Merge pull request #3093 from ashie/fix-ciphers

Set TLS ciphers list correcty on older OpenSSL
fluent · Aug 4, 2020 · d35c2a1 · d35c2a1
2 parents 17aae56 + 4de4893
commit d35c2a1
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 7 deletions.
diff --git a/lib/fluent/plugin_helper/cert_option.rb b/lib/fluent/plugin_helper/cert_option.rb
@@ -27,13 +27,9 @@ def cert_option_create_context(version, insecure, ciphers, conf)
         cert, key, extra = cert_option_server_validate!(conf)
 
         ctx = OpenSSL::SSL::SSLContext.new
-        unless insecure
-          # inject OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
-          # https://bugs.ruby-lang.org/issues/9424
-          ctx.set_params({})
-
-          ctx.ciphers = ciphers
-        end
+        # inject OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
+        # https://bugs.ruby-lang.org/issues/9424
+        ctx.set_params({}) unless insecure
 
         if conf.client_cert_auth
           ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
@@ -56,6 +52,7 @@ def cert_option_create_context(version, insecure, ciphers, conf)
         end
 
         Fluent::TLS.set_version_to_context(ctx, version, conf.min_version, conf.max_version)
+        ctx.ciphers = ciphers unless insecure
 
         ctx
       end

diff --git a/test/plugin_helper/test_server.rb b/test/plugin_helper/test_server.rb
@@ -1233,6 +1233,40 @@ def assert_certificate(cert, expected_extensions)
         waiting(10){ sleep 0.1 until received.bytesize == 8 }
         assert_equal "yay\nfoo\n", received
       end
+
+      test 'set ciphers' do
+        cert_path = File.join(@server_cert_dir, "cert.pem")
+        private_key_path = File.join(@certs_dir, "server.key.pem")
+        create_server_pair_signed_by_self(cert_path, private_key_path, nil)
+        tls_options = {
+          protocol: :tls,
+          version: :TLSv1_2,
+          ciphers: 'SHA256',
+          insecure: false,
+          cert_path: cert_path,
+          private_key_path: private_key_path,
+        }
+        conf = @d.server_create_transport_section_object(tls_options)
+        ctx = @d.cert_option_create_context(conf.version, conf.insecure, conf.ciphers, conf)
+        matched = false
+        ctx.ciphers.each do |cipher|
+          cipher_name, tls_version = cipher
+          # OpenSSL 1.0.2: "TLSv1/SSLv3"
+          # OpenSSL 1.1.1: "TLSv1.2"
+          if tls_version == "TLSv1/SSLv3" || tls_version == "TLSv1.2"
+            matched = true
+            unless cipher_name.match(/#{conf.ciphers}/)
+              matched = false
+              break
+            end
+          end
+        end
+
+        error_msg = build_message("Unexpected ciphers for #{conf.version}",
+                                  "<?>\nwas expected to include only <?> ciphers for #{conf.version}",
+                                  ctx.ciphers, conf.ciphers)
+        assert(matched, error_msg)
+      end
     end
   end