Profile

MartinBosslet (Martin Bosslet)

Issues

                 open  closed  Total
Assigned issues     0      68     68
Reported issues     1      38     39

Activity

03/30/2015

11:40 AM Ruby Bug #10968 (Feedback): [BUG] object allocation during garbage collection phase in /opt/rubies/ruby-2.2.1/lib/ruby/2.2.0/openssl/ssl.rb:177
This [1] seems to be the section of the code where the error happened.
@ko1: Could this be a GC issue?
[1] https://github.com/ruby/ruby/blob/trunk/ext/openssl/ossl_ssl.c#L1661
MartinBosslet (Martin Bosslet)

03/07/2014

03:15 AM Ruby Revision 92a5ebb4 (git): * test/openssl/test_ssl.rb: Reuse TLS default options from
OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@45280 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
MartinBosslet (Martin Bosslet)

03/06/2014

01:52 AM Ruby Bug #9424: ruby 1.9 & 2.x has insecure SSL/TLS client defaults
The patch has been committed. After discussing the issue with Dirkjan, the decision was made to additionally add
ECDHE-ECDSA-RC4-SHA
ECDHE-RSA-RC4-SHA
RC4-SHA
to the end of the list because RC4 has been widely deploye...
MartinBosslet (Martin Bosslet)
01:43 AM Ruby Revision 699b209c (git): * lib/openssl/ssl.rb: Explicitly whitelist the default
SSL/TLS ciphers. Forbid SSLv2 and SSLv3, disable
compression by default.
Reported by Jeff Hodges.
[ruby-core:59829] [Bug #9424]
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@45274 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
MartinBosslet (Martin Bosslet)

02/02/2014

10:37 PM Ruby Bug #9424: ruby 1.9 & 2.x has insecure SSL/TLS client defaults
Attached the last patch updated with a whitelist of 30 ciphers. The rationale:
- prefer ephemeral DH to enable forward secrecy
- prefer GCM over CBC mode
- prefer AES-128 over AES-256 (due to performance mostly, both are secure)
-...
MartinBosslet (Martin Bosslet)

01/29/2014

10:50 PM Ruby Bug #9424: ruby 1.9 & 2.x has insecure SSL/TLS client defaults
After discussing the issue with Dirkjan and also internally, I feel that updating our own TLS cipher list is the best option we have at this point. So far, there is no indication as to when OpenSSL might update the defaults themselves. T...
MartinBosslet (Martin Bosslet)

01/27/2014

02:15 AM Ruby Feature #9439: Remove OpenSSL from stdlib
Aaron Patterson wrote:
> On Sat, Jan 25, 2014 at 12:32:12AM +0000, mame@tsg.ne.jp wrote:
> ...
No, not at all :)
> > Shyouhei's point is that we can no longer develop the OpenSSL extension.
> ...
Those who know me also know that ...
MartinBosslet (Martin Bosslet)
01:47 AM Ruby Bug #9424: ruby 1.9 & 2.x has insecure SSL/TLS client defaults
Yusuke Endoh wrote:
> Cooperatively with some committers, I investigated the current condition of default settings in OpenSSL (and OS X). It is very complicated. Correct me if I'm wrong.
Thanks for that!
> ...
That's the kind of...
MartinBosslet (Martin Bosslet)

01/23/2014

04:25 PM Ruby Bug #9424: ruby 1.9 & 2.x has insecure SSL/TLS client defaults
Yusuke Endoh wrote:
>
> ...
Np, thank you!

B Kelly wrote:
> Martin.Bosslet@gmail.com wrote:
> ...
And it is. It doesn't matter if you remove something or if you think (!) you are improving the situation. The final patch we all a...
MartinBosslet (Martin Bosslet)

01/22/2014

12:12 PM Ruby Bug #9424: ruby 1.9 & 2.x has insecure SSL/TLS client defaults
First some words why I (and others here) believe that it's not a good idea to deviate from OpenSSL defaults:
Security is a delicate issue and typically consumers relying on a library like OpenSSL often do so because they don't want to...
MartinBosslet (Martin Bosslet)