Pure Ruby EM SSL (working start_tls) #712
Conversation
| ctx.cert = OpenSSL::X509::Certificate.new(tls_parms[:cert_chain]) if tls_parms[:cert_chain] | ||
| ctx.key = OpenSSL::PKey::RSA.new(tls_parms[:priv_key]) if tls_parms[:priv_key] | ||
| verify_mode = OpenSSL::SSL::VERIFY_NONE | ||
| if tls_parms[:verify_peer] || tls_parms[:verify_peer] == 1 |
There was a problem hiding this comment.
Is this redundant because 1 is truthy?
There was a problem hiding this comment.
I'll happily remove the extra conditional, wasn't sure if all consuming libraries were following the rules and using a boolean.
|
Looks like we do not want to set context ssl_version, but instead use context options or ciphers to limit (like the C++ reactor). |
| EM_PROTO_TLSv1_2 => OpenSSL::SSL::OP_NO_TLSv1_2 | ||
| }.inject(0) do |options, (bits, option)| | ||
| options |= option if (bits & protocols_bitmask) == 0 | ||
| options |
There was a problem hiding this comment.
Yes, this better matches the C++ by looping over the entire array. Note that ssl_version might also be a non-array (but I think I coerce it to an array in lib/em/connection.rb, so by the time it gets to the reactor it should always be an array? gotta double check).
This is something I implemented differently in EM 1.2 vs. how Ruby does it, is allowing an array of possible ssl_versions. I want to propose this upstream; the way Ruby does it now makes it fairly hard to write "Allow the following SSL/TLS protocol versions: TLS 1.0, 1.1, or 1.2"
|
@sodabrew I think I have taken this as far as I can for the time being. These changes allow Sensu to run on platforms that cannot successfully compile the c++ reactor 👍 |
|
@amdprophet it's happening!
|
|
I made sure to comment on the few SSL test omission lines. |
|
|
|
I'll give this another look over and run the test suite myself in a few hours. Assuming I don't find anything else at issue, are you still working on this, or ready for merge? |
|
@sodabrew ready for merge 👍 |
|
The stock OS X Ruby 2.0 may have an older OpenSSL under the hood? and I found myself replacing this nice Hash inject with a less elegant pile of ifs, because I don't have the TLSv1_1, TLSv1_2 macros available: |
|
@sodabrew would you like me to apply your patch to this pr? |
|
Yes please do. I hadn't looked at the context for |
|
@sodabrew I'll make the necessary changes 👍 Thanks for catching these. |
| # SSLErrorWaitReadable and SSLErrorWaitWritable OpenSSL classes. | ||
| # Set them if not defined. | ||
| unless defined?(OpenSSL::SSL::SSLErrorWaitReadable) | ||
| OpenSSL::SSL::SSLErrorWaitReadable = OpenSSL::SSL::SSLError |
There was a problem hiding this comment.
I think this is OK? I wonder if it will work-alike.
There was a problem hiding this comment.
The problem is that this will rescue instances of OpenSSL::SSL::SSLError in the blocks for the Read/Write errors. I think the way to roll is to flip the situation around, so below you'd rescue a new class EventMachine::Error::SSLErrorWaitWritable, and then define it as:
if defined?(OpenSSL::SSL::SSLErrorWaitWritable)
EventMachine::Error::SSLErrorWaitWritable = OpenSSL::SSL::SSLErrorWaitWritable
else
class EventMachine::Error::SSLErrorWaitWritable < EventMachine::Error; end
endThere was a problem hiding this comment.
This is a better approach, I'll apply a similar patch 👍
There was a problem hiding this comment.
Figuring out what openssl threw before wait writable etc.
|
@sodabrew ready for your review & testing once again 👍 |
|
|
|
@sodabrew please let me know if there are any other changes that I need to make. We would love to see this make it into upstream 👍 |
|
Would you mind squashing to fewer commits? I think just a few commits should suffice for the final form of this PR. |
[pure_ruby_tls] initial implementation [pure_ruby_tls] closer to working start_tls [pure_ruby_tls] working start_tls implementation [pure_ruby_tls] fixed connection completed [pure_ruby_tls] debugging handshake errors when certs are used [pure_ruby_tls] fully operational battle station [pure_ruby_tls] implemented fail_if_no_peer_cert, cipher_list, and protocols_bitmask [pure_ruby_tls] support testing pure ruby reactor [pure_ruby_tls] ssl/tls tcp support support [pure_ruby_tls] working tls server [pure_ruby_tls] delete dup tests [pure_ruby_tls] fixed tcp client ready?() for aix and solaris [pure_ruby_tls] only use Socket::TCP_INFO on linux [pure_ruby_tls] working ssl_handshake_completed [pure_ruby_tls] default cert/key, error classes, working unbind, fix blocking eventable_write, and tests! [pure_ruby_tls] changed default cert subject to include EM, removed verify_peer == 1 [pure_ruby_tls] working ssl verify with peer cert [pure_ruby_tls] fixed ssl options, OP_ALL [pure_ruby_tls] working get peer cert and cipher [pure_ruby_tls] fixed ssl_verify_peer connection close, working sni_hostname [pure_ruby_tls] working dhparam [pure_ruby_tls] working ecdh curve on ruby 2.3 [pure_ruby_tls] omit verify peer tests that do not pass due to default server chain [pure_ruby_tls] support older versions of ruby and openssl [pure_ruby_tls] fixed ssl wait readable/writable error handling on older rubies [pure_ruby_tls] older rubies missing default dh keys [pure_ruby_tls] removed duplicate default cert creator
portertech
force-pushed
the
feature/pure_ruby_tls
branch
from
891fbe7 to
adafc7b
Compare
|
@sodabrew commits clean up 👍 |
|
Thank you! |
This pull request adds SSL/TLS support to the pure Ruby EM implementation.
@amdprophet & I went into the belly of the beast that is em/pure_ruby. The pure Ruby implementation leaves much to be desired, but it's a start!