Project

General

Profile

Actions

Backport #9640

closed

Please backport SSL fixes to 2.1

Added by zeha (Christian Hofstaedtler) over 10 years ago. Updated about 10 years ago.



Related issues 2 (1 open1 closed)

Related to Ruby master - Feature #9613: Warn about unsafe ossl ciphersOpenActions
Related to Ruby master - Bug #9424: ruby 1.9 & 2.x has insecure SSL/TLS client defaults Closednagachika (Tomoyuki Chikanaga)01/17/2014Actions

Updated by hsbt (Hiroshi SHIBATA) over 10 years ago

It seems to break backward compatibility.

Updated by zzak (zzak _) over 10 years ago

  • Status changed from Open to Rejected

Please Don't report issues here.

Also, there is already a ticket to discuss this patch in #9613

Updated by hsbt (Hiroshi SHIBATA) over 10 years ago

  • Status changed from Rejected to Open

zzak

You shouldn't change status of backport issue by yourself. It's branch maintainer's work.

Updated by naruse (Yui NARUSE) over 10 years ago

Updated by naruse (Yui NARUSE) over 10 years ago

  • Related to Bug #9424: ruby 1.9 & 2.x has insecure SSL/TLS client defaults added

Updated by naruse (Yui NARUSE) over 10 years ago

Zachary Scott wrote:

Please Don't report issues here.

If the ticket is really backport ticket, here is correct place;
and this ticket is actually a backport ticket.

Updated by zzak (zzak _) over 10 years ago

Sorry for the misunderstanding, I think we should discuss it on trunk first.

Also, I don’t believe the current patch (as-is) should be backported.

On Mar 17, 2014, at 7:09 PM, wrote:

Issue #9640 has been updated by Hiroshi SHIBATA.

Status changed from Rejected to Open

zzak

You shouldn't change status of backport issue by yourself. It's branch maintainer's work.


Backport #9640: Please backport SSL fixes to 2.1
https://bugs.ruby-lang.org/issues/9640#change-45837

  • Author: Christian Hofstaedtler
  • Status: Open
  • Priority: Normal
  • Assignee:

Please backport the fixes for issue #9424 to 2.1.

https://bugs.ruby-lang.org/projects/ruby-trunk/repository/revisions/45274/diff/ext/openssl/lib/openssl/ssl.rb

--
http://bugs.ruby-lang.org/

Updated by reed (Reed Loden) about 10 years ago

Since the POODLE attack was released today (and is causing folks to generally disable SSLv3 everywhere), any possibility of getting the patch backported to a current stable release of Ruby so people can be protected against it and other problems?

Updated by nagachika (Tomoyuki Chikanaga) about 10 years ago

I thought before it cannot be backported because it seems to cause compatibility issues.
But now I feel the necessity of rethink about it according to the change of circumstance (ex. POODLE).

I think users can protect themselves via configuration or update OpenSSL itself, not the by ruby C extension library. Is it correct?

I think r45274 changes only default settings, so users who need SSLv3 or old ciphers have some workarounds, for example via Net::HTTP#ssl_version= or Net::HTTP#ciphers=). Is it correct?

Updated by usa (Usaku NAKAMURA) about 10 years ago

Tomoyuki Chikanaga wrote:

But now I feel the necessity of rethink about it according to the change of circumstance (ex. POODLE).

I feel so, too.

I think users can protect themselves via configuration or update OpenSSL itself, not the by ruby C extension library. Is it correct?

ext/openssl(/lib/openssl/ssl.rb) actually sets the default of chiphers, so changing them of OpenSSL itself is meaningless about us.
Am I wrong?

I think r45274 changes only default settings, so users who need SSLv3 or old ciphers have some workarounds, for example via Net::HTTP#ssl_version= or Net::HTTP#ciphers=). Is it correct?

Since net/http does not have the interface to change the ciphers at the moment, available workaround should be a complex monkey patch, I guess.

Updated by nagachika (Tomoyuki Chikanaga) about 10 years ago

I think users can protect themselves via configuration or update OpenSSL itself, not the by ruby C extension library. Is it correct?

ext/openssl(/lib/openssl/ssl.rb) actually sets the default of chiphers, so changing them of OpenSSL itself is meaningless about us.
Am I wrong?

Thank you for pointing out that. It seems that I misunderstood about the point.
So I think we should backport the change.

Since net/http does not have the interface to change the ciphers at the moment, available workaround should be a complex monkey patch, I guess.

Yes. But I think the workaround to do something potentially dangerous could be complicated. Users should know what they really to do.

Updated by usa (Usaku NAKAMURA) about 10 years ago

Tomoyuki Chikanaga wrote:

Yes. But I think the workaround to do something potentially dangerous could be complicated. Users should know what they really to do.

agreed.

So, the way to do is:

  • backport this patch
  • say "if you have some trouble, revert this patch by yourself in your own risk"

Updated by nagachika (Tomoyuki Chikanaga) about 10 years ago

  • Status changed from Open to Assigned
  • Assignee set to nagachika (Tomoyuki Chikanaga)

OK, I'll handle this ticket.
And I filled the 'Backport' field of #9424 too.

Updated by nagachika (Tomoyuki Chikanaga) about 10 years ago

  • Status changed from Assigned to Closed
  • % Done changed from 0 to 100

Applied in changeset r48098.


merge revision(s) r45274,r45278,r45280,r48097: [Backport #9424] [Backport #9640]

* lib/openssl/ssl.rb: Explicitly whitelist the default
  SSL/TLS ciphers. Forbid SSLv2 and SSLv3, disable
  compression by default.
  Reported by Jeff Hodges.
  [ruby-core:59829] [Bug #9424]

* test/openssl/test_ssl.rb: Reuse TLS default options from
  OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.

* ext/openssl/lib/openssl/ssl.rb (DEFAULT_PARAMS): override
  options even if OpenSSL::SSL::OP_NO_SSLv3 is not defined.
  this is pointed out by Stephen Touset. [ruby-core:65711] [Bug #9424]
Actions

Also available in: Atom PDF

Like0
Like0Like0Like0Like0Like0Like0Like0Like0Like0Like0Like0Like0Like0Like0