* [ruby-core:61380] [ruby-trunk - Bug #9613] [Open] Warn about unsafe ossl ciphers
From: e @ 2014-03-08 3:04 UTC
To: ruby-core
Issue #9613 has been reported by Zachary Scott.
----------------------------------------
Bug #9613: Warn about unsafe ossl ciphers
https://bugs.ruby-lang.org/issues/9613
* Author: Zachary Scott
* Status: Open
* Priority: Normal
* Assignee:
* Category: ext/openssl
* Target version: current: 2.2.0
* ruby -v: 2.2.0dev
* Backport: 1.9.3: UNKNOWN, 2.0.0: UNKNOWN, 2.1: UNKNOWN
----------------------------------------
As of r45274, we now have a sane whitelist of available OpenSSL ciphers. However, this patch breaks backwards compatibility for any apps that use any ciphers not whitelisted.
## Solution
* Implement a new class: OpenSSL::SSL::Ciphers
* This class defines a constant for every whitelisted cipher used by DEFAULT_PARAMS[:ciphers]
* Any constant not found within this class should raise a warning and report to the user
* Add an OpenSSL::SSL::Configuration class
* Designed to default to no compression, and no sslv2/v3
* Used by DEFAULT_PARAMS[:options]
* This class may contain helper methods such as: #compression_enabled?
## Pros
* We don't break anything, without warning users first
* Maintaining future whitelist ciphers is easier
* Future unsupported/blacklist ciphers are already dismissed
* Users are able to extend cipher lists to support their needs (by adding a constant to OpenSSL::SSL::Ciphers)
## Concerns
I have discussed this with Martin, and we'd like to open up this discussion for feedback. We're particularly concerned about backporting r45274 as it breaks compatibility. We should also consider:
* Do we backport both patches or just the warning?
* Should we bother backporting deprecation warnings?
* Since r45274 is not a security fix, do we consider this a bug?
* Rails only introduces deprecation notices in new minor releases (i.e. Ruby 2.2.0)
* r45274 is a major change that could break existing apps, even considering security
--
http://bugs.ruby-lang.org/
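The whitelist-plus-warning design sketched in the proposal above, as an added Ruby example that is not code from the Ruby tracker, from ext/openssl or from the proposal's author. The module and method names (SafeSSL, Ciphers.check, Configuration#to_options, Configuration.from_options) are assumptions drawn from the bullet list; the suite list is a constructed subset, not the real r45274 DEFAULT_PARAMS list; and the OP_NO_* bit values are OpenSSL 1.0.x's SSL_OP_NO_* constants, assumed here so the example runs without the openssl extension.

```ruby
# Added example, not code from the Ruby tracker or ext/openssl: a sketch of
# the whitelist-plus-warning design proposed in Bug #9613. Names are
# assumptions drawn from the proposal; the suite list is a constructed subset.
module SafeSSL
  # One constant per whitelisted suite, so "is this cipher allowed?" is a
  # constant lookup and users extend the list by adding a constant.
  module Ciphers
    ECDHE_RSA_AES128_GCM_SHA256 = "ECDHE-RSA-AES128-GCM-SHA256"
    ECDHE_RSA_AES256_GCM_SHA384 = "ECDHE-RSA-AES256-GCM-SHA384"
    DHE_RSA_AES128_GCM_SHA256   = "DHE-RSA-AES128-GCM-SHA256"
    AES128_GCM_SHA256           = "AES128-GCM-SHA256"
    AES256_SHA                  = "AES256-SHA"

    # OpenSSL suite name -> constant name ("AES256-SHA" -> AES256_SHA).
    def self.const_for(name)
      name.tr("-", "_").upcase
    end

    # True only for an explicitly whitelisted suite. Aliases such as "HIGH"
    # or "ECDH+AESGCM" are not constants (the latter is not even a legal
    # constant name and raises NameError), so they are never whitelisted.
    def self.whitelisted?(name)
      const_defined?(const_for(name), false)
    rescue NameError
      false
    end

    # Split a cipher string on ":" (OpenSSL's separator; "," and " " are also
    # accepted). Directives like "!aNULL", "@STRENGTH", "+HIGH" are not suites.
    def self.names_from(cipher_string)
      cipher_string.split(/[:, ]+/).reject do |tok|
        tok.empty? || tok.start_with?("!", "@", "+", "-")
      end
    end

    # Warn once per non-whitelisted suite and return those names, so a caller
    # can decide whether to fail hard (new release) or only warn (backport).
    def self.check(cipher_string, warn_to: $stderr)
      unknown = names_from(cipher_string).reject { |n| whitelisted?(n) }
      unknown.each do |n|
        warn_to.puts "warning: cipher #{n} is not in #{self}; " \
                     "add a constant for it or drop it from the cipher list"
      end
      unknown
    end

    # Colon-joined whitelist in definition order, for DEFAULT_PARAMS[:ciphers].
    def self.default_list
      constants(false).map { |c| const_get(c) }.join(":")
    end
  end

  # Protocol and compression policy behind DEFAULT_PARAMS[:options].
  # Defaults follow the proposal: no compression, no SSLv2, no SSLv3.
  class Configuration
    # SSL_OP_NO_* bits from OpenSSL 1.0.x ssl.h (assumed here so the example
    # runs without the openssl extension; real code should use
    # OpenSSL::SSL::OP_NO_*; note OpenSSL 1.1+ defines SSL_OP_NO_SSLv2 as 0
    # because SSLv2 was removed entirely, so "bit set" no longer means "off").
    OP_NO_COMPRESSION = 0x00020000
    OP_NO_SSLv2       = 0x01000000
    OP_NO_SSLv3       = 0x02000000

    def initialize(compression: false, sslv2: false, sslv3: false)
      @compression, @sslv2, @sslv3 = compression, sslv2, sslv3
    end

    def compression_enabled?; @compression; end
    def sslv2_enabled?;       @sslv2;       end
    def sslv3_enabled?;       @sslv3;       end

    # Bitmask suitable for SSLContext#options=.
    def to_options
      flags = 0
      flags |= OP_NO_COMPRESSION unless compression_enabled?
      flags |= OP_NO_SSLv2       unless sslv2_enabled?
      flags |= OP_NO_SSLv3       unless sslv3_enabled?
      flags
    end

    # Inverse of #to_options, for auditing an existing options value.
    def self.from_options(flags)
      new(compression: (flags & OP_NO_COMPRESSION).zero?,
          sslv2:       (flags & OP_NO_SSLv2).zero?,
          sslv3:       (flags & OP_NO_SSLv3).zero?)
    end
  end

  DEFAULT_PARAMS = {
    ciphers: Ciphers.default_list,
    options: Configuration.new.to_options,
  }.freeze
end

if __FILE__ == $0
  # An app pinning a legacy suite next to a whitelisted one is warned about
  # RC4-MD5 instead of getting a silent handshake failure; "!aNULL" is ignored.
  SafeSSL::Ciphers.check("ECDHE-RSA-AES128-GCM-SHA256:RC4-MD5:!aNULL")
  p SafeSSL::Configuration.from_options(SafeSSL::DEFAULT_PARAMS[:options])
end
```

Ciphers.check returns the offending names rather than raising, which is what makes the backport question in the proposal tractable: a backported version can log and continue, while a new minor release can turn the same return value into an error.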
* [ruby-core:61559] [ruby-trunk - Bug #9613] Warn about unsafe ossl ciphers
From: naruse @ 2014-03-17 18:54 UTC
To: ruby-core
Issue #9613 has been updated by Yui NARUSE.
Related to Backport #9640: Please backport SSL fixes to 2.1 added
----------------------------------------
Bug #9613: Warn about unsafe ossl ciphers
https://bugs.ruby-lang.org/issues/9613#change-45841
* Author: Zachary Scott
* Status: Open
* Priority: Normal
* Assignee:
* Category: ext/openssl
* Target version: current: 2.2.0
* ruby -v: 2.2.0dev
* Backport: 1.9.3: UNKNOWN, 2.0.0: UNKNOWN, 2.1: UNKNOWN
----------------------------------------
* [ruby-core:61569] [ruby-trunk - Bug #9613] Warn about unsafe ossl ciphers
From: ch---bugs-ruby-lang @ 2014-03-18 0:01 UTC
To: ruby-core
Issue #9613 has been updated by Christian Hofstaedtler.
Single datapoint: 45274 will likely end up in Debian jessie's ruby 2.1, and by extension probably in Ubuntu's ruby 2.1.
----------------------------------------
Bug #9613: Warn about unsafe ossl ciphers
https://bugs.ruby-lang.org/issues/9613#change-45851
* Author: Zachary Scott
* Status: Open
* Priority: Normal
* Assignee:
* Category: ext/openssl
* Target version: current: 2.2.0
* ruby -v: 2.2.0dev
* Backport: 1.9.3: UNKNOWN, 2.0.0: UNKNOWN, 2.1: UNKNOWN
----------------------------------------
* [ruby-core:70786] [Ruby trunk - Feature #9613] Warn about unsafe ossl ciphers
From: zzak @ 2015-09-13 3:27 UTC
To: ruby-core
Issue #9613 has been updated by Zachary Scott.
Tracker changed from Bug to Feature
Assignee set to openssl
----------------------------------------
Feature #9613: Warn about unsafe ossl ciphers
https://bugs.ruby-lang.org/issues/9613#change-54169
* Author: Zachary Scott
* Status: Open
* Priority: Normal
* Assignee: openssl
----------------------------------------