Bug #13401 (closed)
OpenSSL::SSL::SSLSocket :hostname= accessor removed
Description
Hello. I've found a small issue, but it is important for security.
Some websites will force you to use SNI. For example "httpbin.org".
    openssl s_client -connect httpbin.org:443
    tlsv1 alert internal error
    openssl s_client -connect httpbin.org:443 -servername httpbin.org
    ok
    require "openssl"
    require "socket"

    HOST = "httpbin.org"

    # Subclass that writes the server name straight into the instance
    # variable the accessor used to be backed by; this is what stops
    # working on 2.4.
    class SSL < OpenSSL::SSL::SSLSocket
      def initialize *args
        super
        @hostname = HOST
      end
    end

    socket = TCPSocket.open HOST, 443
    begin
      ssl_socket = SSL.new socket, OpenSSL::SSL::SSLContext.new
      begin
        ssl_socket.connect
        puts "connected"
      ensure
        ssl_socket.close
      end
    ensure
      socket.close
    end
This code works fine with any ruby 2.0-2.3 and rubinius, but it fails with 2.4.0 and 2.4.1.
I can see that you've removed the accessor from lib/ruby/2.4.0/openssl/ssl.rb:
    if ExtConfig::HAVE_TLSEXT_HOST_NAME
      attr_reader :hostname
    end
ext/openssl/ossl_ssl.c:
    #ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME
    /* #hostname is defined in lib/openssl/ssl.rb */
    rb_define_method(cSSLSocket, "hostname=", ossl_ssl_set_hostname, 1);
    #endif
So we have to use self.hostname = HOST instead of @hostname = HOST.
Please document this new behaviour in documentation. Thank you.
Updated by nobu (Nobuyoshi Nakada) almost 7 years ago
- Status changed from Open to Assigned
- Assignee set to rhenium (Kazuki Yamaguchi)
Updated by rhenium (Kazuki Yamaguchi) almost 7 years ago
- Status changed from Assigned to Third Party's Issue
(Third Party's Issue since new bugs should go to https://github.com/ruby/openssl)
The accessor still exists, as you see, only if the OpenSSL library with which ext/openssl was compiled supports SNI. This has not changed. Setting the server name directly to the instance variable has never been documented or a proper way.
Updated by puchuu (Andrew Aladjev) almost 7 years ago
rhenium (Kazuki Yamaguchi) wrote:
    The accessor still exists, as you see, only if the OpenSSL library with which ext/openssl was compiled supports SNI. This has not changed. Setting the server name directly to the instance variable has never been documented or a proper way.
Hostname was an attr_accessor and @hostname= worked fine, but now there is an attr_reader and a separate :hostname= method. This change could break some applications. Please fix or add new info to the docs. Thank you.
Ok, I will report it to GitHub.