Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Updates for OpenSSL 3 #2800

Merged
merged 1 commit into from Jan 22, 2022
Merged

Updates for OpenSSL 3 #2800

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
7 changes: 5 additions & 2 deletions ext/puma_http11/extconf.rb
View file
Open in desktop
Expand Up @@ -33,11 +33,14 @@
have_func "SSL_CTX_set_min_proto_version(NULL, 0)", "openssl/ssl.h"

have_func "X509_STORE_up_ref"
have_func("SSL_CTX_set_ecdh_auto(NULL, 0)", "openssl/ssl.h")
have_func "SSL_CTX_set_ecdh_auto(NULL, 0)" , "openssl/ssl.h"

# below are yes for 3.0.0 & later, use for OpenSSL 3 detection
have_func "SSL_get1_peer_certificate" , "openssl/ssl.h"

# Random.bytes available in Ruby 2.5 and later, Random::DEFAULT deprecated in 3.0
if Random.respond_to?(:bytes)
$defs.push("-DHAVE_RANDOM_BYTES")
$defs.push "-DHAVE_RANDOM_BYTES"
puts "checking for Random.bytes... yes"
else
puts "checking for Random.bytes... no"
Expand Down
20 changes: 17 additions & 3 deletions ext/puma_http11/mini_ssl.c
View file
Open in desktop
Expand Up @@ -49,6 +49,7 @@ const rb_data_type_t engine_data_type = {
0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
};

#ifndef HAVE_SSL_GET1_PEER_CERTIFICATE
DH *get_dh2048() {
/* `openssl dhparam -C 2048`
* -----BEGIN DH PARAMETERS-----
Expand Down Expand Up @@ -119,6 +120,7 @@ DH *get_dh2048() {

return dh;
}
#endif

static void
sslctx_free(void *ptr) {
Expand Down Expand Up @@ -209,7 +211,9 @@ sslctx_initialize(VALUE self, VALUE mini_ssl_ctx) {
int ssl_options;
VALUE key, cert, ca, verify_mode, ssl_cipher_filter, no_tlsv1, no_tlsv1_1,
verification_flags, session_id_bytes, cert_pem, key_pem;
#ifndef HAVE_SSL_GET1_PEER_CERTIFICATE
DH *dh;
#endif
BIO *bio;
X509 *x509;
EVP_PKEY *pkey;
Expand Down Expand Up @@ -317,9 +321,6 @@ sslctx_initialize(VALUE self, VALUE mini_ssl_ctx) {
SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL@STRENGTH");
}

dh = get_dh2048();
SSL_CTX_set_tmp_dh(ctx, dh);

#if OPENSSL_VERSION_NUMBER < 0x10002000L
// Remove this case if OpenSSL 1.0.1 (now EOL) support is no
// longer needed.
Expand Down Expand Up @@ -353,6 +354,15 @@ sslctx_initialize(VALUE self, VALUE mini_ssl_ctx) {
SSL_MAX_SSL_SESSION_ID_LENGTH);

// printf("\ninitialize end security_level %d\n", SSL_CTX_get_security_level(ctx));

#ifdef HAVE_SSL_GET1_PEER_CERTIFICATE
// https://www.openssl.org/docs/man3.0/man3/SSL_CTX_set_dh_auto.html
SSL_CTX_set_dh_auto(ctx, 1);
#else
dh = get_dh2048();
SSL_CTX_set_tmp_dh(ctx, dh);
#endif

rb_obj_freeze(self);
return self;
}
Expand Down Expand Up @@ -551,7 +561,11 @@ VALUE engine_peercert(VALUE self) {

TypedData_Get_Struct(self, ms_conn, &engine_data_type, conn);

#ifdef HAVE_SSL_GET1_PEER_CERTIFICATE
cert = SSL_get1_peer_certificate(conn->ssl);
#else
cert = SSL_get_peer_certificate(conn->ssl);
#endif
if(!cert) {
/*
* See if there was a failed certificate associated with this client.
Expand Down