From 5698d58d9ffd97f3cb760c5eb1c84eb177303f5e Mon Sep 17 00:00:00 2001
From: emboss <emboss@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Thu, 6 Mar 2014 01:43:53 +0000
Subject: [PATCH 1/2] * lib/openssl/ssl.rb: Explicitly whitelist the default  
 SSL/TLS ciphers. Forbid SSLv2 and SSLv3, disable   compression by default.  
 Reported by Jeff Hodges.   [ruby-core:59829] [Bug #9424]

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@45274 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

Conflicts:
	ChangeLog
	ext/openssl/lib/openssl/ssl.rb
---
 ChangeLog                      |  8 ++++++
 ext/openssl/lib/openssl/ssl.rb | 52 +++++++++++++++++++++++++++-------
 2 files changed, 50 insertions(+), 10 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 967980eaa9d5a0..786023958131df 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+Thu Mar  6 10:33:31 2014  Martin Bosslet  <Martin.Bosslet@gmail.com>
+
+	* lib/openssl/ssl.rb: Explicitly whitelist the default
+	  SSL/TLS ciphers. Forbid SSLv2 and SSLv3, disable
+	  compression by default.
+	  Reported by Jeff Hodges.
+	  [ruby-core:59829] [Bug #9424]
+
 Tue Jan 14 02:20:00 2014  Kenta Murata  <mrkn@mrkn.jp>
 
 	* ext/bigdecimal/bigdecimal.c (BigDecimal_divide): Add an additional
diff --git a/ext/openssl/lib/openssl/ssl.rb b/ext/openssl/lib/openssl/ssl.rb
index 64ebc8e9878946..0600080adc9d0f 100644
--- a/ext/openssl/lib/openssl/ssl.rb
+++ b/ext/openssl/lib/openssl/ssl.rb
@@ -20,19 +20,51 @@
 module OpenSSL
   module SSL
     class SSLContext
-      options = OpenSSL::SSL::OP_ALL
-      if defined?(OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS)
-        options &= ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS
-      end
-      if defined?(OpenSSL::SSL::OP_NO_COMPRESSION)
-        options |= OpenSSL::SSL::OP_NO_COMPRESSION
-      end
-
       DEFAULT_PARAMS = {
         :ssl_version => "SSLv23",
         :verify_mode => OpenSSL::SSL::VERIFY_PEER,
-        :ciphers => "DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2:!ADH",
-        :options => options,
+        :ciphers => %w{
+          ECDHE-ECDSA-AES128-GCM-SHA256
+          ECDHE-RSA-AES128-GCM-SHA256
+          ECDHE-ECDSA-AES256-GCM-SHA384
+          ECDHE-RSA-AES256-GCM-SHA384
+          DHE-RSA-AES128-GCM-SHA256
+          DHE-DSS-AES128-GCM-SHA256
+          DHE-RSA-AES256-GCM-SHA384
+          DHE-DSS-AES256-GCM-SHA384
+          ECDHE-ECDSA-AES128-SHA256
+          ECDHE-RSA-AES128-SHA256
+          ECDHE-ECDSA-AES128-SHA
+          ECDHE-RSA-AES128-SHA
+          ECDHE-ECDSA-AES256-SHA384
+          ECDHE-RSA-AES256-SHA384
+          ECDHE-ECDSA-AES256-SHA
+          ECDHE-RSA-AES256-SHA
+          DHE-RSA-AES128-SHA256
+          DHE-RSA-AES256-SHA256
+          DHE-RSA-AES128-SHA
+          DHE-RSA-AES256-SHA
+          DHE-DSS-AES128-SHA256
+          DHE-DSS-AES256-SHA256
+          DHE-DSS-AES128-SHA
+          DHE-DSS-AES256-SHA
+          AES128-GCM-SHA256
+          AES256-GCM-SHA384
+          AES128-SHA256
+          AES256-SHA256
+          AES128-SHA
+          AES256-SHA
+          ECDHE-ECDSA-RC4-SHA
+          ECDHE-RSA-RC4-SHA
+          RC4-SHA
+        }.join(":"),
+        :options => -> {
+          opts = OpenSSL::SSL::OP_ALL
+          opts &= ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS if defined?(OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS)
+          opts |= OpenSSL::SSL::OP_NO_COMPRESSION if defined?(OpenSSL::SSL::OP_NO_COMPRESSION)
+          opts |= OpenSSL::SSL::OP_NO_SSLv2 if defined?(OpenSSL::SSL::OP_NO_SSLv2)
+          opts |= OpenSSL::SSL::OP_NO_SSLv3 if defined?(OpenSSL::SSL::OP_NO_SSLv3)
+        }.call
       }
 
       DEFAULT_CERT_STORE = OpenSSL::X509::Store.new

From dc5a643bc5b32ea9fa7d57b6c13be65c3045cb35 Mon Sep 17 00:00:00 2001
From: emboss <emboss@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Fri, 7 Mar 2014 03:15:39 +0000
Subject: [PATCH 2/2] * test/openssl/test_ssl.rb: Reuse TLS default options
 from   OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@45280 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

Conflicts:
	ChangeLog
	test/openssl/test_ssl.rb
---
 ChangeLog                | 5 +++++
 test/openssl/test_ssl.rb | 6 +-----
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 786023958131df..f6e3807c6e1c05 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+Fri Mar  7 12:06:19 2014  Martin Bosslet  <Martin.Bosslet@gmail.com>
+
+	* test/openssl/test_ssl.rb: Reuse TLS default options from
+	  OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.
+
 Thu Mar  6 10:33:31 2014  Martin Bosslet  <Martin.Bosslet@gmail.com>
 
 	* lib/openssl/ssl.rb: Explicitly whitelist the default
diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb
index a13f0e1a9c49a7..b743819518f7b5 100644
--- a/test/openssl/test_ssl.rb
+++ b/test/openssl/test_ssl.rb
@@ -4,10 +4,6 @@
 
 class OpenSSL::TestSSL < OpenSSL::SSLTestCase
 
-  TLS_DEFAULT_OPS = defined?(OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS) ?
-                    OpenSSL::SSL::OP_ALL & ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS :
-                    OpenSSL::SSL::OP_ALL
-
   def test_ctx_setup
     ctx = OpenSSL::SSL::SSLContext.new
     assert_equal(ctx.setup, true)
@@ -276,7 +272,7 @@ def test_sslctx_set_params
       ctx = OpenSSL::SSL::SSLContext.new
       ctx.set_params
       assert_equal(OpenSSL::SSL::VERIFY_PEER, ctx.verify_mode)
-      assert_equal(TLS_DEFAULT_OPS, ctx.options)
+      assert_equal(OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:options], ctx.options)
       ciphers = ctx.ciphers
       ciphers_versions = ciphers.collect{|_, v, _, _| v }
       ciphers_names = ciphers.collect{|v, _, _, _| v }