* [ruby-dev:50960] [Ruby master Feature#17173] open-uri で ciphers を設定したい
@ 2020-09-16 4:55 zn
2020-09-25 9:17 ` [ruby-dev:50961] " akr
0 siblings, 1 reply; 2+ messages in thread
From: zn @ 2020-09-16 4:55 UTC (permalink / raw)
To: ruby-dev
Issue #17173 has been reported by znz (Kazuhiro NISHIYAMA).
----------------------------------------
Feature #17173: open-uri で ciphers を設定したい
https://bugs.ruby-lang.org/issues/17173
* Author: znz (Kazuhiro NISHIYAMA)
* Status: Open
* Priority: Normal
* Assignee: akr (Akira Tanaka)
----------------------------------------
Debian GNU/Linux 10 (buster) の OpenSSL 1.1.1d の環境だと https://www.famitsu.com で `dh key too small` になってつながらないのですが、 `ciphers` に `DEFAULT:!DH` を設定するとつながるので、 `open-uri` 経由でも `ciphers` を設定したいです。
curl での確認:
```
% curl --head https://www.famitsu.com/
curl: (35) error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small
zsh: exit 35 curl --head https://www.famitsu.com/
% curl --ciphers 'DEFAULT:!DH' --head https://www.famitsu.com/
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Wed, 16 Sep 2020 04:48:25 GMT
Content-Type: text/html
Connection: keep-alive
Vary: Accept-Encoding
Accept-Ranges: bytes
Vary: Accept-Encoding
Strict-Transport-Security: max-age=60
```
ruby での確認:
```
% ruby -r open-uri -e 'open("https://www.famitsu.com/")'
Traceback (most recent call last):
13: from -e:1:in `<main>'
12: from /usr/lib/ruby/2.5.0/open-uri.rb:35:in `open'
11: from /usr/lib/ruby/2.5.0/open-uri.rb:735:in `open'
10: from /usr/lib/ruby/2.5.0/open-uri.rb:165:in `open_uri'
9: from /usr/lib/ruby/2.5.0/open-uri.rb:224:in `open_loop'
8: from /usr/lib/ruby/2.5.0/open-uri.rb:224:in `catch'
7: from /usr/lib/ruby/2.5.0/open-uri.rb:226:in `block in open_loop'
6: from /usr/lib/ruby/2.5.0/open-uri.rb:755:in `buffer_open'
5: from /usr/lib/ruby/2.5.0/open-uri.rb:337:in `open_http'
4: from /usr/lib/ruby/2.5.0/net/http.rb:909:in `start'
3: from /usr/lib/ruby/2.5.0/net/http.rb:920:in `do_start'
2: from /usr/lib/ruby/2.5.0/net/http.rb:985:in `connect'
1: from /usr/lib/ruby/2.5.0/net/protocol.rb:44:in `ssl_socket_connect'
/usr/lib/ruby/2.5.0/net/protocol.rb:44:in `connect_nonblock': SSL_connect returned=1 errno=0 state=error: dh key too small (OpenSSL::SSL::SSLError)
zsh: exit 1 ruby -r open-uri -e 'open("https://www.famitsu.com/")'
% ruby -r net/http -e 'http=Net::HTTP.new("www.famitsu.com", 443); http.use_ssl=true; http.ciphers="DEFAULT:!DH"; p http.get("/")'
#<Net::HTTPOK 200 OK readbody=true>
```
https://www.ssllabs.com/ssltest/analyze.html?d=www.famitsu.com によると Cipher Suites は
```
# TLS 1.2 (suites in server-preferred order)
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) DH 1024 bits FS WEAK 256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) DH 1024 bits FS WEAK 128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) DH 1024 bits FS WEAK 256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67) DH 1024 bits FS WEAK 128
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) WEAK 256
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) WEAK 128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) WEAK 256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) WEAK 128
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH secp384r1 (eq. 7680 bits RSA) FS 256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH secp384r1 (eq. 7680 bits RSA) FS 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp384r1 (eq. 7680 bits RSA) FS WEAK 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp384r1 (eq. 7680 bits RSA) FS WEAK 128
```
となっていて、 Handshake Simulation では
```
Chrome 80 / Win 10 R RSA 2048 (SHA256) TLS 1.2 TLS_RSA_WITH_AES_256_GCM_SHA384 No FS
Firefox 73 / Win 10 R RSA 2048 (SHA256) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH secp256r1 FS
OpenSSL 1.1.1c R RSA 2048 (SHA256) TLS 1.2 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 DH 1024 FS
```
のようになっていて、 `TLS_DHE_RSA_WITH_AES_256_GCM_SHA384` が選ばれて DH 1024 bit を拒否するクライアントからは繋らない設定になっているサーバーがあるようです。(`dh key too small` で web 検索すると同様の設定のサーバーは他にもあるようです。)
--
https://bugs.ruby-lang.org/
^ permalink raw reply [flat|nested] 2+ messages in thread
* [ruby-dev:50961] [Ruby master Feature#17173] open-uri で ciphers を設定したい
2020-09-16 4:55 [ruby-dev:50960] [Ruby master Feature#17173] open-uri で ciphers を設定したい zn
@ 2020-09-25 9:17 ` akr
0 siblings, 0 replies; 2+ messages in thread
From: akr @ 2020-09-25 9:17 UTC (permalink / raw)
To: ruby-dev
Issue #17173 has been updated by akr (Akira Tanaka).
