Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Set TLS ciphers list correcty on older OpenSSL #3093

Merged
merged 1 commit into from
Aug 4, 2020
+38 −7
Merged

Set TLS ciphers list correcty on older OpenSSL #3093

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
11 changes: 4 additions & 7 deletions lib/fluent/plugin_helper/cert_option.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,13 +27,9 @@ def cert_option_create_context(version, insecure, ciphers, conf)
cert, key, extra = cert_option_server_validate!(conf)

ctx = OpenSSL::SSL::SSLContext.new
unless insecure
# inject OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
# https://bugs.ruby-lang.org/issues/9424
ctx.set_params({})

ctx.ciphers = ciphers
end
# inject OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
# https://bugs.ruby-lang.org/issues/9424
ctx.set_params({}) unless insecure

if conf.client_cert_auth
ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
Expand All @@ -56,6 +52,7 @@ def cert_option_create_context(version, insecure, ciphers, conf)
end

Fluent::TLS.set_version_to_context(ctx, version, conf.min_version, conf.max_version)
ctx.ciphers = ciphers unless insecure

ctx
end
Expand Down
34 changes: 34 additions & 0 deletions test/plugin_helper/test_server.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1233,6 +1233,40 @@ def assert_certificate(cert, expected_extensions)
waiting(10){ sleep 0.1 until received.bytesize == 8 }
assert_equal "yay\nfoo\n", received
end

test 'set ciphers' do
cert_path = File.join(@server_cert_dir, "cert.pem")
private_key_path = File.join(@certs_dir, "server.key.pem")
create_server_pair_signed_by_self(cert_path, private_key_path, nil)
tls_options = {
protocol: :tls,
version: :TLSv1_2,
ciphers: 'SHA256',
insecure: false,
cert_path: cert_path,
private_key_path: private_key_path,
}
conf = @d.server_create_transport_section_object(tls_options)
ctx = @d.cert_option_create_context(conf.version, conf.insecure, conf.ciphers, conf)
matched = false
ctx.ciphers.each do |cipher|
cipher_name, tls_version = cipher
# OpenSSL 1.0.2: "TLSv1/SSLv3"
# OpenSSL 1.1.1: "TLSv1.2"
if tls_version == "TLSv1/SSLv3" || tls_version == "TLSv1.2"
matched = true
unless cipher_name.match(/#{conf.ciphers}/)
matched = false
break
end
end
end

error_msg = build_message("Unexpected ciphers for #{conf.version}",
"<?>\nwas expected to include only <?> ciphers for #{conf.version}",
ctx.ciphers, conf.ciphers)
assert(matched, error_msg)
end
end
end

Expand Down