[ruby-core:61380] [ruby-trunk - Bug #9613] [Open] Warn about unsafe ossl ciphers

[ruby-core:61380] [ruby-trunk - Bug #9613] [Open] Warn about unsafe ossl ciphers

[e]

Issue #9613 has been reported by Zachary Scott.

----------------------------------------
Bug #9613: Warn about unsafe ossl ciphers
https://bugs.ruby-lang.org/issues/9613

* Author: Zachary Scott
* Status: Open
* Priority: Normal
* Assignee: 
* Category: ext/openssl
* Target version: current: 2.2.0
* ruby -v: 2.2.0dev
* Backport: 1.9.3: UNKNOWN, 2.0.0: UNKNOWN, 2.1: UNKNOWN
----------------------------------------
As of r45274, we now have sane whitelist of available OpenSSL ciphers. However, this patch breaks backwards compatibility for any apps that use any ciphers not whitelisted.

## Solution

* Implement a new class: OpenSSL::SSL::Ciphers
  * This class defines a constant for every whitelisted cipher used by DEFAULT_PARAMS[:ciphers]
  * Any constant not found within this class should raise a warning and report to the user
* Add an OpenSSL::SSL::Configuration class
  * Designed to default to no compression, and no sslv2/v3
  * Used by DEFAULT_PARAMS[:options]
  * This class may contain helper methods such as: #compression_enabled?

## Pros

* We don't break anything, without warning users first
* Maintaining future whitelist ciphers is easier
* Future unsupported/blacklist ciphers are already dismissed
* Users are able to extend cipher lists to support their needs (by adding a constant to OpenSSL::SSL::Ciphers)

## Concerns

I have discussed this with Martin, and we'd like to open up this discussion for feedback. We're particularly concerned about backporting r45274 as it breaks compatibility. We should also consider:

* Do we backport both patches or just the warning?
* Should we bother backporting deprecation warnings?
  * Since r45274 is not a security fix, do we consider this a bug?
  * Rails only introduces deprecation notices in new minor releases (ie: Ruby-2.2.0)
* r45274 is a major change that could break existing apps, even considering security



-- 
http://bugs.ruby-lang.org/

[ruby-core:61559] [ruby-trunk - Bug #9613] Warn about unsafe ossl ciphers

[naruse]

Issue #9613 has been updated by Yui NARUSE.

Related to Backport #9640: Please backport SSL fixes to 2.1 added

----------------------------------------
Bug #9613: Warn about unsafe ossl ciphers
https://bugs.ruby-lang.org/issues/9613#change-45841

* Author: Zachary Scott
* Status: Open
* Priority: Normal
* Assignee: 
* Category: ext/openssl
* Target version: current: 2.2.0
* ruby -v: 2.2.0dev
* Backport: 1.9.3: UNKNOWN, 2.0.0: UNKNOWN, 2.1: UNKNOWN
----------------------------------------
As of r45274, we now have sane whitelist of available OpenSSL ciphers. However, this patch breaks backwards compatibility for any apps that use any ciphers not whitelisted.

## Solution

* Implement a new class: OpenSSL::SSL::Ciphers
  * This class defines a constant for every whitelisted cipher used by DEFAULT_PARAMS[:ciphers]
  * Any constant not found within this class should raise a warning and report to the user
* Add an OpenSSL::SSL::Configuration class
  * Designed to default to no compression, and no sslv2/v3
  * Used by DEFAULT_PARAMS[:options]
  * This class may contain helper methods such as: #compression_enabled?

## Pros

* We don't break anything, without warning users first
* Maintaining future whitelist ciphers is easier
* Future unsupported/blacklist ciphers are already dismissed
* Users are able to extend cipher lists to support their needs (by adding a constant to OpenSSL::SSL::Ciphers)

## Concerns

I have discussed this with Martin, and we'd like to open up this discussion for feedback. We're particularly concerned about backporting r45274 as it breaks compatibility. We should also consider:

* Do we backport both patches or just the warning?
* Should we bother backporting deprecation warnings?
  * Since r45274 is not a security fix, do we consider this a bug?
  * Rails only introduces deprecation notices in new minor releases (ie: Ruby-2.2.0)
* r45274 is a major change that could break existing apps, even considering security



-- 
http://bugs.ruby-lang.org/

[ruby-core:61569] [ruby-trunk - Bug #9613] Warn about unsafe ossl ciphers

[ch---bugs-ruby-lang]

Issue #9613 has been updated by Christian Hofstaedtler.


