Add 'sigalgs=' method for setting accepted signature algorithms #769
Conversation
This adds OpenSSL::SSL::SSLContext#sigalgs= method and according unit tests to provide access to the OpenSSL SSL_CTX_set1_sigalgs_list() method. Using this method, authentication signature algorithms can be configured.
mj-vivavis
force-pushed
the
add-sigalgs-support
branch
from
8e538fd to
206e431
Compare
ext/openssl/ossl_ssl.c
Outdated
| SSL_CTX *ctx; | ||
|
|
||
| if (NIL_P(v)) | ||
| return v; |
There was a problem hiding this comment.
Shouldn't ssl_ctx.sigalgs = nil be an error (i.e., do nothing and let StringValueCStr() raise TypeError)?
There was a problem hiding this comment.
Maybe yes, since one most likely did not expect this to be a no-op. I originally decided to implement it consistent to ctx.ciphersuites = nil, which also silently ignores an nil-Argument.
There was a problem hiding this comment.
Good catch... ctx.ciphersuites = nil doesn't seem right either.
| def test_sigalgs_method_valid_sigalgs | ||
| ssl_ctx = OpenSSL::SSL::SSLContext.new | ||
| pend 'sigalgs= method is missing' unless ssl_ctx.respond_to?(:sigalgs=) | ||
|
|
||
| ssl_ctx.freeze | ||
| assert_raise(FrozenError) { ssl_ctx.sigalgs = '"ECDSA+SHA256:RSA+SHA256"' } | ||
| end |
There was a problem hiding this comment.
This seems unfinished - was it supposed to be the successful path?
There should be a test case that involves an actual TLS session with start_server.
| @@ -195,6 +195,7 @@ def find_openssl_library | |||
| have_func("EVP_PKEY_check(NULL)", evp_h) | |||
| have_func("EVP_PKEY_new_raw_private_key(0, NULL, (unsigned char *)\"\", 0)", evp_h) | |||
| have_func("SSL_CTX_set_ciphersuites(NULL, \"\")", ssl_h) | |||
| have_func("SSL_CTX_set1_sigalgs(NULL, NULL, 0L)", ssl_h) | |||
There was a problem hiding this comment.
Please check SSL_CTX_set1_sigalgs_list() (with _list) as it is the function used in ossl_ssl.c.
|
Hi @mj-vivavis, I hope you are doing well. Could you rebase this PR on the latest master branch and check the review comments? I want to see the support of the |
|
Please see #895 |
I would appreciate your work! |
This adds OpenSSL::SSL::SSLContext#sigalgs= method and according unit tests to provide access to the OpenSSL SSL_CTX_set1_sigalgs_list() method. Using this method, the enabled/supported signature algorithms for client/server authentication can be configured.