[DRE-commits] [ruby-httpclient] 01/01: add 0003-fix-ssl-config.patch. Thanks Tomasz Buchert
Cédric Boutillier
boutil at moszumanska.debian.org
Thu Nov 27 17:55:51 UTC 2014
This is an automated email from the git hooks/post-receive script.
boutil pushed a commit to branch master
in repository ruby-httpclient.
commit 9234f313478f9340215a45bc6fcac5c9a62572b3
Author: Cédric Boutillier <boutil at debian.org>
Date: Thu Nov 27 11:17:35 2014 +0100
add 0003-fix-ssl-config.patch. Thanks Tomasz Buchert
---
debian/changelog | 9 +++++
debian/patches/0003-fix-ssl-config.patch | 64 ++++++++++++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 74 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index f4689b7..0ce7c0a 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+ruby-httpclient (2.3.3-3.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix default SSL configuration (Closes: #768673)
+ The patch 0003-fix-ssl-config.patch extracted from upstream code is
+ added to set the default SSL configuration to auto instead of SSLv3.
+
+ -- Tomasz Buchert <tomasz.buchert at inria.fr> Wed, 26 Nov 2014 18:59:26 +0100
+
ruby-httpclient (2.3.3-3) unstable; urgency=medium
* fix-port-allocation-in-tests.patch: fix port allocation for servers
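Review bot: the entry only says the default moves from SSLv3 to auto, but the patch it introduces also sets OP_NO_SSLv2, OP_NO_SSLv3 and (where defined) OP_NO_COMPRESSION in the default `@options`; that deserves a line here, because an application that explicitly keeps `ssl_version = "SSLv3"` will now fail to negotiate against the disabled protocol, and anything comparing `cfg.options` with the old `OP_ALL | OP_NO_SSLv2` value breaks. The upstream commit id is recorded only in the patch header; repeating it in the changelog would help anyone tracking the backport.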
diff --git a/debian/patches/0003-fix-ssl-config.patch b/debian/patches/0003-fix-ssl-config.patch
new file mode 100644
index 0000000..ed50c5b
--- /dev/null
+++ b/debian/patches/0003-fix-ssl-config.patch
@@ -0,0 +1,64 @@
+Description: Change default SSL configuration
+ The POODLE attack (https://en.wikipedia.org/wiki/POODLE) deprecated the use
+ of SSLv3 protocol. We change the default configuration to autodetection
+ and try to explicitly disable SSLv2 and SSLv3, preferring TLS protocol suites
+ instead.
+ This patch is a minimal adaptation of a commit in the project's upstream:
+ https://github.com/nahi/httpclient/commit/90d5c791c941c72521784dc4ea8eed60987800da
+
+--- a/lib/httpclient/ssl_config.rb
++++ b/lib/httpclient/ssl_config.rb
+@@ -34,7 +34,13 @@
+ class SSLConfig
+ include OpenSSL if SSLEnabled
+
+- # String name of OpenSSL's SSL version method name: SSLv2, SSLv23 or SSLv3
++ # Which TLS protocol version (also called method) will be used. Defaults
++ # to :auto which means that OpenSSL decides (In my tests this resulted
++ # with always the highest available protocol being used).
++ # String name of OpenSSL's SSL version method name: TLSv1_2, TLSv1_1, TLSv1,
++ # SSLv2, SSLv23, SSLv3 or :auto (and nil) to allow version negotiation (default).
++ # See {OpenSSL::SSL::SSLContext::METHODS} for a list of available versions
++ # in your specific Ruby environment.
+ attr_reader :ssl_version
+ # OpenSSL::X509::Certificate:: certificate for SSL client authenticateion.
+ # nil by default. (no client authenticateion)
+@@ -83,8 +89,13 @@
+ @verify_callback = nil
+ @dest = nil
+ @timeout = nil
+- @ssl_version = "SSLv3"
+- @options = defined?(SSL::OP_ALL) ? SSL::OP_ALL | SSL::OP_NO_SSLv2 : nil
++ @ssl_version = :auto
++ # Follow ruby-ossl's definition
++ @options = OpenSSL::SSL::OP_ALL
++ @options &= ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS if defined?(OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS)
++ @options |= OpenSSL::SSL::OP_NO_COMPRESSION if defined?(OpenSSL::SSL::OP_NO_COMPRESSION)
++ @options |= OpenSSL::SSL::OP_NO_SSLv2 if defined?(OpenSSL::SSL::OP_NO_SSLv2)
++ @options |= OpenSSL::SSL::OP_NO_SSLv3 if defined?(OpenSSL::SSL::OP_NO_SSLv3)
+ # OpenSSL 0.9.8 default: "ALL:!ADH:!LOW:!EXP:!MD5:+SSLv2:@STRENGTH"
+ @ciphers = "ALL:!aNULL:!eNULL:!SSLv2" # OpenSSL >1.0.0 default
+ @cacerts_loaded = false
+@@ -283,7 +294,7 @@
+ ctx.timeout = @timeout
+ ctx.options = @options
+ ctx.ciphers = @ciphers
+- ctx.ssl_version = @ssl_version
++ ctx.ssl_version = @ssl_version unless @ssl_version == :auto
+ end
+
+ # post connection check proc for ruby < 1.8.5.
+--- a/test/test_ssl.rb
++++ b/test/test_ssl.rb
+@@ -33,7 +33,10 @@
+ assert_equal(OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT, cfg.verify_mode)
+ assert_nil(cfg.verify_callback)
+ assert_nil(cfg.timeout)
+- assert_equal(OpenSSL::SSL::OP_ALL | OpenSSL::SSL::OP_NO_SSLv2, cfg.options)
++ expected_options = OpenSSL::SSL::OP_ALL | OpenSSL::SSL::OP_NO_SSLv2 | OpenSSL::SSL::OP_NO_SSLv3
++ expected_options &= ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS if defined?(OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS)
++ expected_options |= OpenSSL::SSL::OP_NO_COMPRESSION if defined?(OpenSSL::SSL::OP_NO_COMPRESSION)
++ assert_equal(expected_options, cfg.options)
+ assert_equal("ALL:!aNULL:!eNULL:!SSLv2", cfg.ciphers)
+ assert_instance_of(OpenSSL::X509::Store, cfg.cert_store)
+ end
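Review bot: in the `@@ -83,8 +89,13 @@` hunk of ssl_config.rb, the removed line guarded the constant lookup with `defined?(SSL::OP_ALL) ? ... : nil`, but the replacement `@options = OpenSSL::SSL::OP_ALL` is unconditional while every flag that follows is still wrapped in `defined?`; when OpenSSL is not loadable (the class only does `include OpenSSL if SSLEnabled`) this raises NameError in the constructor instead of leaving `@options` nil, so either keep the guard or state that OpenSSL is now required. Two smaller points: the new comment says `:auto (and nil)` both mean version negotiation, yet the setter hunk only skips `unless @ssl_version == :auto`, so a nil still reaches `ctx.ssl_version=`; and in test_ssl.rb `expected_options` ORs in `OP_NO_SSLv3` unconditionally while the implementation guards it with `defined?`, so on an OpenSSL build lacking that constant the test fails rather than mirroring the code.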
diff --git a/debian/patches/series b/debian/patches/series
index bd3aa20..a8ebd90 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
0001-Remove-Hash-element-order-dependency.patch
fix-port-allocation-in-tests.patch
+0003-fix-ssl-config.patch
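Review bot: the new entry returns to numbered names (`0001-`, `0003-`) around the unnumbered `fix-port-allocation-in-tests.patch`, leaving a gap at 0002; either scheme works, but using one consistently in the series file keeps the apply order obvious.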
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-ruby-extras/ruby-httpclient.git