From 693a96cb402ee7c698cd1bffa50d54e8660bf920 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?V=C3=ADt=20Ondruch?=
Date: Thu, 23 Jul 2015 14:09:03 +0200
Subject: [PATCH] Fix test broken by disabled SSLv3 in OpenSSL.
---
...3-in-test-as-it-is-insecure-and-may-.patch | 25 +++++++++++++++++++
...-when-testing-SSL-session-cache-call.patch | 23 +++++++++++++++++
...2.3.0-fix-test-ctx-client-session-cb.patch | 13 ++++++++++
ruby.spec | 13 ++++++----
4 files changed, 69 insertions(+), 5 deletions(-)
create mode 100644 ruby-2.3.0-Don-t-force-SSLv3-in-test-as-it-is-insecure-and-may-.patch
create mode 100644 ruby-2.3.0-Use-OP_NO_TICKET-when-testing-SSL-session-cache-call.patch
create mode 100644 ruby-2.3.0-fix-test-ctx-client-session-cb.patch
diff --git a/ruby-2.3.0-Don-t-force-SSLv3-in-test-as-it-is-insecure-and-may-.patch b/ruby-2.3.0-Don-t-force-SSLv3-in-test-as-it-is-insecure-and-may-.patch
new file mode 100644
index 0000000..efd947f
--- /dev/null
+++ b/ruby-2.3.0-Don-t-force-SSLv3-in-test-as-it-is-insecure-and-may-.patch
@@ -0,0 +1,25 @@
+From b9fa5fc9a14e6c889c9a0fa9c9386b2018f2314c Mon Sep 17 00:00:00 2001
+From: Jeremy Evans
+Date: Fri, 17 Jul 2015 11:25:09 -0600
+Subject: [PATCH 4/8] Don't force SSLv3 in test, as it is insecure and may not
+ be supported
+
+LibreSSL disables SSLv3 by default, and there's no reason this code
+should require SSLv3.
+
+diff --git test/openssl/test_ssl_session.rb test/openssl/test_ssl_session.rb
+index 0c384c7..d4713d9 100644
+--- test/openssl/test_ssl_session.rb
++++ test/openssl/test_ssl_session.rb
+@@ -355,7 +355,7 @@ __EOS__
+ 3.times do
+ sock = TCPSocket.new("127.0.0.1", port)
+ begin
+- ssl = OpenSSL::SSL::SSLSocket.new(sock, OpenSSL::SSL::SSLContext.new("SSLv3"))
++ ssl = OpenSSL::SSL::SSLSocket.new(sock, OpenSSL::SSL::SSLContext.new)
+ ssl.sync_close = true
+ ssl.session = last_client_session if last_client_session
+ ssl.connect
+--
+2.4.5
+
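Review bot: The replacement line `OpenSSL::SSL::SSLContext.new` in the embedded test_ssl_session.rb hunk leaves the protocol version to whatever the linked OpenSSL or LibreSSL build negotiates, and nothing next to it records that this is deliberate. A one-line comment above it, such as `# no pinned version: SSLv3 is disabled in LibreSSL and in distro OpenSSL builds`, would keep a later edit from re-pinning a protocol. The same applies to `ctx = OpenSSL::SSL::SSLContext.new` in ruby-2.3.0-fix-test-ctx-client-session-cb.patch. The `3.times do` block ends outside the hunk, so whether the negotiated version is checked further down cannot be seen here.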
diff --git a/ruby-2.3.0-Use-OP_NO_TICKET-when-testing-SSL-session-cache-call.patch b/ruby-2.3.0-Use-OP_NO_TICKET-when-testing-SSL-session-cache-call.patch
new file mode 100644
index 0000000..d5e90ae
--- /dev/null
+++ b/ruby-2.3.0-Use-OP_NO_TICKET-when-testing-SSL-session-cache-call.patch
@@ -0,0 +1,23 @@
+From fb08c34eee2c883a01ab0dda2a2e34a290516a2a Mon Sep 17 00:00:00 2001
+From: Jeremy Evans
+Date: Fri, 17 Jul 2015 11:31:45 -0600
+Subject: [PATCH 5/8] Use OP_NO_TICKET when testing SSL session cache callbacks
+
+This fixes the test when using LibreSSL and possibly some
+configurations of OpenSSL.
+
+diff --git test/openssl/test_ssl_session.rb test/openssl/test_ssl_session.rb
+index d4713d9..58fa20b 100644
+--- test/openssl/test_ssl_session.rb
++++ test/openssl/test_ssl_session.rb
+@@ -316,6 +316,7 @@ __EOS__
+
+ ctx_proc = Proc.new { |ctx, ssl|
+ ctx.session_cache_mode = OpenSSL::SSL::SSLContext::SESSION_CACHE_SERVER
++ ctx.options = OpenSSL::SSL::OP_NO_TICKET
+ last_server_session = nil
+
+ # get_cb is called whenever a client proposed to resume a session but
+--
+2.4.5
+
diff --git a/ruby-2.3.0-fix-test-ctx-client-session-cb.patch b/ruby-2.3.0-fix-test-ctx-client-session-cb.patch
new file mode 100644
index 0000000..0757a52
--- /dev/null
+++ b/ruby-2.3.0-fix-test-ctx-client-session-cb.patch
@@ -0,0 +1,13 @@
+Index: test/openssl/test_ssl_session.rb
+===================================================================
+--- test/openssl/test_ssl_session.rb (revision 49098)
++++ test/openssl/test_ssl_session.rb (revision 49099)
+@@ -278,7 +278,7 @@
+
+ def test_ctx_client_session_cb
+ called = {}
+- ctx = OpenSSL::SSL::SSLContext.new("SSLv3")
++ ctx = OpenSSL::SSL::SSLContext.new
+ ctx.session_cache_mode = OpenSSL::SSL::SSLContext::SESSION_CACHE_CLIENT
+
+ ctx.session_new_cb = lambda { |ary|
diff --git a/ruby.spec b/ruby.spec
index 00cc467..2dec272 100644
--- a/ruby.spec
+++ b/ruby.spec
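Review bot: `ctx.options = OpenSSL::SSL::OP_NO_TICKET` in the Use-OP_NO_TICKET patch assigns the option mask instead of adding to it, so any bits the server context already carried (protocol-disabling options, for instance) would be replaced. Whether any are set before `ctx_proc` runs is not visible in this hunk. OR-ing the flag in, `ctx.options = (ctx.options || 0) | OpenSSL::SSL::OP_NO_TICKET`, keeps them. A short comment on why tickets are turned off would also help; presumably ticket-based resumption would bypass the server-side cache callbacks this test exercises. The `ctx_proc` block continues past the end of the hunk.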
@@ -117,6 +117,11 @@ Patch7: ruby-2.2.1-use-statfs.patch # https://github.com/rubygems/rubygems/issues/1289 # https://github.com/ruby/ruby/commit/6398515adfc86813686605019a3e22d49cd95517 Patch8: ruby-2.3.0-test_gem_remote_fetcher.rb-get-rid-of-errors.patch +# Don't use SSLv3 for tests. +# https://bugs.ruby-lang.org/issues/10046 +Patch9: ruby-2.3.0-fix-test-ctx-client-session-cb.patch +Patch10: ruby-2.3.0-Don-t-force-SSLv3-in-test-as-it-is-insecure-and-may-.patch +Patch11: ruby-2.3.0-Use-OP_NO_TICKET-when-testing-SSL-session-cache-call.patch Requires: %{name}-libs%{?_isa} = %{version}-%{release} Requires: ruby(rubygems) >= %{rubygems_version} @@ -419,6 +424,9 @@ rm -rf ext/fiddle/libffi* %patch6 -p1 %patch7 -p1 %patch8 -p1 +%patch9 +%patch10 +%patch11 # Provide an example of usage of the tapset: cp -a %{SOURCE3} . @@ -602,11 +610,6 @@ DISABLE_TESTS="" # the test suite). touch abrt.rb -# Test is broken due to SSLv3 disabled in Fedora. -# https://bugs.ruby-lang.org/issues/10046 -sed -i '/def test_ctx_client_session_cb$/,/^ end$/ s/^/#/' test/openssl/test_ssl_session.rb -sed -i '/def test_ctx_server_session_cb$/,/^ end$/ s/^/#/' test/openssl/test_ssl_session.rb - make check TESTS="-v $DISABLE_TESTS" %post libs -p /sbin/ldconfig
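Review bot: Only the SSLv3 removal can be traced from the comment block above `Patch9`. Patch10 and Patch11 carry `[PATCH 4/8]` and `[PATCH 5/8]` headers from a series whose upstream location is not recorded here. If they come from the same issue, saying so is enough; otherwise a line such as `# Patch10, Patch11: <upstream commit or issue URL>` would let a later rebase tell when each one can be dropped.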
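Review bot: `%patch9`, `%patch10` and `%patch11` are applied without a strip level while the lines directly above use `-p1`. This looks intentional, since the embedded diffs use unprefixed paths (`--- test/openssl/test_ssl_session.rb`), but it reads like an omission. Writing `%patch9 -p0` (and the same for 10 and 11) states the strip level explicitly instead of relying on the tool default.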