Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package ruby-httpclient

ruby-httpclient currently in Jessie FTBFS due to failing tests because of a deprecated default SSL configuration (#768673). The bug is fixed with 2.3.3-3.1, uploaded in unstable earlier today, thanks to Tomasz Buchert, who imported some fixes from upstream for a sane default configuration.

Please find attached the debdiff between the two versions.

Thanks in advance.

Best wishes,
Cédric

unblock ruby-httpclient/2.3.3-3.1

-- System Information:
Debian Release: jessie/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16-2-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru ruby-httpclient-2.3.3/debian/changelog ruby-httpclient-2.3.3/debian/changelog
--- ruby-httpclient-2.3.3/debian/changelog 2014-06-27 03:03:36.000000000 +0200
+++ ruby-httpclient-2.3.3/debian/changelog 2014-11-27 11:33:03.000000000 +0100
@@ -1,3 +1,12 @@
+ruby-httpclient (2.3.3-3.1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+ * Fix default SSL configuration (Closes: #768673)
+ The patch 0003-fix-ssl-config.patch extracted from upstream code is
+ added to set the default SSL configuration to auto instead of SSLv3.
+
+ -- Tomasz Buchert <tomasz.buchert@inria.fr> Wed, 26 Nov 2014 18:59:26 +0100
+
ruby-httpclient (2.3.3-3) unstable; urgency=medium
* fix-port-allocation-in-tests.patch: fix port allocation for servers
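Review bot: the changelog entry only says the default moves "to auto instead of SSLv3", but the patch also ORs OP_NO_SSLv3 (and OP_NO_COMPRESSION where defined) into the default options, so clients relying on the defaults will now refuse SSLv3-only peers; one more sentence stating that SSLv3 is disabled by default would tell users why connections to such endpoints start failing after the upgrade.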
diff -Nru ruby-httpclient-2.3.3/debian/patches/0003-fix-ssl-config.patch ruby-httpclient-2.3.3/debian/patches/0003-fix-ssl-config.patch
--- ruby-httpclient-2.3.3/debian/patches/0003-fix-ssl-config.patch 1970-01-01 01:00:00.000000000 +0100
+++ ruby-httpclient-2.3.3/debian/patches/0003-fix-ssl-config.patch 2014-11-27 11:16:13.000000000 +0100
@@ -0,0 +1,64 @@
+Description: Change default SSL configuration
+ The POODLE attack (https://en.wikipedia.org/wiki/POODLE) deprecated the use
+ of SSLv3 protocol. We change the default configuration to autodetection
+ and try to explicitly disable SSLv2 and SSLv3, preferring TLS protocol suites
+ instead.
+ This patch is a minimal adaptation of a commit in the project's upstream:
+ https://github.com/nahi/httpclient/commit/90d5c791c941c72521784dc4ea8eed60987800da
+
+--- a/lib/httpclient/ssl_config.rb
++++ b/lib/httpclient/ssl_config.rb
+@@ -34,7 +34,13 @@
+ class SSLConfig
+ include OpenSSL if SSLEnabled
+
+- # String name of OpenSSL's SSL version method name: SSLv2, SSLv23 or SSLv3
++ # Which TLS protocol version (also called method) will be used. Defaults
++ # to :auto which means that OpenSSL decides (In my tests this resulted
++ # with always the highest available protocol being used).
++ # String name of OpenSSL's SSL version method name: TLSv1_2, TLSv1_1, TLSv1,
++ # SSLv2, SSLv23, SSLv3 or :auto (and nil) to allow version negotiation (default).
++ # See {OpenSSL::SSL::SSLContext::METHODS} for a list of available versions
++ # in your specific Ruby environment.
+ attr_reader :ssl_version
+ # OpenSSL::X509::Certificate:: certificate for SSL client authenticateion.
+ # nil by default. (no client authenticateion)
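Review bot: the DEP-3 header block carries only Description even though the text already names the upstream commit URL and the changelog closes #768673; add `Origin: backport, https://github.com/nahi/httpclient/commit/90d5c791c941c72521784dc4ea8eed60987800da` and `Bug-Debian: https://bugs.debian.org/768673` so the provenance is machine-readable. In the same region, the two comment blocks above `attr_reader :ssl_version` describe the same attribute twice (the first, with its "In my tests" remark, is upstream's wording); collapsing them into one list of accepted values plus the `:auto`/nil default would read better.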
+@@ -83,8 +89,13 @@
+ @verify_callback = nil
+ @dest = nil
+ @timeout = nil
+- @ssl_version = "SSLv3"
+- @options = defined?(SSL::OP_ALL) ? SSL::OP_ALL | SSL::OP_NO_SSLv2 : nil
++ @ssl_version = :auto
++ # Follow ruby-ossl's definition
++ @options = OpenSSL::SSL::OP_ALL
++ @options &= ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS if defined?(OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS)
++ @options |= OpenSSL::SSL::OP_NO_COMPRESSION if defined?(OpenSSL::SSL::OP_NO_COMPRESSION)
++ @options |= OpenSSL::SSL::OP_NO_SSLv2 if defined?(OpenSSL::SSL::OP_NO_SSLv2)
++ @options |= OpenSSL::SSL::OP_NO_SSLv3 if defined?(OpenSSL::SSL::OP_NO_SSLv3)
+ # OpenSSL 0.9.8 default: "ALL:!ADH:!LOW:!EXP:!MD5:+SSLv2:@STRENGTH"
+ @ciphers = "ALL:!aNULL:!eNULL:!SSLv2" # OpenSSL >1.0.0 default
+ @cacerts_loaded = false
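Review bot: `@options = OpenSSL::SSL::OP_ALL` drops the guard that the replaced line had (`defined?(SSL::OP_ALL) ? SSL::OP_ALL | SSL::OP_NO_SSLv2 : nil`), so on a Ruby built without the openssl extension the constructor now raises NameError instead of leaving `@options` nil; keep the `defined?` check or wrap the whole block in `if SSLEnabled`, which the class already tests for its `include`. Note also that OP_NO_SSLv3 is only applied when the constant is defined, so on an openssl binding lacking it `:auto` still leaves SSLv3 negotiable; the patch description should say that disabling SSLv3 depends on that constant being available.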
+@@ -283,7 +294,7 @@
+ ctx.timeout = @timeout
+ ctx.options = @options
+ ctx.ciphers = @ciphers
+- ctx.ssl_version = @ssl_version
++ ctx.ssl_version = @ssl_version unless @ssl_version == :auto
+ end
+
+ # post connection check proc for ruby < 1.8.5.
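Review bot: the comment added above `attr_reader :ssl_version` documents nil as an alias for version negotiation, but the guard here only tests `@ssl_version == :auto`, so a caller who sets `ssl_version = nil` still reaches `ctx.ssl_version = nil`; use `unless @ssl_version.nil? || @ssl_version == :auto` (or normalise nil to `:auto` in the writer) so the code matches the documented behaviour.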
+--- a/test/test_ssl.rb
++++ b/test/test_ssl.rb
+@@ -33,7 +33,10 @@
+ assert_equal(OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT, cfg.verify_mode)
+ assert_nil(cfg.verify_callback)
+ assert_nil(cfg.timeout)
+- assert_equal(OpenSSL::SSL::OP_ALL | OpenSSL::SSL::OP_NO_SSLv2, cfg.options)
++ expected_options = OpenSSL::SSL::OP_ALL | OpenSSL::SSL::OP_NO_SSLv2 | OpenSSL::SSL::OP_NO_SSLv3
++ expected_options &= ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS if defined?(OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS)
++ expected_options |= OpenSSL::SSL::OP_NO_COMPRESSION if defined?(OpenSSL::SSL::OP_NO_COMPRESSION)
++ assert_equal(expected_options, cfg.options)
+ assert_equal("ALL:!aNULL:!eNULL:!SSLv2", cfg.ciphers)
+ assert_instance_of(OpenSSL::X509::Store, cfg.cert_store)
+ end
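Review bot: the test updates the expected options but never asserts the headline change, namely that `cfg.ssl_version` now defaults to `:auto`; add `assert_equal(:auto, cfg.ssl_version)` beside the options check. Also, `expected_options` references OP_NO_SSLv3 unconditionally while ssl_config.rb guards it with `defined?`, so on a binding without that constant the test raises NameError rather than reflecting the weaker default; mirror the guard on both sides or drop it on both.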
diff -Nru ruby-httpclient-2.3.3/debian/patches/series ruby-httpclient-2.3.3/debian/patches/series
--- ruby-httpclient-2.3.3/debian/patches/series 2014-06-27 00:41:13.000000000 +0200
+++ ruby-httpclient-2.3.3/debian/patches/series 2014-11-27 11:16:13.000000000 +0100
@@ -1,2 +1,3 @@
0001-Remove-Hash-element-order-dependency.patch
fix-port-allocation-in-tests.patch
+0003-fix-ssl-config.patch
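Review bot: the new patch is numbered 0003 while the second entry in series (fix-port-allocation-in-tests.patch) is unnumbered, so the sequence reads 0001, unnumbered, 0003; quilt does not care, but picking one naming convention for the directory avoids implying a missing 0002.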