ruby-dev (Japanese) list archive (unofficial mirror)
* [ruby-dev:50960] [Ruby master Feature#17173] Want to be able to set ciphers in open-uri
From: zn @ 2020-09-16  4:55 UTC (permalink / raw)
  To: ruby-dev

Issue #17173 has been reported by znz (Kazuhiro NISHIYAMA).

----------------------------------------
Feature #17173: Want to be able to set ciphers in open-uri
https://bugs.ruby-lang.org/issues/17173

* Author: znz (Kazuhiro NISHIYAMA)
* Status: Open
* Priority: Normal
* Assignee: akr (Akira Tanaka)
----------------------------------------
In an environment with OpenSSL 1.1.1d on Debian GNU/Linux 10 (buster), connecting to https://www.famitsu.com fails with `dh key too small`, but setting `ciphers` to `DEFAULT:!DH` makes it connect, so I would like to be able to set `ciphers` via `open-uri` as well.

Check with curl:

```
% curl --head https://www.famitsu.com/
curl: (35) error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small
zsh: exit 35    curl --head https://www.famitsu.com/
% curl --ciphers 'DEFAULT:!DH' --head https://www.famitsu.com/
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Wed, 16 Sep 2020 04:48:25 GMT
Content-Type: text/html
Connection: keep-alive
Vary: Accept-Encoding
Accept-Ranges: bytes
Vary: Accept-Encoding
Strict-Transport-Security: max-age=60
```

Check with ruby:

```
% ruby -r open-uri -e 'open("https://www.famitsu.com/")'
Traceback (most recent call last):
        13: from -e:1:in `<main>'
        12: from /usr/lib/ruby/2.5.0/open-uri.rb:35:in `open'
        11: from /usr/lib/ruby/2.5.0/open-uri.rb:735:in `open'
        10: from /usr/lib/ruby/2.5.0/open-uri.rb:165:in `open_uri'
         9: from /usr/lib/ruby/2.5.0/open-uri.rb:224:in `open_loop'
         8: from /usr/lib/ruby/2.5.0/open-uri.rb:224:in `catch'
         7: from /usr/lib/ruby/2.5.0/open-uri.rb:226:in `block in open_loop'
         6: from /usr/lib/ruby/2.5.0/open-uri.rb:755:in `buffer_open'
         5: from /usr/lib/ruby/2.5.0/open-uri.rb:337:in `open_http'
         4: from /usr/lib/ruby/2.5.0/net/http.rb:909:in `start'
         3: from /usr/lib/ruby/2.5.0/net/http.rb:920:in `do_start'
         2: from /usr/lib/ruby/2.5.0/net/http.rb:985:in `connect'
         1: from /usr/lib/ruby/2.5.0/net/protocol.rb:44:in `ssl_socket_connect'
/usr/lib/ruby/2.5.0/net/protocol.rb:44:in `connect_nonblock': SSL_connect returned=1 errno=0 state=error: dh key too small (OpenSSL::SSL::SSLError)
zsh: exit 1     ruby -r open-uri -e 'open("https://www.famitsu.com/")'
% ruby -r net/http -e 'http=Net::HTTP.new("www.famitsu.com", 443); http.use_ssl=true; http.ciphers="DEFAULT:!DH"; p http.get("/")'
#<Net::HTTPOK 200 OK readbody=true>
```

According to https://www.ssllabs.com/ssltest/analyze.html?d=www.famitsu.com the Cipher Suites are

```
# TLS 1.2 (suites in server-preferred order)
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 1024 bits   FS   WEAK	256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 1024 bits   FS   WEAK	128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)   DH 1024 bits   FS   WEAK	256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)   DH 1024 bits   FS   WEAK	128
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)   WEAK	256
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)   WEAK	128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)   WEAK	256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)   WEAK	128
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH secp384r1 (eq. 7680 bits RSA)   FS	256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH secp384r1 (eq. 7680 bits RSA)   FS	128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH secp384r1 (eq. 7680 bits RSA)   FS   WEAK	256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH secp384r1 (eq. 7680 bits RSA)   FS   WEAK	128
```

and the Handshake Simulation shows

```
Chrome 80 / Win 10  R	RSA 2048 (SHA256)  	TLS 1.2	TLS_RSA_WITH_AES_256_GCM_SHA384  No FS
Firefox 73 / Win 10  R	RSA 2048 (SHA256)  	TLS 1.2	TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384   ECDH secp256r1  FS
OpenSSL 1.1.1c  R	RSA 2048 (SHA256)  	TLS 1.2	TLS_DHE_RSA_WITH_AES_256_GCM_SHA384   DH 1024  FS
```

so it appears there are servers configured such that `TLS_DHE_RSA_WITH_AES_256_GCM_SHA384` gets selected and clients that reject 1024-bit DH cannot connect. (A web search for `dh key too small` suggests there are other servers with the same configuration.)



-- 
https://bugs.ruby-lang.org/


* [ruby-dev:50961] [Ruby master Feature#17173] Want to be able to set ciphers in open-uri
From: akr @ 2020-09-25  9:17 UTC (permalink / raw)
  To: ruby-dev

Issue #17173 has been updated by akr (Akira Tanaka).


I think adding an `ssl_ciphers` keyword argument to open-uri that sets net/http's ciphers is a possibility.


----------------------------------------
Feature #17173: Want to be able to set ciphers in open-uri
https://bugs.ruby-lang.org/issues/17173#change-87701

* Author: znz (Kazuhiro NISHIYAMA)
* Status: Open
* Priority: Normal
* Assignee: akr (Akira Tanaka)
----------------------------------------

-- 
https://bugs.ruby-lang.org/
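
The report above works around the 1024-bit DH parameters by setting `http.ciphers = "DEFAULT:!DH"` on `Net::HTTP`, and the reply proposes an `ssl_ciphers` keyword for open-uri that would forward to the same setting. The Ruby script below is an added example, not code from this thread or from open-uri: it resolves cipher strings locally through the `openssl` extension (no connection is made), shows which suites `!DH` removes and which forward-secret ECDHE suites remain, and sketches the proposed keyword as a hypothetical `http_client_for` helper. `www.famitsu.com` is used only to build a client object; the function names and the `ssl_ciphers:` keyword are assumptions of this example, not open-uri's actual API.

```ruby
require 'openssl'
require 'net/http'
require 'uri'

# Resolve a cipher string locally and return the suite names OpenSSL would
# offer for it. SSLContext#ciphers yields [name, version, bits, alg_bits]
# entries; no network connection is made.
def cipher_names(cipher_string)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.ciphers = cipher_string
  ctx.ciphers.map(&:first)
end

# The RSA/DSS-authenticated finite-field DHE suites (TLS_DHE_RSA_* in the
# SSL Labs listing are DHE-RSA-* in OpenSSL naming). OpenSSL's "!DH" alias
# drops these kDHE suites; ECDHE-* suites use elliptic-curve key exchange
# and are untouched, so forward secrecy stays available.
def dhe_suites(names)
  names.grep(/\A(DHE|EDH)-(RSA|DSS)-/)
end

def ecdhe_suites(names)
  names.grep(/\AECDHE-/)
end

# Summary used to compare a cipher string before and after "!DH".
def describe_cipher_string(cipher_string)
  names = cipher_names(cipher_string)
  { total: names.size, dhe: dhe_suites(names).size, ecdhe: ecdhe_suites(names).size }
end

# Hypothetical shape of the reply's proposal: an ssl_ciphers: keyword that is
# forwarded to Net::HTTP#ciphers=. Written for this example; not open-uri's API.
def http_client_for(uri_string, ssl_ciphers: nil)
  uri = URI.parse(uri_string)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = (uri.scheme == "https")
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER  # narrowing ciphers must not relax cert checks
  http.ciphers = ssl_ciphers if ssl_ciphers      # e.g. "DEFAULT:!DH"
  http
end

if __FILE__ == $0
  %w[DEFAULT DEFAULT:!DH].each do |cs|
    puts "#{cs.ljust(12)} #{describe_cipher_string(cs)}"
  end
  client = http_client_for("https://www.famitsu.com/", ssl_ciphers: "DEFAULT:!DH")
  puts "client ciphers: #{client.ciphers.inspect}"   # object only; nothing is connected
end
```

Run with `ruby cipher_check.rb`. The comparison shows why the workaround does not weaken the client: `DEFAULT:!DH` removes only the finite-field DHE suites that would be negotiated against the server's 1024-bit parameters, while the ECDHE suites the server also offers (secp384r1 in the SSL Labs listing) remain and are what gets negotiated instead. Because `ciphers=` applies to every request made through that client, a per-call keyword such as the proposed `ssl_ciphers` is preferable to loosening a process-wide default.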
