.8zh
- 1.0.0t
- 1.0.1s
- 1.0.2g
- OpenSSL master
- LibreSSL 2.3.3
Note that this doesn't compile with 1.1.0-pre5; OpenSSL GH-975 is required (already in master and the 1.1.0 final will include this).
https://github.com/openssl/openssl/pull/975
The patch is far from perfect - I'm not sure about the new methods and also probably there are bugs.
Any comments are welcome, I'll update the patch.
Thanks,
Files
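The security-level behaviour described in the post above, as an added example that is not part of the original post or of the patch: it sets SSLContext#security_level= (the setter named in the post) and shows which RSA key sizes OpenSSL accepts when the certificate is loaded. It assumes Ruby's openssl extension built against OpenSSL 1.1.0 or later; the helper names and the certificate subject are constructed for the demo.

```ruby
require "openssl"

# Build a throwaway self-signed certificate for the given RSA key.
# The subject name is a constructed sample value.
def self_signed_cert(key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=seclevel-demo")
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Returns true if an SSLContext at the given security level accepts the
# certificate/key pair, false if OpenSSL refuses it during setup.
def accepted_at_level?(level, cert, key)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.security_level = level # wraps SSL_CTX_set_security_level()
  ctx.cert = cert
  ctx.key = key
  ctx.setup # loading the certificate triggers the key-size check
  true
rescue OpenSSL::SSL::SSLError
  false
end

# Try a weak (512-bit) and a strong (2048-bit) RSA key at several levels.
# Keys of the result hash are [key_bits, security_level].
def security_level_matrix
  result = {}
  { 512 => [0, 1], 2048 => [1, 2] }.each do |bits, levels|
    key = OpenSSL::PKey::RSA.new(bits)
    cert = self_signed_cert(key)
    levels.each { |lvl| result[[bits, lvl]] = accepted_at_level?(lvl, cert, key) }
  end
  result
end

if $PROGRAM_NAME == __FILE__
  security_level_matrix.each do |(bits, lvl), ok|
    puts format("RSA-%-4d level %d: %s", bits, lvl, ok ? "accepted" : "rejected")
  end
end
```

Level 0 restores the pre-1.1.0 behaviour, which is why test suites that rely on short keys or aNULL suites have to lower the level explicitly.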
Updated by mcr (Michael Richardson) over 8 years ago
I tried your git tree, at: commit 7085ed6411718538c0f47f8281b9089d21d4426d
I did have openssl-pre5 installed, which failed, and I installed from openssl master and rebuilt ruby again, did an rvm mount on the results, and I got:
    ext-ruby-2.4-ssl :004 > OpenSSL::PKey::EC.builtin_curves.include?(['X25519','X25519'])
     => true
so that totally looks right, and I now can play with the new IRTF CFRG curve...
Updated by mcr (Michael Richardson) over 8 years ago
Please see gist: https://gist.github.com/mcr/73e10792abd529c5f53562ed275b7c1b
(I could remove the rake/rails stuff around it if you like)
with X25519 selected as the curve, I get:
    %rake highway:selfsigned
    rake aborted!
    OpenSSL::X509::CertificateError: EVP lib
    /corp/projects/pandora/highway/lib/tasks/cert.rake:53:in `sign'
    /corp/projects/pandora/highway/lib/tasks/cert.rake:53:in `block (2 levels) in '
    /home/mcr/.rvm/gems/ext-ruby-2.4-ssl/bin/ruby_executable_hooks:15:in `eval'
    /home/mcr/.rvm/gems/ext-ruby-2.4-ssl/bin/ruby_executable_hooks:15:in `'
    Tasks: TOP => highway:selfsigned
With the secp112r1 curve, I get a good certificate generated:
    % openssl x509 -in db/cert/vendor_secp112r1.crt -noout -text
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 1 (0x1)
        Signature Algorithm: ecdsa-with-SHA256
        ...
            ASN1 OID: secp112r1
I'm investigating generating the certificate with the openssl ca driver, to help isolate it as an openssl vs ruby integration issue.
Updated by rhenium (Kazuki Yamaguchi) over 8 years ago
It's because X25519 is an algorithm for key exchange. Ed25519, the corresponding (sharing the elliptic curve) signature scheme, is not yet implemented in OpenSSL. There are tickets but it looks like nobody is working on it at the moment.
https://rt.openssl.org/Ticket/Display.html?id=4077
https://github.com/openssl/openssl/issues/487
Updated by rhenium (Kazuki Yamaguchi) over 8 years ago
- File patches-v2.tar.gz added
- File interdiff-v1-v2.patch added
I made v2 of the patch:
https://github.com/ruby/ruby/compare/trunk...rhenium:feature/openssl-110-v2
Changes:
- Re-ordered commits in more meaningful order (and squashed some small commits).
  I'm so sorry if you already started reviewing. I also attach the interdiff (this is small).
- When using with an older OpenSSL, make OpenSSL::SSL::SSLContext#security_level= raise NotImplementedError if the argument is not 0.
The patches 01-05 are small cleanups/fixes.
- [01/35] ext/openssl: check if SSL_CTX_clear_options() is available
- [02/35] ext/openssl: fix ex_data handling for X509_STORE
- [03/35] ext/openssl: always use our implementation of SSL_SESSION_cmp()
- [04/35] ext/openssl: no need to check OPENSSL_FIPS in extconf.rb
- [05/35] ext/openssl: remove 'extern "C" { }' blocks
06 drops OpenSSL -0.9.7 support.
- [06/35] ext/openssl: drop support for OpenSSL 0.9.6/0.9.7
Then 07 removes OPENSSL_NO_HMAC support which has been broken for years.
- [07/35] ext/openssl: drop support for OPENSSL_NO_HMAC
08-14 handle removed / deprecated functions.
- [08/35] ext/openssl: include openssl/asn1.h instead of openssl/asn1_mac.h
- [09/35] ext/openssl: avoid deprecated BN primes functions
- [10/35] ext/openssl: disable OpenSSL::Random.pseudo_bytes if deprecated
- [11/35] ext/openssl: d2i_ASN1_BOOLEAN is removed
- [12/35] ext/openssl: avoid using deprecated protocol version specific methods
- [13/35] ext/openssl: SSL_state() is removed
- [14/35] ext/openssl: setting locking callbacks is no longer needed
15-24 fix compilation errors by replacing direct struct accesses with accessor functions.
- [15/35] ext/openssl: use EVP_CIPHER_CTX_{new,free} to allocate EVP_CIPHER_CTX
- [16/35] ext/openssl: use HMAC_CTX_{new,free,reset} to allocate HMAC_CTX
- [17/35] ext/openssl: use EVP_MD_CTX_new() to allocate EVP_MD_CTX
- [18/35] ext/openssl: OCSP_SINGLERESP and OCSP_CERTID are also made opaque
- [19/35] ext/openssl: BIGNUM and BN_GENCB is made opaque
- [20/35] ext/openssl: SSL_SESSION is made opaque
- [21/35] ext/openssl: use *_up_ref() functions
- [22/35] ext/openssl: X509* are made opaque
- [25/35] ext/openssl: use SSL_CTX_get_ciphers()
- [24/35] ext/openssl: EVP_PKEY, DH, DSA, RSA, EC_KEY are made opaque
Now it compiles. The patch 24 (↑) and 25-28 contain Ruby-land changes.
- [25/35] ext/openssl: add SSLContext#security_level, #security_level=
- [26/35] ext/openssl: add SSLContext#set_ecdh_curves
- [27/35] ext/openssl: remove SHA, DSS, DSS1 if using OpenSSL 1.1.0
- [28/35] ext/openssl: ENGINE.cleanup is no-op in OpenSSL 1.1.0
The next is TODO, I think this is a bug in OpenSSL.
- [29/35] ext/openssl: avoid SEGV on Cipher.new("ChaCha20-Poly1305")
30-35 fix some test cases that are affected by OpenSSL's changes.
- [30/35] test/openssl: DSA256 is prohibited with security_level=1
- [31/35] test/openssl: X25519 doesn't support signing
- [32/35] test/openssl: fix test_server_session to dup the session
- [33/35] test/openssl: don't test default session timeout
- [34/35] test/open-uri: regenerate test certificates
- [35/35] test/rubygems: regenerate certificates
Updated by naruse (Yui NARUSE) over 8 years ago
- Status changed from Open to Assigned
- Assignee set to matz (Yukihiro Matsumoto)
I think you become a committer and commit it by yourself. (and maintain it)
Updated by zzak (zzak _) over 8 years ago
I'm happy for your help with Ruby's OpenSSL!
This is a rather large change, and would like to see it land in the (To Be Released) openssl gem:
https://github.com/ruby/openssl
If you're interested, I can give you commit to the openssl gem repo as well.
Updated by naruse (Yui NARUSE) over 8 years ago
Zachary Scott wrote:
I'm happy for your help with Ruby's OpenSSL!
This is a rather large change, and would like to see it land in the (To Be Released) openssl gem:
https://github.com/ruby/openssl
If you're interested, I can give you commit to the openssl gem repo as well.
@zzak (zzak _) Could you explain to him (or add an explanation to README.rd of ruby/openssl) the relation and status between the openssl gem and the Ruby repo?
Updated by rhenium (Kazuki Yamaguchi) over 8 years ago
Updated by vo.x (Vit Ondruch) over 8 years ago
even 0.9.8/1.0.0 series are no longer supported[1]
If I am not mistaken, 0.9.8 is still part of RHEL5/CentOS5 and they are still supported, although not by upstream.
Updated by rhenium (Kazuki Yamaguchi) over 8 years ago
Vit Ondruch wrote:
even 0.9.8/1.0.0 series are no longer supported[1]
If I am not mistaken, 0.9.8 is still part of RHEL5/CentOS5 and they are still supported, although not by upstream.
Yes, that's exactly why I didn't drop them in this series, and it didn't reduce code greatly compared to dropping 0.9.6/0.9.7.
Updated by rhenium (Kazuki Yamaguchi) over 8 years ago
- File patches-v3.tar.gz added
- File interdiff-v2-v3.patch added
Patch v3. It looks like OpenSSL 1.1.0 is delaying...
https://github.com/ruby/ruby/compare/trunk...rhenium:feature/openssl-110-v3
Changes:
- Rebased to apply atop trunk.
- [03/36] is new: I noticed OpenSSL::X509::Attribute#value= segfaults if the passed argument is bad.
- Fixed my broken [v2 22/35]. It was not covered by test.
Updated by rhenium (Kazuki Yamaguchi) over 8 years ago
Can I have SVN access?
I'd love to help improving/maintaining Ruby and ext/openssl. Several of my patches including openssl-related and non-openssl-related, have landed with the help of @nobu (Nobuyoshi Nakada) and @nurse. I was planning to send more patches, but it would be nice if I can commit without bothering other committers.
Updated by hsbt (Hiroshi SHIBATA) over 8 years ago
I added this issue to agenda of developer meeting at next week.
https://bugs.ruby-lang.org/projects/ruby/wiki/DevelopersMeeting20160517Japan
Please wait a few days.
Updated by rhenium (Kazuki Yamaguchi) over 8 years ago
Hiroshi SHIBATA wrote:
I added this issue to agenda of developer meeting at next week.
https://bugs.ruby-lang.org/projects/ruby/wiki/DevelopersMeeting20160517Japan
Please wait a few days.
Thanks!
Updated by matz (Yukihiro Matsumoto) over 8 years ago
OK, you can be a committer. Follow the instruction in:
- https://bugs.ruby-lang.org/projects/ruby/wiki/CommitterHowto
- https://bugs.ruby-lang.org/projects/ruby/wiki/CommitterHowtoJa
Matz.
Updated by rhenium (Kazuki Yamaguchi) over 8 years ago
Thanks, I will.
Updated by hsbt (Hiroshi SHIBATA) over 8 years ago
- Assignee changed from matz (Yukihiro Matsumoto) to rhenium (Kazuki Yamaguchi)
I added commit-bit to Kazuki Yamaguchi-san few weeks ago.
Please do apply your proposal by yourself.
Updated by Anonymous over 8 years ago
- Status changed from Assigned to Closed
Applied in changeset r55282.
openssl: check existence of RAND_pseudo_bytes()
- ext/openssl/extconf.rb: Check if RAND_pseudo_bytes() is usable. It is
  marked as deprecated in OpenSSL 1.1.0.
  [ruby-core:75225] [Feature #12324]
- ext/openssl/ossl_rand.c: Disable Random.pseudo_bytes if
  RAND_pseudo_bytes() is unavailable.
- test/openssl/test_random.rb: Don't test Random.pseudo_bytes if not
  defined.
Updated by terceiro (Antonio Terceiro) over 8 years ago
- Tracker changed from Feature to Bug
- Backport set to 2.1: UNKNOWN, 2.2: UNKNOWN, 2.3: UNKNOWN
Hi, would it be possible to have a backport of this for Ruby 2.3? Debian 9 will be released with Ruby 2.3, and we will probably need to build against OpenSSL 1.1.0 between now and then.
Updated by rhenium (Kazuki Yamaguchi) over 8 years ago
This is based on r55162 (openssl: drop OpenSSL 0.9.6/0.9.7 support) so backporting 1.1.0 support is not so simple.
Perhaps Debian should disable ext/openssl and bundle openssl gem (though not yet released)?
Updated by terceiro (Antonio Terceiro) over 8 years ago
Kazuki Yamaguchi wrote:
This is based on r55162 (openssl: drop OpenSSL 0.9.6/0.9.7 support) so backporting 1.1.0 support is not so simple.
well, openssl 0.9.x is long gone from all supported Debian releases, so including that would not be a problem for Debian, but I understand why it could be an issue for Ruby 2.3 upstream. So if I take that, would I be able to also take the other patches and form a Debian-specific OpenSSL 1.1.0 support patch?
Perhaps Debian should disable ext/openssl and bundle openssl gem (though not yet released)?
That would be even better, but it's not clear to me what's the status of that standalone openssl package, e.g. is it a safe drop-in replacement from the openssl bundled with the interpreter? Do you have any pointers?
Updated by normalperson (Eric Wong) about 8 years ago
k@rhe.jp wrote:
Feature #12324: Support OpenSSL 1.1.0 (and drop support for 0.9.6/0.9.7)
https://bugs.ruby-lang.org/issues/12324
rhe: did you commit all of these?
I notice SSL_CTX_clear_options is still missing on an ancient
CentOS 5.x machine with 0.9.8e. Thanks.
Updated by rhenium (Kazuki Yamaguchi) about 8 years ago
On Sat, Dec 17, 2016 at 01:31:12AM +0000, Eric Wong wrote:
k@rhe.jp wrote:
Feature #12324: Support OpenSSL 1.1.0 (and drop support for 0.9.6/0.9.7)
https://bugs.ruby-lang.org/issues/12324
rhe: did you commit all of these?
I notice SSL_CTX_clear_options is still missing on an ancient
CentOS 5.x machine with 0.9.8e. Thanks.
I dropped that patch. I found the OpenSSL 0.9.8e package in RHEL/CentOS
5 has backported SSL_CTX_clear_options() as part of CVE-2009-3555 fix,
and no one except them would use < 0.9.8m anymore.
Updated by normalperson (Eric Wong) about 8 years ago
Kazuki Yamaguchi k@rhe.jp wrote:
On Sat, Dec 17, 2016 at 01:31:12AM +0000, Eric Wong wrote:
k@rhe.jp wrote:
Feature #12324: Support OpenSSL 1.1.0 (and drop support for 0.9.6/0.9.7)
https://bugs.ruby-lang.org/issues/12324
rhe: did you commit all of these?
I notice SSL_CTX_clear_options is still missing on an ancient
CentOS 5.x machine with 0.9.8e. Thanks.
I dropped that patch. I found the OpenSSL 0.9.8e package in RHEL/CentOS
5 has backported SSL_CTX_clear_options() as part of CVE-2009-3555 fix,
and no one except them would use < 0.9.8m anymore.
Thanks for the response. I'll work with my sysadmins and see
if they're willing to upgrade OpenSSL; but they may not :<
If they are not, would you be willing to add
SSL_CTX_clear_options? I could carry the patch myself, but
maybe there are other ancient places who don't patch :<
Fwiw, I recommend using functions with custom name to emulate
missing functions, and #define to the official name:
    static unsigned long
    rb_SSL_CTX_clear_options(SSL_CTX *ctx, unsigned long op)
    {
        return ctx->options &= ~op;
    }
    #define SSL_CTX_clear_options(ctx,op) rb_SSL_CTX_clear_options((ctx),(op))
It makes debugging easier since the internal symbol name won't
conflict with the official version.
Thanks.
Updated by rhenium (Kazuki Yamaguchi) about 8 years ago
On Sat, Dec 17, 2016 at 09:09:49AM +0000, Eric Wong wrote:
Kazuki Yamaguchi k@rhe.jp wrote:
On Sat, Dec 17, 2016 at 01:31:12AM +0000, Eric Wong wrote:
k@rhe.jp wrote:
Feature #12324: Support OpenSSL 1.1.0 (and drop support for 0.9.6/0.9.7)
https://bugs.ruby-lang.org/issues/12324
rhe: did you commit all of these?
I notice SSL_CTX_clear_options is still missing on an ancient
CentOS 5.x machine with 0.9.8e. Thanks.
I dropped that patch. I found the OpenSSL 0.9.8e package in RHEL/CentOS
5 has backported SSL_CTX_clear_options() as part of CVE-2009-3555 fix,
and no one except them would use < 0.9.8m anymore.
Thanks for the response. I'll work with my sysadmins and see
if they're willing to upgrade OpenSSL; but they may not :<
If they are not, would you be willing to add
SSL_CTX_clear_options? I could carry the patch myself, but
maybe there are other ancient places who don't patch :<
I'm fine with adding if it helps. I don't want to imagine such systems
with 6 years unpatched OpenSSL, though.
I've added to the GitHub repository now:
https://github.com/ruby/openssl/commit/fd2ea0c41d55f3d0b34edb1d25c673bc004f6913
Will import to trunk in a few days together with a few more minor bug fixes.
Updated by normalperson (Eric Wong) about 8 years ago
Kazuki Yamaguchi k@rhe.jp wrote:
I'm fine with adding if it helps. I don't want to imagine such systems
with 6 years unpatched OpenSSL, though.
I've added to the GitHub repository now:
Thanks! Yeah, security is an afterthought, for me :<