Issue #12324 has been updated by Kazuki Yamaguchi.

File patches-v2.tar.gz added
File interdiff-v1-v2.patch added

I made v2 of the patch:

https://github.com/ruby/ruby/compare/trunk...rhenium:feature/openssl-110-v2

Changes:

- Re-ordered commits in more meaningful order (and squashed some small commits).

    I'm so sorry if you already started reviewing. I also attach the interdiff (this is small).

- When using with an older OpenSSL, make OpenSSL::SSL::SSLContext#security_level= raise NotImplementedError if the argument is not 0.

---

The patches 01-05 are small cleanups/fixes.

- [01/35] ext/openssl: check if SSL_CTX_clear_options() is available
- [02/35] ext/openssl: fix ex_data handling for X509_STORE
- [03/35] ext/openssl: always use our implementation of SSL_SESSION_cmp()
- [04/35] ext/openssl: no need to check OPENSSL_FIPS in extconf.rb
- [05/35] ext/openssl: remove 'extern "C" { }' blocks

06 drops OpenSSL -0.9.7 support.

- [06/35] ext/openssl: drop support for OpenSSL 0.9.6/0.9.7

Then 07 removes OPENSSL_NO_HMAC support which has been broken for years.

- [07/35] ext/openssl: drop support for OPENSSL_NO_HMAC

08-14 handle removed / deprecated functions.

- [08/35] ext/openssl: include openssl/asn1.h instead of openssl/asn1_mac.h
- [09/35] ext/openssl: avoid deprecated BN primes functions
- [10/35] ext/openssl: disable OpenSSL::Random.pseudo_bytes if deprecated
- [11/35] ext/openssl: d2i_ASN1_BOOLEAN is removed
- [12/35] ext/openssl: avoid using deprecated protocol version specific methods
- [13/35] ext/openssl: SSL_state() is removed
- [14/35] ext/openssl: setting locking callbacks is no longer needed

15-24 fix compilation errors by replacing direct struct accesses with accessor functions.

- [15/35] ext/openssl: use EVP_CIPHER_CTX_{new,free} to allocate EVP_CIPHER_CTX
- [16/35] ext/openssl: use HMAC_CTX_{new,free,reset} to allocate HMAC_CTX
- [17/35] ext/openssl: use EVP_MD_CTX_new() to allocate EVP_MD_CTX
- [18/35] ext/openssl: OCSP_SINGLERESP and OCSP_CERTID are also made opaque
- [19/35] ext/openssl: BIGNUM and BN_GENCB is made opaque
- [20/35] ext/openssl: SSL_SESSION is made opaque
- [21/35] ext/openssl: use *_up_ref() functions
- [22/35] ext/openssl: X509* are made opaque
- [25/35] ext/openssl: use SSL_CTX_get_ciphers()
- [24/35] ext/openssl: EVP_PKEY, DH, DSA, RSA, EC_KEY are made opaque

Now it compiles. The patch 24 () and 25-28 contain Ruby-land changes.

- [25/35] ext/openssl: add SSLContext#security_level, #security_level=
- [26/35] ext/openssl: add SSLContext#set_ecdh_curves
- [27/35] ext/openssl: remove SHA, DSS, DSS1 if using OpenSSL 1.1.0
- [28/35] ext/openssl: ENGINE.cleanup is no-op in OpenSSL 1.1.0

The next is TODO, I think this is a bug in OpenSSL.

- [29/35] ext/openssl: avoid SEGV on Cipher.new("ChaCha20-Poly1305")

30-35 fix some test cases that are affected by OpenSSL's changes.

- [30/35] test/openssl: DSA256 is prohibited with security_level=1
- [31/35] test/openssl: X25519 doesn't support signing
- [32/35] test/openssl: fix test_server_session to dup the session
- [33/35] test/openssl: don't test default session timeout
- [34/35] test/open-uri: regenerate test certificates
- [35/35] test/rubygems: regenerate certificates


----------------------------------------
Feature #12324: Support OpenSSL 1.1.0 (and drop support for 0.9.6/0.9.7)
https://bugs.ruby-lang.org/issues/12324#change-58490

* Author: Kazuki Yamaguchi
* Status: Open
* Priority: Normal
* Assignee: 
----------------------------------------
The last beta for OpenSSL 1.1.0 (1.1.0-pre5) was released a week ago. According to OpenSSL's website[1], OpenSSL 1.1.0 final will be released on 2016-05-12.
OpenSSL 1.1.0 introduces many many compatibility breaking changes[2][3] but they are almost done and I think we can start work on it.

Also, I think we can drop support for ancient (-0.9.7) versions of OpenSSL. This can save many compatibility macros (about 700 lines). Considering the last official release is over 9 years ago (2007-02-23) and even 0.9.8/1.0.0 series are no longer supported[1], there should be no reason to continue supporting them. In fact builds with OpenSSL 0.9.7 are already broken since r40461 (2013-04-25, Ruby 2.1.0) but it looks like nobody noticed it. (I personally think all unsupported versions should be removed but 0.9.8 is unfortunately still widely used...)

[1] https://www.openssl.org/policies/releasestrat.html
[2] https://www.openssl.org/news/openssl-1.1.0-notes.html
[3] https://www.openssl.org/news/changelog.html

---

I found some incompatibilities in OpenSSL 1.1.0 which affect Ruby-world API:

- SSL_CTX_set_tmp_ecdh_callback() is removed

    OpenSSL::SSL::SSLContext#tmp_ecdh_callback (exists in Ruby 2.3, [Feature #11356]) breaks. This is used to enable ECDH and specify the curve to be used.
    OpenSSL 1.0.2 and later provide SSL_CTX_set1_curves_list(). This sets the "supported (named) curves" and OpenSSL selects the most appropriate curve from the list. The automatic selection is enabled by SSL_CTX_set_ecdh_auto() on 1.0.2. It is always enabled on 1.1.0.

    Summarizing... ECDH is enabled:

    - OpenSSL 1.1.0: always.
    - OpenSSL 1.0.2, LibreSSL 2.3: if SSL_CTX_set_ecdh_auto() is called.
    - OpenSSL -1.0.2, LibreSSL 2.3: if SSL_CTX_set_tmp_ecdh{_callback,}() is called.

    The curve to be used is:

    - OpenSSL 1.0.2/1.1.0: automatically selected by OpenSSL, if enabled. The "supported curves" can be changed by SSL_CTX_set1_curves{_list,}().
    - LibreSSL 2.3: automatically selected if enabled. The list can't be changed.
    - OpenSSL -1.0.2, LibreSSL 2.3: set by SSL_CTX_set_tmp_ecdh{_callback,}().


    In my patch, I made this deprecated (rb_warn() on SSLContext#setup) and added SSLContext#set_ecdh_curves:

    - OpenSSL 1.0.2/1.1.0: wraps SSL_CTX_set1_curves_list()
    - OpenSSL -1.0.1, LibreSSL 2.3: wraps SSL_CTX_set_tmp_ecdh() (so only 1 curve can be set)

    ~~~ruby
    # assume the client supports P-224 and P-521
    ctx = OpenSSL::SSL::SSLContext.new
    ctx.set_ecdh_curves "P-384:P-224:P-521"
    svr = OpenSSL::SSL::SSLServer.new(sock, ctx)
    svr.accept # will use P-224
    ~~~

- Accessors for OpenSSL::PKey::{DH,DSA,RSA}'s parameters/keys

    Since most structures of OpenSSL are made opaque, we can no longer set these values directly. OpenSSL 1.1.0 provides setter functions (e.g. DH_set0_key()) but they are not equivalent; they require setting all relevant values at the same time. For example, such code (4 usages in tests) is no longer possible:

    ~~~ruby
    dh = OpenSSL::PKey::DH.new(File.read("dhparams.pem"))
    dh.priv_key = OpenSSL::BN.new("000..")
    ~~~

    In my patch I deprecated them and added XX#set_XXX methods (such as DH#set_key, which sets pub_key and priv_key).

    ~~~ruby
    dh = OpenSSL::PKey::DH.new(File.read("dhparams.pem"))
    dh.set_key(OpenSSL::BN.new("000.."), # pub_key
               OpenSSL::BN.new("000..")) # priv_key
    ~~~

    This is not beautiful but it looks like there is no other way for this...

- Security level

    Please see the manpage SSL_CTX_set_security_level(3):

    https://www.openssl.org/docs/manmaster/ssl/SSL_CTX_set_security_level.html

    OpenSSL 1.1.0 introduces "security level", which disables insecure settings, such as insecure ciphers, depending on the level. The default level is 1 and this means:

    > The security level corresponds to a minimum of 80 bits of security. Any parameters offering below 80 bits of security are excluded. As a result RSA, DSA and DH keys shorter than 1024 bits and ECC keys shorter than 160 bits are prohibited. All export ciphersuites are prohibited since they all offer less than 80 bits of security. SSL version 2 is prohibited. Any ciphersuite using MD5 for the MAC is also prohibited.
    > (from 1.1.0-pre5 doc)

    New methods would be essential. Actually this breaks many tests which use aNULL cipher suites.

    I added SSLContext#security_level and SSLContext#security_level= in my patch.

---

Here is my try. Because of the amount of OpenSSL changes, almost all .c files had to be modified. Roughly split into 38 commits:

https://github.com/ruby/ruby/compare/trunk...rhenium:feature/openssl-110-v1
(the attached gzip'ed is the same)

This includes:

- Add check for SSL_CTX_clear_options(), which doesn't exist in OpenSSL 0.9.8l and older.
- Drop support for 0.9.7.
- Remove OPENSSL_NO_HMAC support as it has never worked.
- Deprecate (rb_warn()ing) SSLContext#tmp_ecdh_callback and add SSL::SSLContext#set_ecdh_curves method.
- Deprecate parameters/keys setter for PKey::DH, PKey::RSA and PKey::DSA, and add PKey::XX#set_XXX methods.
- Add SSL::SSLContext#security_level and #security_level=.
- Test fixes for open-uri and rubygems (regenerate the test certificates; they are incorrectly created and OpenSSL 1.1.0 starts to complain about it).


This compiles and tests pass with the following versions (on my Linux/gcc environment):

- 0.9.8zh
- 1.0.0t
- 1.0.1s
- 1.0.2g
- OpenSSL master
- LibreSSL 2.3.3

Note that this doesn't compile with 1.1.0-pre5; OpenSSL GH-975 is required (already in master and the 1.1.0 final will include this).
https://github.com/openssl/openssl/pull/975

The patch is far from perfect - I'm not sure about the new methods and also probably there are bugs.

Any comments are welcome, I'll update the patch.

Thanks,

---Files--------------------------------
patches-v1.tar.gz (81.4 KB)
patches-v2.tar.gz (79.9 KB)
interdiff-v1-v2.patch (13.4 KB)


-- 
https://bugs.ruby-lang.org/
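
Added example, not part of the original message or of the patch set: it shows the effect of the security level quoted above (level 1 prohibits RSA keys shorter than 1024 bits) through SSLContext#security_level=. It assumes Ruby's openssl extension is linked against OpenSSL 1.1.0 or later; the helper names `self_signed` and `accepted_at_level?` and the certificate subject are hypothetical.

```ruby
require "openssl"

# Build a throwaway self-signed certificate with an RSA key of the given size.
# Subject name, serial and validity period are constructed sample values.
def self_signed(bits)
  key = OpenSSL::PKey::RSA.new(bits)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=security-level-demo")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Returns true if an SSLContext at the given security level accepts the
# certificate/key pair, false if OpenSSL rejects it.
def accepted_at_level?(level, cert, key)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.security_level = level   # applied to the underlying SSL_CTX immediately
  ctx.cert = cert
  ctx.key = key
  ctx.setup                    # the certificate is loaded, and checked, here
  true
rescue OpenSSL::SSL::SSLError
  false
end

if __FILE__ == $PROGRAM_NAME
  [512, 1024].each do |bits|
    cert, key = self_signed(bits)
    [0, 1].each do |level|
      verdict = accepted_at_level?(level, cert, key) ? "accepted" : "rejected"
      puts "RSA-#{bits} at security level #{level}: #{verdict}"
    end
  end
end
```

Test fixtures that rely on short keys need `security_level = 0` set explicitly on the context, which keeps the weakening visible in the test rather than in the library defaults.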
