SSLContext#ciphers= mutates the context when set fails #219

Closed
@p-mongo


If I try to set the ciphers to a value which is rejected, the cipher list is still modified (set to the empty list):

irb(main):020:0> c=OpenSSL::SSL::SSLContext.new
=> #<OpenSSL::SSL::SSLContext:0x3c3820bb>
irb(main):021:0> c.ciphers
=> [["ECDHE-ECDSA-AES128-GCM-SHA256", "TLSv1/SSLv3", 128, 256], ["ECDHE-RSA-AES128-GCM-SHA256", "TLSv1/SSLv3", 128, 256], ["AES128-GCM-SHA256", "TLSv1/SSLv3", 128, 256], ["ECDH-ECDSA-AES128-GCM-SHA256", "TLSv1/SSLv3", 128, 256], ["ECDH-RSA-AES128-GCM-SHA256", "TLSv1/SSLv3", 128, 256], ["DHE-RSA-AES128-GCM-SHA256", "TLSv1/SSLv3", 128, 256], ["DHE-DSS-AES128-GCM-SHA256", "TLSv1/SSLv3", 128, 256], ["ECDHE-ECDSA-AES128-SHA256", "TLSv1/SSLv3", 128, 256], ["ECDHE-RSA-AES128-SHA256", "TLSv1/SSLv3", 128, 256], ["AES128-SHA256", "TLSv1/SSLv3", 128, 256], ["ECDH-ECDSA-AES128-SHA256", "TLSv1/SSLv3", 128, 256], ["ECDH-RSA-AES128-SHA256", "TLSv1/SSLv3", 128, 256], ["DHE-RSA-AES128-SHA256", "TLSv1/SSLv3", 128, 256], ["DHE-DSS-AES128-SHA256", "TLSv1/SSLv3", 128, 256], ["ECDHE-ECDSA-AES128-SHA", "TLSv1/SSLv3", 128, 128], ["ECDHE-RSA-AES128-SHA", "TLSv1/SSLv3", 128, 128], ["AES128-SHA", "TLSv1/SSLv3", 128, 128], ["ECDH-ECDSA-AES128-SHA", "TLSv1/SSLv3", 128, 128], ["ECDH-RSA-AES128-SHA", "TLSv1/SSLv3", 128, 128], ["DHE-RSA-AES128-SHA", "TLSv1/SSLv3", 128, 128], ["DHE-DSS-AES128-SHA", "TLSv1/SSLv3", 128, 128], ["ECDHE-ECDSA-AES256-GCM-SHA384", "TLSv1/SSLv3", 256, 384], ["ECDHE-RSA-AES256-GCM-SHA384", "TLSv1/SSLv3", 256, 384], ["AES256-GCM-SHA384", "TLSv1/SSLv3", 256, 384], ["ECDH-ECDSA-AES256-GCM-SHA384", "TLSv1/SSLv3", 256, 384], ["ECDH-RSA-AES256-GCM-SHA384", "TLSv1/SSLv3", 256, 384], ["DHE-RSA-AES256-GCM-SHA384", "TLSv1/SSLv3", 256, 384], ["DHE-DSS-AES256-GCM-SHA384", "TLSv1/SSLv3", 256, 384], ["ECDHE-ECDSA-AES256-SHA384", "TLSv1/SSLv3", 256, 384], ["ECDHE-RSA-AES256-SHA384", "TLSv1/SSLv3", 256, 384], ["AES256-SHA256", "TLSv1/SSLv3", 256, 256], ["ECDH-ECDSA-AES256-SHA384", "TLSv1/SSLv3", 256, 384], ["ECDH-RSA-AES256-SHA384", "TLSv1/SSLv3", 256, 384], ["DHE-RSA-AES256-SHA256", "TLSv1/SSLv3", 256, 256], ["DHE-DSS-AES256-SHA256", "TLSv1/SSLv3", 256, 256], ["ECDHE-ECDSA-AES256-SHA", "TLSv1/SSLv3", 256, 256], ["ECDHE-RSA-AES256-SHA", "TLSv1/SSLv3", 256, 256], ["AES256-SHA", 
"TLSv1/SSLv3", 256, 256], ["ECDH-ECDSA-AES256-SHA", "TLSv1/SSLv3", 256, 256], ["ECDH-RSA-AES256-SHA", "TLSv1/SSLv3", 256, 256], ["DHE-RSA-AES256-SHA", "TLSv1/SSLv3", 256, 256], ["DHE-DSS-AES256-SHA", "TLSv1/SSLv3", 256, 256]]
irb(main):022:0> c.ciphers=['AES256-SHA']
Traceback (most recent call last):
        7: from /home/w/.rbenv/versions/jruby-9.2.13/bin/irb:13:in `<main>'
        6: from org/jruby/RubyKernel.java:1189:in `catch'
        5: from org/jruby/RubyKernel.java:1189:in `catch'
        4: from org/jruby/RubyKernel.java:1442:in `loop'
        3: from org/jruby/RubyKernel.java:1048:in `eval'
        2: from (irb):22:in `evaluate'
        1: from org/jruby/ext/openssl/SSLContext.java:507:in `ciphers='
OpenSSL::SSL::SSLError (no cipher match)
irb(main):023:0> c.ciphers
=> []

I expect the context to only be modified if the assignment succeeded.

jruby 9.2.13.0 (2.5.7) 2020-08-03 9a89c94bcc OpenJDK 64-Bit Server VM 11.0.9+11-post-Debian-1 on 11.0.9+11-post-Debian-1 +jit [linux-x86_64]
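
A defensive pattern for the behaviour reported above, as an added example that is not part of the original issue or of jruby-openssl: the cipher list is tried on a throwaway context first, so a rejected value raises before the real context is touched. `set_ciphers_checked` and `legacy_cipher_names` are hypothetical helper names, and the code assumes a fresh context accepts and rejects the same cipher strings as the target.

```ruby
require "openssl"

# Hypothetical helper (not part of the openssl or jruby-openssl API).
# Tries the cipher list on a scratch SSLContext first; if that raises,
# the real context is never assigned to and keeps its current list.
# Assumption: a fresh context accepts and rejects the same cipher strings
# as `ctx`; settings already applied to `ctx` (security level, protocol
# bounds) are not copied to the scratch context.
def set_ciphers_checked(ctx, ciphers)
  scratch = OpenSSL::SSL::SSLContext.new
  scratch.ciphers = ciphers   # raises OpenSSL::SSL::SSLError on "no cipher match"
  ctx.ciphers = ciphers
  ctx
end

# Names of the pre-TLS 1.3 ciphers enabled on a context. TLS 1.3 suites are
# skipped because they are not selected through the cipher list.
def legacy_cipher_names(ctx)
  ctx.ciphers.reject { |_name, version, *_| version == "TLSv1.3" }.map(&:first)
end

# Returns [list before, list after, error message] for a rejected assignment.
def demo_rejected_assignment
  ctx = OpenSSL::SSL::SSLContext.new
  before = ctx.ciphers
  error = nil
  begin
    set_ciphers_checked(ctx, ["NOT-A-REAL-CIPHER"]) # constructed invalid name
  rescue OpenSSL::SSL::SSLError => e
    error = e.message
  end
  [before, ctx.ciphers, error]
end

if __FILE__ == $PROGRAM_NAME
  before, after, error = demo_rejected_assignment
  puts "rejected: #{error}"
  puts "context unchanged: #{before == after}"
end
```

Code that rescues `OpenSSL::SSL::SSLError` around a direct `ciphers=` call and then keeps using the same context should re-check `ctx.ciphers` before the context is used for a handshake.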