Single datapoint: 45274 will likely end up in Debian jessie's ruby 2.1, and by extension probably in Ubuntu's ruby 2.1.

----------------------------------------
Bug #9613: Warn about unsafe ossl ciphers
https://bugs.ruby-lang.org/issues/9613#change-45851

* Author: Zachary Scott
* Status: Open
* Priority: Normal
* Assignee: 
* Category: ext/openssl
* Target version: current: 2.2.0
* ruby -v: 2.2.0dev
* Backport: 1.9.3: UNKNOWN, 2.0.0: UNKNOWN, 2.1: UNKNOWN
----------------------------------------
As of r45274, we now have sane whitelist of available OpenSSL ciphers. However, this patch breaks backwards compatibility for any apps that use any ciphers not whitelisted.

## Solution

* Implement a new class: OpenSSL::SSL::Ciphers
  * This class defines a constant for every whitelisted cipher used by DEFAULT_PARAMS[:ciphers]
  * Any constant not found within this class should raise a warning and report to the user
* Add an OpenSSL::SSL::Configuration class
  * Designed to default to no compression, and no sslv2/v3
  * Used by DEFAULT_PARAMS[:options]
  * This class may contain helper methods such as: #compression_enabled?

## Pros

* We don't break anything, without warning users first
* Maintaining future whitelist ciphers is easier
* Future unsupported/blacklist ciphers are already dismissed
* Users are able to extend cipher lists to support their needs (by adding a constant to OpenSSL::SSL::Ciphers)

## Concerns

I have discussed this with Martin, and we'd like to open up this discussion for feedback. We're particularly concerned about backporting r45274 as it breaks compatibility. We should also consider:

* Do we backport both patches or just the warning?
* Should we bother backporting deprecation warnings?
  * Since r45274 is not a security fix, do we consider this a bug?
  * Rails only introduces deprecation notices in new minor releases (ie: Ruby-2.2.0)
* r45274 is a major change that could break existing apps, even considering security



-- 
httsp://bugs.ruby-lang.org/

[ruby-core:70786] [Ruby trunk - Feature #9613] Warn about unsafe ossl ciphers

[zzak]

Issue #9613 has been updated by Zachary Scott.

Tracker changed from Bug to Feature
Assignee set to openssl

----------------------------------------
Feature #9613: Warn about unsafe ossl ciphers
https://bugs.ruby-lang.org/issues/9613#change-54169

* Author: Zachary Scott
* Status: Open
* Priority: Normal
* Assignee: openssl
----------------------------------------
As of r45274, we now have sane whitelist of available OpenSSL ciphers. However, this patch breaks backwards compatibility for any apps that use any ciphers not whitelisted.

## Solution

* Implement a new class: OpenSSL::SSL::Ciphers
  * This class defines a constant for every whitelisted cipher used by DEFAULT_PARAMS[:ciphers]
  * Any constant not found within this class should raise a warning and report to the user
* Add an OpenSSL::SSL::Configuration class
  * Designed to default to no compression, and no sslv2/v3
  * Used by DEFAULT_PARAMS[:options]
  * This class may contain helper methods such as: #compression_enabled?

## Pros

* We don't break anything, without warning users first
* Maintaining future whitelist ciphers is easier
* Future unsupported/blacklist ciphers are already dismissed
* Users are able to extend cipher lists to support their needs (by adding a constant to OpenSSL::SSL::Ciphers)

## Concerns

I have discussed this with Martin, and we'd like to open up this discussion for feedback. We're particularly concerned about backporting r45274 as it breaks compatibility. We should also consider:

* Do we backport both patches or just the warning?
* Should we bother backporting deprecation warnings?
  * Since r45274 is not a security fix, do we consider this a bug?
  * Rails only introduces deprecation notices in new minor releases (ie: Ruby-2.2.0)
* r45274 is a major change that could break existing apps, even considering security



-- 
https://bugs.ruby-lang.org/