diff --git a/ruby-3.4.0-openssl-respect-crypto-policies-tls-min.patch b/ruby-3.4.0-openssl-respect-crypto-policies-tls-min.patch new file mode 100644 index 0000000..6c7a4dd --- /dev/null +++ b/ruby-3.4.0-openssl-respect-crypto-policies-tls-min.patch @@ -0,0 +1,47 @@ +From ae215a47ae1a6527bb7b8566e5bcc9430652462f Mon Sep 17 00:00:00 2001 +From: Ewoud Kohl van Wijngaarden +Date: Fri, 5 Jan 2024 15:58:59 +0100 +Subject: [PATCH] Only set min_version on OpenSSL < 1.1.0 + +Both Red Hat and Debian-like systems configure the minimum TLS version +to be 1.2 by default, but allow users to change this via configs. + +On Red Hat and derivatives this happens via crypto-policies[1], which in +writes settings in /etc/crypto-policies/back-ends/opensslcnf.config. +Most notably, it sets TLS.MinProtocol there. For Debian there's +MinProtocol in /etc/ssl/openssl.cnf. Both default to TLSv1.2, which is +considered a secure default. + +In constrast, the SSLContext has a hard coded OpenSSL::SSL::TLS1_VERSION +for min_version. TLS 1.0 and 1.1 are considered insecure. By always +setting this in the default parameters, the system wide default can't be +respected, even if a developer wants to. + +This takes the approach that's also done for ciphers: it's only set for +OpenSSL < 1.1.0. + +[1]: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening +--- + lib/openssl/ssl.rb | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ext/openssl/lib/openssl/ssl.rb b/ext/openssl/lib/openssl/ssl.rb +index e557b8b48..83ecacafb 100644 +--- a/ext/openssl/lib/openssl/ssl.rb ++++ b/ext/openssl/lib/openssl/ssl.rb +@@ -22,7 +22,6 @@ module OpenSSL + module SSL + class SSLContext + DEFAULT_PARAMS = { # :nodoc: +- :min_version => OpenSSL::SSL::TLS1_VERSION, + :verify_mode => OpenSSL::SSL::VERIFY_PEER, + :verify_hostname => true, + :options => -> { +@@ -55,6 +54,7 @@ class SSLContext + if !(OpenSSL::OPENSSL_VERSION.start_with?("OpenSSL") && + OpenSSL::OPENSSL_VERSION_NUMBER >= 0x10100000) + DEFAULT_PARAMS.merge!( ++ min_version: OpenSSL::SSL::TLS1_VERSION, + ciphers: %w{ + ECDHE-ECDSA-AES128-GCM-SHA256 + ECDHE-RSA-AES128-GCM-SHA256 diff --git a/ruby.spec b/ruby.spec index 4f2d6a4..e2256f0 100644 --- a/ruby.spec +++ b/ruby.spec @@ -281,6 +281,10 @@ Patch9: ruby-3.3.0-Disable-syntax-suggest-test-case.patch # Make sure hardeding flags are correctly applied. # https://bugs.ruby-lang.org/issues/20520 Patch12: ruby-3.4.0-Extract-hardening-CFLAGS-to-a-special-hardenflags-variable.patch +# Fix Ruby OpenSSL to respect crypto-policies TLS minimal version. +# https://github.com/ruby/openssl/pull/710 +# https://github.com/ruby/ruby/commit/6213ab1a51387fd9cdcb5e87908722f3bbdf78cb +Patch13: ruby-3.4.0-openssl-respect-crypto-policies-tls-min.patch Requires: %{name}-libs%{?_isa} = %{version}-%{release} %{?with_rubypick:Suggests: rubypick} @@ -761,6 +765,7 @@ analysis result in RBS format, a standard type description format for Ruby %patch 6 -p1 %patch 9 -p1 %patch 12 -p1 +%patch 13 -p1 # Provide an example of usage of the tapset: cp -a %{SOURCE3} . @@ -1766,6 +1771,8 @@ make -C %{_vpath_builddir} runruby TESTRUN_SCRIPT=" \ * Thu Jan 30 2025 Jun Aruga - 3.3.7-9 - Upgrade to Ruby 3.3.7 Resolves: RHEL-77994 +- Fix Ruby OpenSSL to respect crypto-policies TLS minimal version. + Resolves: RHEL-21019 * Tue Oct 29 2024 Troy Dawson - Bump release for October 2024 mass rebuild: