Backport #9640

Please backport SSL fixes to 2.1

Added by zeha (Christian Hofstaedtler) almost 6 years ago. Updated about 5 years ago.

Status: Closed
Priority: Normal
[ruby-core:61511]


Related issues

Related to Ruby master - Feature #9613: Warn about unsafe ossl ciphers (Open)
Related to Ruby master - Bug #9424: ruby 1.9 & 2.x has insecure SSL/TLS client defaults (Closed, 01/17/2014)

Associated revisions

Revision c8137d67
Added by nagachika (Tomoyuki Chikanaga) about 5 years ago

merge revision(s) r45274,r45278,r45280,r48097: [Backport #9424] [Backport #9640]

    * lib/openssl/ssl.rb: Explicitly whitelist the default
      SSL/TLS ciphers. Forbid SSLv2 and SSLv3, disable
      compression by default.
      Reported by Jeff Hodges.
      [ruby-core:59829] [Bug #9424]

    * test/openssl/test_ssl.rb: Reuse TLS default options from
      OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.

    * ext/openssl/lib/openssl/ssl.rb (DEFAULT_PARAMS): override
      options even if OpenSSL::SSL::OP_NO_SSLv3 is not defined.
      this is pointed out by Stephen Touset. [ruby-core:65711] [Bug #9424]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_1@48098 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

Revision 48098
Added by nagachika (Tomoyuki Chikanaga) about 5 years ago

merge revision(s) r45274,r45278,r45280,r48097: [Backport #9424] [Backport #9640]

* lib/openssl/ssl.rb: Explicitly whitelist the default
  SSL/TLS ciphers. Forbid SSLv2 and SSLv3, disable
  compression by default.
  Reported by Jeff Hodges.
  [ruby-core:59829] [Bug #9424]

* test/openssl/test_ssl.rb: Reuse TLS default options from
  OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.

* ext/openssl/lib/openssl/ssl.rb (DEFAULT_PARAMS): override
  options even if OpenSSL::SSL::OP_NO_SSLv3 is not defined.
  this is pointed out by Stephen Touset. [ruby-core:65711] [Bug #9424]

History

Updated by hsbt (Hiroshi SHIBATA) almost 6 years ago

It seems to break backward compatibility.

Updated by zzak (Zachary Scott) almost 6 years ago

  • Status changed from Open to Rejected

Please don't report issues here.

Also, there is already a ticket to discuss this patch in #9613

Updated by hsbt (Hiroshi SHIBATA) over 5 years ago

  • Status changed from Rejected to Open

zzak

You shouldn't change status of backport issue by yourself. It's branch maintainer's work.

Updated by naruse (Yui NARUSE) over 5 years ago

  • Related to Bug #9424: ruby 1.9 & 2.x has insecure SSL/TLS client defaults added

Updated by naruse (Yui NARUSE) over 5 years ago

Zachary Scott wrote:

> Please don't report issues here.

If the ticket is really a backport ticket, this is the correct place;
and this ticket is actually a backport ticket.

Updated by zzak (Zachary Scott) over 5 years ago

Sorry for the misunderstanding, I think we should discuss it on trunk first.

Also, I don’t believe the current patch (as-is) should be backported.

On Mar 17, 2014, at 7:09 PM, shibata.hiroshi@gmail.com wrote:

Issue #9640 has been updated by Hiroshi SHIBATA.

Status changed from Rejected to Open

zzak

You shouldn't change status of backport issue by yourself. It's branch maintainer's work.


Backport #9640: Please backport SSL fixes to 2.1
https://bugs.ruby-lang.org/issues/9640#change-45837

  • Author: Christian Hofstaedtler
  • Status: Open
  • Priority: Normal
  • Assignee:

Please backport the fixes for issue #9424 to 2.1.

https://bugs.ruby-lang.org/projects/ruby-trunk/repository/revisions/45274/diff/ext/openssl/lib/openssl/ssl.rb

--
http://bugs.ruby-lang.org/

Updated by reed (Reed Loden) about 5 years ago

Since the POODLE attack was released today (and is causing folks to generally disable SSLv3 everywhere), any possibility of getting the patch backported to a current stable release of Ruby so people can be protected against it and other problems?

Updated by nagachika (Tomoyuki Chikanaga) about 5 years ago

I thought before that it could not be backported because it seems to cause compatibility issues.
But now I feel the necessity to rethink it according to the change of circumstances (ex. POODLE).

I think users can protect themselves via configuration or by updating OpenSSL itself, not by the Ruby C extension library. Is it correct?

I think r45274 changes only default settings, so users who need SSLv3 or old ciphers have some workarounds (for example via Net::HTTP#ssl_version= or Net::HTTP#ciphers=). Is it correct?

Updated by usa (Usaku NAKAMURA) about 5 years ago

Tomoyuki Chikanaga wrote:

> But now I feel the necessity to rethink it according to the change of circumstances (ex. POODLE).

I feel so, too.

> I think users can protect themselves via configuration or by updating OpenSSL itself, not by the Ruby C extension library. Is it correct?

ext/openssl(/lib/openssl/ssl.rb) actually sets the default ciphers, so changing them in OpenSSL itself is meaningless for us.
Am I wrong?

> I think r45274 changes only default settings, so users who need SSLv3 or old ciphers have some workarounds (for example via Net::HTTP#ssl_version= or Net::HTTP#ciphers=). Is it correct?

Since net/http does not have the interface to change the ciphers at the moment, available workaround should be a complex monkey patch, I guess.

Updated by nagachika (Tomoyuki Chikanaga) about 5 years ago

> > I think users can protect themselves via configuration or by updating OpenSSL itself, not by the Ruby C extension library. Is it correct?
>
> ext/openssl(/lib/openssl/ssl.rb) actually sets the default ciphers, so changing them in OpenSSL itself is meaningless for us.
> Am I wrong?

Thank you for pointing that out. It seems that I misunderstood the point.
So I think we should backport the change.

> Since net/http does not have the interface to change the ciphers at the moment, available workaround should be a complex monkey patch, I guess.

Yes. But I think the workaround to do something potentially dangerous could be complicated. Users should know what they really to do.

Updated by usa (Usaku NAKAMURA) about 5 years ago

Tomoyuki Chikanaga wrote:

> Yes. But I think the workaround to do something potentially dangerous could be complicated. Users should know what they really to do.

Agreed.

So, the way to do is:

  • backport this patch
  • say "if you have some trouble, revert this patch by yourself at your own risk"

Updated by nagachika (Tomoyuki Chikanaga) about 5 years ago

  • Status changed from Open to Assigned
  • Assignee set to nagachika (Tomoyuki Chikanaga)

OK, I'll handle this ticket.
And I filled the 'Backport' field of #9424 too.

Updated by nagachika (Tomoyuki Chikanaga) about 5 years ago

  • Status changed from Assigned to Closed
  • % Done changed from 0 to 100

Applied in changeset r48098.


merge revision(s) r45274,r45278,r45280,r48097: [Backport #9424] [Backport #9640]

* lib/openssl/ssl.rb: Explicitly whitelist the default
  SSL/TLS ciphers. Forbid SSLv2 and SSLv3, disable
  compression by default.
  Reported by Jeff Hodges.
  [ruby-core:59829] [Bug #9424]

* test/openssl/test_ssl.rb: Reuse TLS default options from
  OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.

* ext/openssl/lib/openssl/ssl.rb (DEFAULT_PARAMS): override
  options even if OpenSSL::SSL::OP_NO_SSLv3 is not defined.
  this is pointed out by Stephen Touset. [ruby-core:65711] [Bug #9424]
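
An added example, not code from the Ruby patch or from this ticket: an application-side check for the three option-level protections the commit message names (SSLv2 and SSLv3 forbidden, compression disabled), with a helper that sets them on an `OpenSSL::SSL::SSLContext` when the running Ruby lacks the backport. The names `PROTECTIONS`, `option_flag`, `protection_mask`, `missing_protections` and `harden!` are hypothetical; option constants that an OpenSSL build does not define are skipped, since the commit message notes that `OpenSSL::SSL::OP_NO_SSLv3` may be undefined.

```ruby
require "openssl"

# Protections named in the commit message, mapped to the OpenSSL option
# constant that turns each one on (labels are this example's own).
PROTECTIONS = {
  "SSLv2 forbidden"      => :OP_NO_SSLv2,
  "SSLv3 forbidden"      => :OP_NO_SSLv3,
  "compression disabled" => :OP_NO_COMPRESSION,
}.freeze

# Value of an option constant, or 0 when this OpenSSL build does not define it.
def option_flag(name)
  OpenSSL::SSL.const_defined?(name) ? OpenSSL::SSL.const_get(name) : 0
end

# Bitmask of every protection flag available in this build.
def protection_mask
  PROTECTIONS.values.reduce(0) { |mask, name| mask | option_flag(name) }
end

# Labels of the protections that an options bitmask leaves switched off.
# Flags that are undefined or defined as 0 cannot be tested and are skipped.
def missing_protections(options)
  bits = options.to_i # an unset options value (nil) counts as 0
  PROTECTIONS.select { |_label, name|
    flag = option_flag(name)
    flag != 0 && (bits & flag).zero?
  }.keys
end

# Application-side hardening: OR the flags into the context's options,
# keeping whatever options were already set.
def harden!(ctx)
  ctx.options = ctx.options.to_i | protection_mask
  ctx
end

if __FILE__ == $PROGRAM_NAME
  ctx = OpenSSL::SSL::SSLContext.new
  puts "before: missing #{missing_protections(ctx.options).inspect}"
  harden!(ctx)
  puts "after:  missing #{missing_protections(ctx.options).inspect}"
end
```

This inspects option bits only, the mechanism the commit message describes. Where the openssl library restricts protocol versions through `SSLContext#min_version` instead, a missing `OP_NO_SSLv3` bit does not by itself mean SSLv3 is enabled.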
