| | | |
|---|---|---|
| author | taca <taca@pkgsrc.org> | 2012-02-16 16:36:07 +0000 |
| committer | taca <taca@pkgsrc.org> | 2012-02-16 16:36:07 +0000 |
| commit | 48a2d9372e7095f15ee6ad8f191934cf5fa50c20 (patch) | |
| tree | 51eb308f08263f55f02bf1564a1ad9f3cba92b53 /lang/gprolog | |
| parent | 5184ce61ac59252c45adb56d57ac3fcf5d4a52c4 (diff) | |
| download | pkgsrc-48a2d9372e7095f15ee6ad8f191934cf5fa50c20.tar.gz | |
Update ruby18-base package to 1.8.7-pl357 (Ruby 1.8.7 patchlevel 357).

Wed Feb 8 14:06:59 2012 Hiroshi Nakamura <nahi@ruby-lang.org>

* ext/openssl/ossl_ssl.c: Add SSL constants and allow to unset SSL
option to prevent BEAST attack. See [Bug #5353].

In OpenSSL, OP_DONT_INSERT_EMPTY_FRAGMENTS is used to prevent
TLS-CBC-IV vulnerability described at
http://www.openssl.org/~bodo/tls-cbc.txt
It's a known issue of TLSv1/SSLv3 but it attracts lots of attention
these days as BEAST attack. (CVE-2011-3389)

Until now ossl sets OP_ALL at SSLContext allocation and calls
SSL_CTX_set_options at connection. SSL_CTX_set_options updates the
value by using |= so bits set by OP_ALL cannot be unset afterwards.

This commit changes to call SSL_CTX_set_options only 1 time for each
SSLContext. It sets the specified value if SSLContext#options= is
called and sets OP_ALL if not.

To help users to unset bits in OP_ALL, this commit also adds several
constants to SSL such as
OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS. These constants were
not exposed in Ruby because there's no way to unset bits in OP_ALL
before.

Following is an example to enable 0/n split for BEAST prevention.

    ctx.options = OP_ALL & ~OP_DONT_INSERT_EMPTY_FRAGMENTS

* test/openssl/test_ssl.rb: Test above option exists.
Diffstat (limited to 'lang/gprolog')
0 files changed, 0 insertions, 0 deletions
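
The option handling described in the commit message, as an added Ruby example that is not part of the commit or of Ruby's own test suite. It contrasts the old OR-only merge, under which a cleared bit comes back, with assignment through `SSLContext#options=`. The helper names (`legacy_effective_options`, `hardened_context`, `empty_fragments_suppressed?`) and `EMPTY_FRAG_BIT` are hypothetical; only the `OpenSSL::SSL` constants and `options=` come from the message.

```ruby
require "openssl"

# Hypothetical helper names; only the OpenSSL::SSL constants and
# SSLContext#options= are taken from the commit message.
EMPTY_FRAG_BIT = OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS

# Model of the behaviour before the change: OP_ALL is applied when the
# context is allocated, then the caller's value is OR-ed in at connection
# time, so a bit the caller cleared is still present in the result.
def legacy_effective_options(requested)
  mask = OpenSSL::SSL::OP_ALL
  mask |= requested
  mask
end

# Behaviour after the change: the value assigned through options= is the
# one that takes effect, so the OP_ALL bit can be removed.
def hardened_context
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.options = OpenSSL::SSL::OP_ALL & ~EMPTY_FRAG_BIT
  ctx
end

# True when the mask turns the empty-fragment (0/n split) countermeasure off.
def empty_fragments_suppressed?(mask)
  (mask & EMPTY_FRAG_BIT) != 0
end

if __FILE__ == $PROGRAM_NAME
  requested = OpenSSL::SSL::OP_ALL & ~EMPTY_FRAG_BIT
  legacy = legacy_effective_options(requested)
  puts "legacy merge:  suppressed=#{empty_fragments_suppressed?(legacy)}"
  puts "after change:  suppressed=#{empty_fragments_suppressed?(hardened_context.options)}"
end
```

Auditing `ctx.options` with the same bit test on a live context is a quick way to confirm that an application's setting survived.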