OpenSSL::SSL::SSLSocket writes plaintext to the wire unless #connect is called #9
Comments
Note: rhenium/ruby@195c9ad?w=1 The code is already in the oldest version of 'OpenSSL for Ruby' I could find, but the history from before 'SSLSocket' was merged into it is missing. So I still don't know why it was made this way.
@rhenium that's unfortunate 😢 I have run into similar problems with the test suite trying to make improvements like this.
Actually net/http was the only one using the behavior. It has been replaced now: ruby/ruby@4081b34. Since the gem also targets 2.3 for now, we can't remove it immediately, though.
+1
OpenSSL::SSL::SSLSocket allowed #read and #write to be called before an SSL/TLS handshake is completed. They passed unencrypted data to the underlying socket. This behavior is very odd to have in this library. A verbose mode warning "SSL session is not started yet" was emitted whenever this happened. It also didn't behave well with OpenSSL::Buffering. Let's just get rid of it. Fixes: ruby/openssl#9 ruby/openssl@bf780748b3
Repro here:
https://gist.github.com/tarcieri/b20437a1b9364d82c365
Attempting to do I/O before the SSL handshake has completed should raise an exception instead of writing plaintext to the wire.
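A local, offline check for the behaviour this issue describes, added here as an example (it is not code from the issue, the linked gist, or the ruby/openssl project). It wraps one end of a socketpair in an SSLSocket, calls #write without ever calling #connect, and reports whether the constructed canary string reached the raw peer socket in the clear or whether an exception was raised instead:

```ruby
require "openssl"
require "socket"

# Constructed probe payload; it never leaves the local socketpair.
CANARY = "canary-plaintext-probe".freeze

# Returns { raised: <exception class or nil>, leaked_plaintext: true/false }.
# On the buggy versions discussed in the issue, #write before the handshake
# hands the bytes straight to the underlying socket (leaked_plaintext: true).
# On fixed versions the write raises and nothing reaches the peer.
def probe_write_before_handshake(payload = CANARY)
  local, peer = UNIXSocket.pair
  ctx = OpenSSL::SSL::SSLContext.new
  ssl = OpenSSL::SSL::SSLSocket.new(local, ctx)
  ssl.sync = true # make OpenSSL::Buffering flush on every #write
  error = nil
  begin
    ssl.write(payload) # deliberately no #connect / #accept first
  rescue StandardError => e
    error = e
  end

  # Check whether anything arrived, unencrypted, at the other end.
  leaked = ""
  if IO.select([peer], nil, nil, 0.2)
    data = peer.read_nonblock(4096, exception: false)
    leaked = data if data.is_a?(String)
  end
  { raised: error && error.class, leaked_plaintext: leaked.include?(payload) }
ensure
  local&.close
  peer&.close
end

if __FILE__ == $0
  r = probe_write_before_handshake
  if r[:leaked_plaintext]
    puts "VULNERABLE: plaintext reached the wire before the handshake"
  else
    puts "OK: write before handshake raised #{r[:raised]}"
  end
end
```

On Ruby with the fixed gem, the write raises before any bytes touch the socket, which is exactly the behaviour the issue asks for.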