From 080db3b2082f34042a41379da9adb81dced9ebd4 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?V=C3=ADt=20Ondruch?= Date: Thu, 23 Jul 2015 14:09:03 +0200 Subject: [PATCH] Fix test broken by disable SSLv3 in OpenSSL. --- ...3-in-test-as-it-is-insecure-and-may-.patch | 25 +++++++++++++++++++ ...-when-testing-SSL-session-cache-call.patch | 23 +++++++++++++++++ ruby.spec | 10 +++++--- 3 files changed, 54 insertions(+), 4 deletions(-) create mode 100644 ruby-2.3.0-Don-t-force-SSLv3-in-test-as-it-is-insecure-and-may-.patch create mode 100644 ruby-2.3.0-Use-OP_NO_TICKET-when-testing-SSL-session-cache-call.patch diff --git a/ruby-2.3.0-Don-t-force-SSLv3-in-test-as-it-is-insecure-and-may-.patch b/ruby-2.3.0-Don-t-force-SSLv3-in-test-as-it-is-insecure-and-may-.patch new file mode 100644 index 0000000..efd947f --- /dev/null +++ b/ruby-2.3.0-Don-t-force-SSLv3-in-test-as-it-is-insecure-and-may-.patch @@ -0,0 +1,25 @@ +From b9fa5fc9a14e6c889c9a0fa9c9386b2018f2314c Mon Sep 17 00:00:00 2001 +From: Jeremy Evans +Date: Fri, 17 Jul 2015 11:25:09 -0600 +Subject: [PATCH 4/8] Don't force SSLv3 in test, as it is insecure and may not + be supported + +LibreSSL disables SSLv3 by default, and there's no reason this code +should require SSLv3. + +diff --git test/openssl/test_ssl_session.rb test/openssl/test_ssl_session.rb +index 0c384c7..d4713d9 100644 +--- test/openssl/test_ssl_session.rb ++++ test/openssl/test_ssl_session.rb +@@ -355,7 +355,7 @@ __EOS__ + 3.times do + sock = TCPSocket.new("127.0.0.1", port) + begin +- ssl = OpenSSL::SSL::SSLSocket.new(sock, OpenSSL::SSL::SSLContext.new("SSLv3")) ++ ssl = OpenSSL::SSL::SSLSocket.new(sock, OpenSSL::SSL::SSLContext.new) + ssl.sync_close = true + ssl.session = last_client_session if last_client_session + ssl.connect +-- +2.4.5 + diff --git a/ruby-2.3.0-Use-OP_NO_TICKET-when-testing-SSL-session-cache-call.patch b/ruby-2.3.0-Use-OP_NO_TICKET-when-testing-SSL-session-cache-call.patch new file mode 100644 index 0000000..d5e90ae --- /dev/null +++ b/ruby-2.3.0-Use-OP_NO_TICKET-when-testing-SSL-session-cache-call.patch @@ -0,0 +1,23 @@ +From fb08c34eee2c883a01ab0dda2a2e34a290516a2a Mon Sep 17 00:00:00 2001 +From: Jeremy Evans +Date: Fri, 17 Jul 2015 11:31:45 -0600 +Subject: [PATCH 5/8] Use OP_NO_TICKET when testing SSL session cache callbacks + +This fixes the test when using LibreSSL and possibly some +configurations of OpenSSL. + +diff --git test/openssl/test_ssl_session.rb test/openssl/test_ssl_session.rb +index d4713d9..58fa20b 100644 +--- test/openssl/test_ssl_session.rb ++++ test/openssl/test_ssl_session.rb +@@ -316,6 +316,7 @@ __EOS__ + + ctx_proc = Proc.new { |ctx, ssl| + ctx.session_cache_mode = OpenSSL::SSL::SSLContext::SESSION_CACHE_SERVER ++ ctx.options = OpenSSL::SSL::OP_NO_TICKET + last_server_session = nil + + # get_cb is called whenever a client proposed to resume a session but +-- +2.4.5 + diff --git a/ruby.spec b/ruby.spec index 664c002..181f910 100644 --- a/ruby.spec +++ b/ruby.spec @@ -112,6 +112,10 @@ Patch5: ruby-1.9.3-mkmf-verbose.patch # in support for ABRT. # http://bugs.ruby-lang.org/issues/8566 Patch6: ruby-2.1.0-Allow-to-specify-additional-preludes-by-configuratio.patch +# Don't use SSLv3 for tests. +# https://bugs.ruby-lang.org/issues/10046 +Patch10: ruby-2.3.0-Don-t-force-SSLv3-in-test-as-it-is-insecure-and-may-.patch +Patch11: ruby-2.3.0-Use-OP_NO_TICKET-when-testing-SSL-session-cache-call.patch Requires: %{name}-libs%{?_isa} = %{version}-%{release} Requires: ruby(rubygems) >= %{rubygems_version} @@ -430,6 +434,8 @@ rm -rf ext/fiddle/libffi* %patch4 -p1 %patch5 -p1 %patch6 -p1 +%patch10 +%patch11 # Provide an example of usage of the tapset: cp -a %{SOURCE3} . @@ -584,10 +590,6 @@ DISABLE_TESTS="" # the test suite). touch abrt.rb -# Test is broken due to SSLv3 disabled in Fedora. -# https://bugs.ruby-lang.org/issues/10046 -sed -i '/def test_ctx_server_session_cb$/,/^ end$/ s/^/#/' test/openssl/test_ssl_session.rb - make check TESTS="-v $DISABLE_TESTS" %post libs -p /sbin/ldconfig