ssl: remove unsupported TLS versions from SSLContext::METHODS

rhenium · rhenium · commit 3e5a009966bd · 2017-08-08T18:08:03.000+09:00
Check for all version-specific SSL methods. We do check for existence of TLSv1_1_method() and TLSv1_2_method(), but not for TLSv1_method(). This fixes compile error when OpenSSL is configured with no-tls1-method. Also check the OPENSSL_NO_TLS{1,1_1,1_2} macros for whether OpenSSL supports the corresponding versions or not. This prevents :TLSv1 from being in SSLContext::METHODS when OpenSSL is compiled with no-tls1. In particular, Debian sid has disabled TLS 1.0/1.1 support recently. The changes in ext/openssl are partial backport of 4eb4b32 ("Remove support for OpenSSL 0.9.8 and 1.0.0", 2016-11-30).
diff --git a/ext/openssl/extconf.rb b/ext/openssl/extconf.rb
@@ -109,16 +109,10 @@ def find_openssl_library
 Logging::message "=== Checking for OpenSSL features... ===\n"
 # compile options
 
-# check OPENSSL_NO_{SSL2,SSL3_METHOD} macro: on some environment, these symbols
-# exist even if compiled with no-ssl2 or no-ssl3-method.
-unless have_macro("OPENSSL_NO_SSL2", "openssl/opensslconf.h")
-  have_func("SSLv2_method")
-end
-unless have_macro("OPENSSL_NO_SSL3_METHOD", "openssl/opensslconf.h")
-  have_func("SSLv3_method")
-end
-have_func("TLSv1_1_method")
-have_func("TLSv1_2_method")
+# SSLv2 and SSLv3 may be removed in future versions of OpenSSL, and even macros
+# like OPENSSL_NO_SSL2 may not be defined.
+have_func("SSLv2_method")
+have_func("SSLv3_method")
 have_func("RAND_egd")
 engines = %w{builtin_engines openbsd_dev_crypto dynamic 4758cca aep atalla chil
              cswift nuron sureware ubsec padlock capi gmp gost cryptodev aesni}
diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c
@@ -65,17 +65,19 @@ static const struct {
     { #name"_server", (SSL_METHOD *(*)(void))name##_server_method, version }, \
     { #name"_client", (SSL_METHOD *(*)(void))name##_client_method, version }
 #endif
-#if defined(HAVE_SSLV2_METHOD)
+#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL2_METHOD) && defined(HAVE_SSLV2_METHOD)
     OSSL_SSL_METHOD_ENTRY(SSLv2, SSL2_VERSION),
 #endif
-#if defined(HAVE_SSLV3_METHOD)
+#if !defined(OPENSSL_NO_SSL3) && !defined(OPENSSL_NO_SSL3_METHOD) && defined(HAVE_SSLV3_METHOD)
     OSSL_SSL_METHOD_ENTRY(SSLv3, SSL3_VERSION),
 #endif
+#if !defined(OPENSSL_NO_TLS1) && !defined(OPENSSL_NO_TLS1_METHOD)
     OSSL_SSL_METHOD_ENTRY(TLSv1, TLS1_VERSION),
-#if defined(HAVE_TLSV1_1_METHOD)
+#endif
+#if !defined(OPENSSL_NO_TLS1_1) && !defined(OPENSSL_NO_TLS1_1_METHOD)
     OSSL_SSL_METHOD_ENTRY(TLSv1_1, TLS1_1_VERSION),
 #endif
-#if defined(HAVE_TLSV1_2_METHOD)
+#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_TLS1_2_METHOD)
     OSSL_SSL_METHOD_ENTRY(TLSv1_2, TLS1_2_VERSION),
 #endif
     OSSL_SSL_METHOD_ENTRY(SSLv23, 0),
diff --git a/test/test_ssl.rb b/test/test_ssl.rb
@@ -810,7 +810,7 @@ def test_forbid_ssl_v3_from_server
 
 end
 
-if OpenSSL::SSL::SSLContext::METHODS.include? :TLSv1_1
+if OpenSSL::SSL::SSLContext::METHODS.include?(:TLSv1_1) && OpenSSL::SSL::SSLContext::METHODS.include?(:TLSv1)
 
   def test_tls_v1_1
     start_server_version(:TLSv1_1) { |server, port|
@@ -837,7 +837,7 @@ def test_forbid_tls_v1_from_server
 
 end
 
-if OpenSSL::SSL::SSLContext::METHODS.include? :TLSv1_2
+if OpenSSL::SSL::SSLContext::METHODS.include?(:TLSv1_2) && OpenSSL::SSL::SSLContext::METHODS.include?(:TLSv1_1)
 
   def test_tls_v1_2
     start_server_version(:TLSv1_2) { |server, port|
diff --git a/test/test_ssl_session.rb b/test/test_ssl_session.rb
@@ -48,7 +48,7 @@ def test_session
     Timeout.timeout(5) do
       start_server do |server, port|
         sock = TCPSocket.new("127.0.0.1", port)
-        ctx = OpenSSL::SSL::SSLContext.new("TLSv1")
+        ctx = OpenSSL::SSL::SSLContext.new
         ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
         ssl.sync_close = true
         ssl.connect
@@ -157,9 +157,7 @@ def test_client_session
     start_server do |server, port|
       2.times do
         sock = TCPSocket.new("127.0.0.1", port)
-        # Debian's openssl 0.9.8g-13 failed at assert(ssl.session_reused?),
-        # when use default SSLContext. [ruby-dev:36167]
-        ctx = OpenSSL::SSL::SSLContext.new("TLSv1")
+        ctx = OpenSSL::SSL::SSLContext.new
         ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
         ssl.sync_close = true
         ssl.session = last_session if last_session
