From da4a9f4b889f411ef65240da312906ce0b2db978 Mon Sep 17 00:00:00 2001 From: Jun Aruga Date: Mon, 16 Dec 2024 17:16:12 +0100 Subject: [PATCH] Fix Ruby OpenSSL to respect crypto-policies TLS minimal version. This issue was identified at the ticket RHEL-21019. https://issues.redhat.com/browse/RHEL-21019 --- ...nssl-respect-crypto-policies-tls-min.patch | 47 +++++++++++++++++++ ruby.spec | 10 +++- 2 files changed, 56 insertions(+), 1 deletion(-) create mode 100644 ruby-3.4.0-openssl-respect-crypto-policies-tls-min.patch diff --git a/ruby-3.4.0-openssl-respect-crypto-policies-tls-min.patch b/ruby-3.4.0-openssl-respect-crypto-policies-tls-min.patch new file mode 100644 index 0000000..6c7a4dd --- /dev/null +++ b/ruby-3.4.0-openssl-respect-crypto-policies-tls-min.patch @@ -0,0 +1,47 @@ +From ae215a47ae1a6527bb7b8566e5bcc9430652462f Mon Sep 17 00:00:00 2001 +From: Ewoud Kohl van Wijngaarden +Date: Fri, 5 Jan 2024 15:58:59 +0100 +Subject: [PATCH] Only set min_version on OpenSSL < 1.1.0 + +Both Red Hat and Debian-like systems configure the minimum TLS version +to be 1.2 by default, but allow users to change this via configs. + +On Red Hat and derivatives this happens via crypto-policies[1], which in +writes settings in /etc/crypto-policies/back-ends/opensslcnf.config. +Most notably, it sets TLS.MinProtocol there. For Debian there's +MinProtocol in /etc/ssl/openssl.cnf. Both default to TLSv1.2, which is +considered a secure default. + +In constrast, the SSLContext has a hard coded OpenSSL::SSL::TLS1_VERSION +for min_version. TLS 1.0 and 1.1 are considered insecure. By always +setting this in the default parameters, the system wide default can't be +respected, even if a developer wants to. + +This takes the approach that's also done for ciphers: it's only set for +OpenSSL < 1.1.0. + +[1]: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening +--- + lib/openssl/ssl.rb | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ext/openssl/lib/openssl/ssl.rb b/ext/openssl/lib/openssl/ssl.rb +index e557b8b48..83ecacafb 100644 +--- a/ext/openssl/lib/openssl/ssl.rb ++++ b/ext/openssl/lib/openssl/ssl.rb +@@ -22,7 +22,6 @@ module OpenSSL + module SSL + class SSLContext + DEFAULT_PARAMS = { # :nodoc: +- :min_version => OpenSSL::SSL::TLS1_VERSION, + :verify_mode => OpenSSL::SSL::VERIFY_PEER, + :verify_hostname => true, + :options => -> { +@@ -55,6 +54,7 @@ class SSLContext + if !(OpenSSL::OPENSSL_VERSION.start_with?("OpenSSL") && + OpenSSL::OPENSSL_VERSION_NUMBER >= 0x10100000) + DEFAULT_PARAMS.merge!( ++ min_version: OpenSSL::SSL::TLS1_VERSION, + ciphers: %w{ + ECDHE-ECDSA-AES128-GCM-SHA256 + ECDHE-RSA-AES128-GCM-SHA256 diff --git a/ruby.spec b/ruby.spec index 88ea172..82b5d34 100644 --- a/ruby.spec +++ b/ruby.spec @@ -173,7 +173,7 @@ Summary: An interpreter of object-oriented scripting language Name: ruby Version: %{ruby_version}%{?development_release} -Release: 17%{?dist} +Release: 18%{?dist} # Licenses, which are likely not included in binary RPMs: # Apache-2.0: # benchmark/gc/redblack.rb @@ -282,6 +282,10 @@ Patch9: ruby-3.3.0-Disable-syntax-suggest-test-case.patch # Make sure hardeding flags are correctly applied. # https://bugs.ruby-lang.org/issues/20520 Patch12: ruby-3.4.0-Extract-hardening-CFLAGS-to-a-special-hardenflags-variable.patch +# Fix Ruby OpenSSL to respect crypto-policies TLS minimal version. +# https://github.com/ruby/openssl/pull/710 +# https://github.com/ruby/ruby/commit/6213ab1a51387fd9cdcb5e87908722f3bbdf78cb +Patch13: ruby-3.4.0-openssl-respect-crypto-policies-tls-min.patch Requires: %{name}-libs%{?_isa} = %{version}-%{release} %{?with_rubypick:Suggests: rubypick} @@ -761,6 +765,7 @@ analysis result in RBS format, a standard type description format for Ruby %patch 6 -p1 %patch 9 -p1 %patch 12 -p1 +%patch 13 -p1 # Provide an example of usage of the tapset: cp -a %{SOURCE3} . @@ -1756,6 +1761,9 @@ make -C %{_vpath_builddir} runruby TESTRUN_SCRIPT=" \ %changelog +* Mon Dec 16 2024 Jun Aruga - 3.3.6-18 +- Fix Ruby OpenSSL to respect crypto-policies TLS minimal version. + * Wed Nov 20 2024 David Abdurachmanov - 3.3.6-17 - Add riscv64 information for checksec