Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP4:GA
rubygem-puma
add-support-for-disabling-TLSv1.0.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File add-support-for-disabling-TLSv1.0.patch of Package rubygem-puma
From 04e159acd87e2eb6937d0a209804af1fafd513c1 Mon Sep 17 00:00:00 2001 From: dmaiocchi <dmaiocchi@suse.com> Date: Fri, 31 Jul 2020 17:42:41 +0200 Subject: [PATCH] add support for disabling TLSv1.0 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Many organizations run their applications using in environments that fall into scope of PCI-DSS compliance audits. One of the requirements set out by standard is to migrate to more secure protocols if possible. PCI Security Standards council has advised to migrate away from TLSv1.0 over last few years and recently set a migration deadline of 30 June 2018 (see [1] for more details). Change proposed in this commit gives an user option to disable `TLSv1.0` during bind, while still leaving the `TLSv1.1` and `TLSv1.2` enabled. `SSLv2` and `SSLv3` are permanently disabled (as they should). Default behaviour is not changed if the `no_tls` option is not defined. [1]: https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls --- README.md | 6 ++++++ ext/puma_http11/mini_ssl.c | 23 +++++++++++++++++++-- ext/puma_http11/org/jruby/puma/MiniSSL.java | 8 ++++++- lib/puma/binder.rb | 2 ++ lib/puma/dsl.rb | 5 +++-- lib/puma/minissl.rb | 12 +++++++++++ 6 files changed, 51 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 6c1d0ac4..bd8d93e6 100644 --- a/README.md +++ b/README.md @@ -162,6 +162,12 @@ Need a bit of security? Use SSL sockets: $ puma -b 'ssl://127.0.0.1:9292?key=path_to_key&cert=path_to_cert' ``` +Don't want to use insecure TLSv1.0 ? + +``` +$ puma -b 'ssl://127.0.0.1:9292?key=path_to_key&cert=path_to_cert&no_tlsv1=true' +``` + ### Control/Status Server Puma has a built-in status/control app that can be used to query and control Puma itself. diff --git a/ext/puma_http11/mini_ssl.c b/ext/puma_http11/mini_ssl.c index cac1aa93..b2549cf1 100644 --- a/ext/puma_http11/mini_ssl.c +++ b/ext/puma_http11/mini_ssl.c @@ -142,6 +142,7 @@ VALUE engine_init_server(VALUE self, VALUE mini_ssl_ctx) { VALUE obj; SSL_CTX* ctx; SSL* ssl; + int ssl_options; ms_conn* conn = engine_alloc(self, &obj); @@ -161,6 +162,13 @@ VALUE engine_init_server(VALUE self, VALUE mini_ssl_ctx) { ID sym_verify_mode = rb_intern("verify_mode"); VALUE verify_mode = rb_funcall(mini_ssl_ctx, sym_verify_mode, 0); + ID sym_ssl_cipher_filter = rb_intern("ssl_cipher_filter"); + VALUE ssl_cipher_filter = rb_funcall(mini_ssl_ctx, sym_ssl_cipher_filter, 0); + + ID sym_no_tlsv1 = rb_intern("no_tlsv1"); + VALUE no_tlsv1 = rb_funcall(mini_ssl_ctx, sym_no_tlsv1, 0); + + ctx = SSL_CTX_new(SSLv23_server_method()); conn->ctx = ctx; @@ -172,10 +180,21 @@ VALUE engine_init_server(VALUE self, VALUE mini_ssl_ctx) { SSL_CTX_load_verify_locations(ctx, RSTRING_PTR(ca), NULL); } - SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_SINGLE_DH_USE | SSL_OP_SINGLE_ECDH_USE | SSL_OP_NO_COMPRESSION); + ssl_options = SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_SINGLE_DH_USE | SSL_OP_SINGLE_ECDH_USE | SSL_OP_NO_COMPRESSION; + + if(RTEST(no_tlsv1)) { + ssl_options |= SSL_OP_NO_TLSv1; + } + SSL_CTX_set_options(ctx, ssl_options); SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); - SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL@STRENGTH"); + if (!NIL_P(ssl_cipher_filter)) { + StringValue(ssl_cipher_filter); + SSL_CTX_set_cipher_list(ctx, RSTRING_PTR(ssl_cipher_filter)); + } + else { + SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL@STRENGTH"); + } DH *dh = get_dh1024(); SSL_CTX_set_tmp_dh(ctx, dh); diff --git a/ext/puma_http11/org/jruby/puma/MiniSSL.java b/ext/puma_http11/org/jruby/puma/MiniSSL.java index c3b5d63f..830e5699 100644 --- a/ext/puma_http11/org/jruby/puma/MiniSSL.java +++ b/ext/puma_http11/org/jruby/puma/MiniSSL.java @@ -158,7 +158,13 @@ public class MiniSSL extends RubyObject { sslCtx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null); engine = sslCtx.createSSLEngine(); - String[] protocols = new String[] { "TLSv1", "TLSv1.1", "TLSv1.2" }; + String[] protocols; + if(miniSSLContext.callMethod(threadContext, "no_tlsv1").isTrue()) { + protocols = new String[] { "TLSv1.1", "TLSv1.2" }; + } else { + protocols = new String[] { "TLSv1", "TLSv1.1", "TLSv1.2" }; + } + engine.setEnabledProtocols(protocols); engine.setUseClientMode(false); diff --git a/lib/puma/binder.rb b/lib/puma/binder.rb index 7c68eebe..5a2c618c 100644 --- a/lib/puma/binder.rb +++ b/lib/puma/binder.rb @@ -184,6 +184,8 @@ module Puma ctx.ca = params['ca'] if params['ca'] end + ctx.no_tlsv1 = true if params['no_tlsv1'] == 'true' + if params['verify_mode'] ctx.verify_mode = case params['verify_mode'] when "peer" diff --git a/lib/puma/dsl.rb b/lib/puma/dsl.rb index 220c4f73..8f78afba 100644 --- a/lib/puma/dsl.rb +++ b/lib/puma/dsl.rb @@ -285,12 +285,13 @@ module Puma def ssl_bind(host, port, opts) verify = opts.fetch(:verify_mode, 'none') + no_tlsv1 = opts.fetch(:no_tlsv1, 'false') if defined?(JRUBY_VERSION) keystore_additions = "keystore=#{opts[:keystore]}&keystore-pass=#{opts[:keystore_pass]}" - bind "ssl://#{host}:#{port}?cert=#{opts[:cert]}&key=#{opts[:key]}&#{keystore_additions}&verify_mode=#{verify}" + bind "ssl://#{host}:#{port}?cert=#{opts[:cert]}&key=#{opts[:key]}&#{keystore_additions}&verify_mode=#{verify}&no_tlsv1=#{no_tlsv1}" else - bind "ssl://#{host}:#{port}?cert=#{opts[:cert]}&key=#{opts[:key]}&verify_mode=#{verify}" + bind "ssl://#{host}:#{port}?cert=#{opts[:cert]}&key=#{opts[:key]}&verify_mode=#{verify}&no_tlsv1=#{no_tlsv1}" end end diff --git a/lib/puma/minissl.rb b/lib/puma/minissl.rb index a65c1c64..aebfa888 100644 --- a/lib/puma/minissl.rb +++ b/lib/puma/minissl.rb @@ -175,6 +175,11 @@ module Puma class Context attr_accessor :verify_mode + attr_reader :no_tlsv1 + + def initialize + @no_tlsv1 = false + end if defined?(JRUBY_VERSION) # jruby-specific Context properties: java uses a keystore and password pair rather than a cert/key pair @@ -211,11 +216,18 @@ module Puma @ca = ca end + def check raise "Key not configured" unless @key raise "Cert not configured" unless @cert end end + + def no_tlsv1=(tlsv1) + raise ArgumentError, "Invalid value of no_tlsv1" unless ['true', 'false', true, false].include?(tlsv1) + @no_tlsv1 = tlsv1 + end + end VERIFY_NONE = 0 -- 2.26.2
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
