RHEL-21019

ruby-openssl doesn't respect crypto-policies' default minimal TLS protocol

Type: Bug
Resolution: Unresolved

What were you trying to do that didn't work?

I've reported this upstream https://github.com/ruby/openssl/issues/709

The short version is that /etc/crypto-policies/back-ends/opensslcnf.config defines the TLS.MinProtocol version, but in /usr/share/gems/gems/openssl-2.1.2/lib/openssl/ssl.rb this is overridden and hardcoded to TLSv1.0. Higher-level API consumers can then change the min_version in SSLContext, but by default the user's crypto-policies (https://www.redhat.com/en/blog/consistent-security-crypto-policies-red-hat-enterprise-linux-8) are not respected.

Please provide the package NVR for which the bug is seen:

I only tested this with CentOS Stream 8 (rubygem-openssl-2.1.2-111.module_el8+475+35a6c697.x86_64), but since it's also present in git master I think it affects all versions.

How reproducible:

Always

Steps to reproduce

1. Have TLS.MinProtocol = TLSv1.2 in /etc/crypto-policies/back-ends/opensslcnf.config (default)
2. Use net/http to connect to a TLS < 1.2 host

Expected results

It refuses to connect

Actual results

It connects
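The following Ruby is an added example, not code from the report, from the ruby-openssl gem or from Red Hat. It shows the workaround the report alludes to (an API consumer setting min_version on the SSLContext) done in a way that follows the system policy instead of a fixed value: the MinProtocol line is read from the opensslcnf.config text and pinned on the context after set_params, which is the step where the gem's hardcoded floor would otherwise apply. SAMPLE_POLICY, PROTO_CONSTANTS, min_version_from_policy, policy_aware_context and policy_aware_http are assumed names; the sample policy text is constructed to mirror the TLS.MinProtocol key the report cites, and the fallback to TLS 1.2 when no key is found is a design choice of this example, not gem behaviour.

```ruby
require "openssl"
require "net/http"

# Path of the crypto-policies back-end file named in the report.
POLICY_FILE = "/etc/crypto-policies/back-ends/opensslcnf.config"

# Constructed sample of that file's relevant keys (not the real file contents).
SAMPLE_POLICY = <<~CONF
  [ crypto_policy ]
  TLS.MinProtocol = TLSv1.2
  TLS.MaxProtocol = TLSv1.3
  DTLS.MinProtocol = DTLSv1.2
CONF

# Policy value -> name of the matching OpenSSL::SSL version constant.
PROTO_CONSTANTS = {
  "TLSv1"   => "TLS1_VERSION",
  "TLSv1.1" => "TLS1_1_VERSION",
  "TLSv1.2" => "TLS1_2_VERSION",
  "TLSv1.3" => "TLS1_3_VERSION",
}.freeze

# Floor used when the policy text has no usable MinProtocol line (assumption
# of this example: fail towards the stricter, current default of TLS 1.2).
FALLBACK_MIN = OpenSSL::SSL::TLS1_2_VERSION

# Parse "TLS.MinProtocol = TLSv1.2" (RHEL 8 spelling) or "MinProtocol = ..."
# from policy text. DTLS.MinProtocol lines are deliberately not matched.
def min_version_from_policy(text)
  m = text.match(/^\s*(?:TLS\.)?MinProtocol\s*=\s*(\S+)/)
  return FALLBACK_MIN unless m
  name = PROTO_CONSTANTS[m[1]]
  return FALLBACK_MIN unless name && OpenSSL::SSL.const_defined?(name)
  OpenSSL::SSL.const_get(name)
end

# Read the live policy file; empty text (and thus the fallback) off RHEL.
def system_policy_text
  File.exist?(POLICY_FILE) ? File.read(POLICY_FILE) : ""
end

# Build a client context whose protocol floor is set AFTER set_params, so the
# gem's DEFAULT_PARAMS min_version (TLSv1.0 in the reported version) is not
# what ends up in effect.
def policy_aware_context(policy_text = system_policy_text)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.set_params # applies the gem defaults, including its own min_version
  ctx.min_version = min_version_from_policy(policy_text)
  ctx
end

# Same idea for net/http, which the report's reproduction step uses: pin the
# floor on the Net::HTTP object before #start is called.
def policy_aware_http(host, port = 443, policy_text = system_policy_text)
  http = Net::HTTP.new(host, port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.min_version = min_version_from_policy(policy_text)
  http
end

if __FILE__ == $PROGRAM_NAME
  floor = min_version_from_policy(system_policy_text)
  puts "effective TLS floor from #{POLICY_FILE}: 0x#{floor.to_s(16)}"
end
```

With TLS.MinProtocol = TLSv1.2 in the policy, a connection made through policy_aware_http to a server that only offers TLS 1.0 or 1.1 fails the handshake, which is the "refuses to connect" outcome the report expects; without the explicit min_version the gem's own floor decides.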

People: Jun Aruga (jaruga), Ewoud Kohl van Wijngaarden (ekohlvan@redhat.com), ruby-maint, rhel-ruby-qe bot