Bug #13401

OpenSSL::SSL::SSLSocket :hostname= accessor removed

Added by puchuu (Andrew Aladjev) over 2 years ago. Updated over 2 years ago.

Status:
Third Party's Issue
Priority:
Normal
Target version:
-
[ruby-core:80567]

Description

Hello. I've found a small issue, but it is important for security.

Some websites will force you to use SNI. For example "httpbin.org".

openssl s_client -connect httpbin.org:443

tlsv1 alert internal error

openssl s_client -connect httpbin.org:443 -servername httpbin.org

ok

require "openssl"
require "socket"

HOST = "httpbin.org"

class SSL < OpenSSL::SSL::SSLSocket
  def initialize *args
    super
    # Set the instance variable directly; this worked on 2.0-2.3 but not on 2.4
    @hostname = HOST
  end
end

socket = TCPSocket.open HOST, 443

begin
  ssl_socket = SSL.new socket, OpenSSL::SSL::SSLContext.new

  begin
    # Fails on 2.4.x with "tlsv1 alert internal error" because no SNI is sent
    ssl_socket.connect
    puts "connected"
  ensure
    ssl_socket.close
  end

ensure
  socket.close
end

This code works fine with any ruby 2.0-2.3 and rubinius, but it failed with 2.4.0 and 2.4.1.

I can see that you've removed the accessor from lib/ruby/2.4.0/openssl/ssl.rb:

if ExtConfig::HAVE_TLSEXT_HOST_NAME
  attr_reader :hostname
end

ext/openssl/ossl_ssl.c:

#ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME
    /* #hostname is defined in lib/openssl/ssl.rb */
    rb_define_method(cSSLSocket, "hostname=", ossl_ssl_set_hostname, 1);
#endif

So we have to use self.hostname = HOST instead of @hostname = HOST.

Please document this new behaviour in documentation. Thank you.

History

Updated by nobu (Nobuyoshi Nakada) over 2 years ago

  • Assignee set to rhenium (Kazuki Yamaguchi)
  • Status changed from Open to Assigned

Updated by rhenium (Kazuki Yamaguchi) over 2 years ago

  • Status changed from Assigned to Third Party's Issue

(Third Party's Issue since new bugs should go to https://github.com/ruby/openssl)

The accessor still exists, as you see, only if the OpenSSL library with which ext/openssl was compiled supports SNI. This has not changed. Setting the server name directly to the instance variable has never been documented, nor has it ever been a proper way.
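The following is an added illustration of the point made in the description and in rhenium's comment; it is not code from the report or from ruby/openssl. It runs a TLS server on a loopback listener with a constructed self-signed certificate for example.test, records the SNI name the server receives via servername_cb, and connects twice: once with the documented hostname= accessor (which calls SSL_set_tlsext_host_name and sets @hostname), and once by assigning @hostname directly as the report did. It assumes a Ruby whose OpenSSL supports SNI, which is exactly when SSLSocket#hostname= is defined, and checks for that with respond_to?.

```ruby
require "openssl"
require "socket"

# Name the in-process test server presents and the client requests (constructed).
SERVER_NAME = "example.test"

# Build a self-signed certificate for the test server (constructed, memory only).
def make_self_signed(common_name)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{common_name}"))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Accept one TLS connection and return the SNI name the client sent
# (nil when the ClientHello carried no server_name extension).
def run_server_once(listener, cert, key)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key = key
  seen = nil
  # servername_cb only fires when SNI is present; returning nil keeps ctx.
  ctx.servername_cb = proc { |_sock, name| seen = name; nil }
  tcp = listener.accept
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
  begin
    ssl.accept
    ssl.gets # consume the client's one line
  rescue OpenSSL::SSL::SSLError, SystemCallError, EOFError
    # A failed handshake still tells us whether SNI was seen.
  ensure
    ssl.close
    tcp.close
  end
  seen
end

# Client context that actually verifies the peer: chain against our test
# cert and hostname against the name given to hostname=.
def client_ctx(trusted_cert)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.verify_hostname = true
  store = OpenSSL::X509::Store.new
  store.add_cert(trusted_cert)
  ctx.cert_store = store
  ctx
end

# The documented way: hostname= sends SNI and records the name that
# verify_hostname and post_connection_check compare against.
def connect_with_accessor(port, trusted_cert)
  tcp = TCPSocket.new("127.0.0.1", port)
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, client_ctx(trusted_cert))
  ssl.sync_close = true
  # hostname= exists only when ext/openssl was built against an SNI-capable OpenSSL.
  raise "this OpenSSL build has no SNI support" unless ssl.respond_to?(:hostname=)
  ssl.hostname = SERVER_NAME
  ssl.connect
  ssl.post_connection_check(SERVER_NAME)
  ssl.puts "hello"
ensure
  ssl&.close
end

# The pattern from the report: assigning the instance variable bypasses
# SSL_set_tlsext_host_name, so the ClientHello carries no SNI at all.
def connect_with_ivar(port, trusted_cert)
  tcp = TCPSocket.new("127.0.0.1", port)
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, client_ctx(trusted_cert))
  ssl.sync_close = true
  ssl.instance_variable_set(:@hostname, SERVER_NAME)
  ssl.connect
  ssl.puts "hello"
rescue OpenSSL::SSL::SSLError
  # Whether or not the handshake survives, the server never received SNI.
ensure
  ssl&.close
end

# Run server and client for one connection; return the SNI the server saw.
def sni_seen_by_server(connect_method)
  cert, key = make_self_signed(SERVER_NAME)
  listener = TCPServer.new("127.0.0.1", 0)
  server = Thread.new { run_server_once(listener, cert, key) }
  send(connect_method, listener.addr[1], cert)
  server.value
ensure
  listener&.close
end

if $PROGRAM_NAME == __FILE__
  puts "hostname= : server saw SNI #{sni_seen_by_server(:connect_with_accessor).inspect}"
  puts "@hostname : server saw SNI #{sni_seen_by_server(:connect_with_ivar).inspect}"
end
```

The server-side callback is the check worth keeping in mind: a server that routes on SNI (as httpbin.org does) sees nil for the @hostname variant and aborts the handshake, which is the "tlsv1 alert internal error" from the report.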

Updated by puchuu (Andrew Aladjev) over 2 years ago

rhenium (Kazuki Yamaguchi) wrote:

The accessor still exists, as you see, only if the OpenSSL library with which ext/openssl was compiled supports SNI. This has not changed. Setting the server name directly to the instance variable has never been documented or a proper way.

Hostname was an attr_accessor and @hostname= worked fine, but now there is an attr_reader and a separate :hostname= method. This change could break some applications. Please fix or add new info to the docs. Thank you.

Ok, I will report it to github.
