Fix Ruby OpenSSL to respect crypto-policies TLS minimal version.

This issue was identified at the ticket RHEL-21019. https://issues.redhat.com/browse/RHEL-21019
2024-12-16 17:16:12 +01:00 · 2024-12-16 17:16:12 +01:00 · 9a447e5643
commit 9a447e5643
parent 685a16b645
2 changed files with 53 additions and 0 deletions
--- a/ruby-3.4.0-openssl-respect-crypto-policies-tls-min.patch
+++ b/ruby-3.4.0-openssl-respect-crypto-policies-tls-min.patch
@ -0,0 +1,47 @@
+From ae215a47ae1a6527bb7b8566e5bcc9430652462f Mon Sep 17 00:00:00 2001
+From: Ewoud Kohl van Wijngaarden <ewoud@kohlvanwijngaarden.nl>
+Date: Fri, 5 Jan 2024 15:58:59 +0100
+Subject: [PATCH] Only set min_version on OpenSSL < 1.1.0
+
+Both Red Hat and Debian-like systems configure the minimum TLS version
+to be 1.2 by default, but allow users to change this via configs.
+
+On Red Hat and derivatives this happens via crypto-policies[1], which in
+writes settings in /etc/crypto-policies/back-ends/opensslcnf.config.
+Most notably, it sets TLS.MinProtocol there. For Debian there's
+MinProtocol in /etc/ssl/openssl.cnf. Both default to TLSv1.2, which is
+considered a secure default.
+
+In constrast, the SSLContext has a hard coded OpenSSL::SSL::TLS1_VERSION
+for min_version. TLS 1.0 and 1.1 are considered insecure. By always
+setting this in the default parameters, the system wide default can't be
+respected, even if a developer wants to.
+
+This takes the approach that's also done for ciphers: it's only set for
+OpenSSL < 1.1.0.
+
+[1]: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening
+---
+ lib/openssl/ssl.rb | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/ext/openssl/lib/openssl/ssl.rb b/ext/openssl/lib/openssl/ssl.rb
+index e557b8b48..83ecacafb 100644
+--- a/ext/openssl/lib/openssl/ssl.rb
+++ b/ext/openssl/lib/openssl/ssl.rb
+@@ -22,7 +22,6 @@ module OpenSSL
+   module SSL
+     class SSLContext
+       DEFAULT_PARAMS = { # :nodoc:
+-        :min_version => OpenSSL::SSL::TLS1_VERSION,
+         :verify_mode => OpenSSL::SSL::VERIFY_PEER,
+         :verify_hostname => true,
+         :options => -> {
+@@ -55,6 +54,7 @@ class SSLContext
+       if !(OpenSSL::OPENSSL_VERSION.start_with?("OpenSSL") &&
+            OpenSSL::OPENSSL_VERSION_NUMBER >= 0x10100000)
+         DEFAULT_PARAMS.merge!(
+          min_version: OpenSSL::SSL::TLS1_VERSION,
+           ciphers: %w{
+             ECDHE-ECDSA-AES128-GCM-SHA256
+             ECDHE-RSA-AES128-GCM-SHA256
--- a/ruby.spec
+++ b/ruby.spec
@ -284,6 +284,10 @@ Patch9: ruby-3.3.0-Disable-syntax-suggest-test-case.patch
 # Make sure hardeding flags are correctly applied.
 # https://bugs.ruby-lang.org/issues/20520
 Patch12: ruby-3.4.0-Extract-hardening-CFLAGS-to-a-special-hardenflags-variable.patch
+# Fix Ruby OpenSSL to respect crypto-policies TLS minimal version.
+# https://github.com/ruby/openssl/pull/710
+# https://github.com/ruby/ruby/commit/6213ab1a51387fd9cdcb5e87908722f3bbdf78cb
+Patch13: ruby-3.4.0-openssl-respect-crypto-policies-tls-min.patch

 Requires: %{name}-libs%{?_isa} = %{version}-%{release}
 %{?with_rubypick:Suggests: rubypick}
@ -763,6 +767,7 @@ analysis result in RBS format, a standard type description format for Ruby
 %patch 6 -p1
 %patch 9 -p1
 %patch 12 -p1
+%patch 13 -p1

 # Provide an example of usage of the tapset:
 cp -a %{SOURCE3} .
@ -1752,6 +1757,7 @@ make -C %{_vpath_builddir} runruby TESTRUN_SCRIPT=" \
 %changelog
 * Tue Jan 28 2025 Jun Aruga <jaruga@redhat.com> - 3.3.7-17
 - Upgrade to Ruby 3.3.7.
+- Fix Ruby OpenSSL to respect crypto-policies TLS minimal version.

 * Mon Nov 11 2024 Vít Ondruch <vondruch@redhat.com> - 3.3.6-16
 - Upgrade to Ruby 3.3.6.