net/http の ciphers を設定する ssl_ciphers キーワード引数を open-uri に加えるのはあり得ると思います。
----------------------------------------
Feature #17173: open-uri で ciphers を設定したい
https://bugs.ruby-lang.org/issues/17173#change-87701
* Author: znz (Kazuhiro NISHIYAMA)
* Status: Open
* Priority: Normal
* Assignee: akr (Akira Tanaka)
----------------------------------------
Debian GNU/Linux 10 (buster) の OpenSSL 1.1.1d の環境だと https://www.famitsu.com で `dh key too small` になってつながらないのですが、 `ciphers` に `DEFAULT:!DH` を設定するとつながるので、 `open-uri` 経由でも `ciphers` を設定したいです。
curl での確認:
```
% curl --head https://www.famitsu.com/
curl: (35) error:141A318A:SSL routines:tls_process_ske_dhe:dh key too small
zsh: exit 35 curl --head https://www.famitsu.com/
% curl --ciphers 'DEFAULT:!DH' --head https://www.famitsu.com/
HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Wed, 16 Sep 2020 04:48:25 GMT
Content-Type: text/html
Connection: keep-alive
Vary: Accept-Encoding
Accept-Ranges: bytes
Vary: Accept-Encoding
Strict-Transport-Security: max-age=60
```
ruby での確認:
```
% ruby -r open-uri -e 'open("https://www.famitsu.com/")'
Traceback (most recent call last):
13: from -e:1:in `<main>'
12: from /usr/lib/ruby/2.5.0/open-uri.rb:35:in `open'
11: from /usr/lib/ruby/2.5.0/open-uri.rb:735:in `open'
10: from /usr/lib/ruby/2.5.0/open-uri.rb:165:in `open_uri'
9: from /usr/lib/ruby/2.5.0/open-uri.rb:224:in `open_loop'
8: from /usr/lib/ruby/2.5.0/open-uri.rb:224:in `catch'
7: from /usr/lib/ruby/2.5.0/open-uri.rb:226:in `block in open_loop'
6: from /usr/lib/ruby/2.5.0/open-uri.rb:755:in `buffer_open'
5: from /usr/lib/ruby/2.5.0/open-uri.rb:337:in `open_http'
4: from /usr/lib/ruby/2.5.0/net/http.rb:909:in `start'
3: from /usr/lib/ruby/2.5.0/net/http.rb:920:in `do_start'
2: from /usr/lib/ruby/2.5.0/net/http.rb:985:in `connect'
1: from /usr/lib/ruby/2.5.0/net/protocol.rb:44:in `ssl_socket_connect'
/usr/lib/ruby/2.5.0/net/protocol.rb:44:in `connect_nonblock': SSL_connect returned=1 errno=0 state=error: dh key too small (OpenSSL::SSL::SSLError)
zsh: exit 1 ruby -r open-uri -e 'open("https://www.famitsu.com/")'
% ruby -r net/http -e 'http=Net::HTTP.new("www.famitsu.com", 443); http.use_ssl=true; http.ciphers="DEFAULT:!DH"; p http.get("/")'
#<Net::HTTPOK 200 OK readbody=true>
```
https://www.ssllabs.com/ssltest/analyze.html?d=www.famitsu.com によると Cipher Suites は
```
# TLS 1.2 (suites in server-preferred order)
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) DH 1024 bits FS WEAK 256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) DH 1024 bits FS WEAK 128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) DH 1024 bits FS WEAK 256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67) DH 1024 bits FS WEAK 128
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) WEAK 256
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) WEAK 128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) WEAK 256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) WEAK 128
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) ECDH secp384r1 (eq. 7680 bits RSA) FS 256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) ECDH secp384r1 (eq. 7680 bits RSA) FS 128
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp384r1 (eq. 7680 bits RSA) FS WEAK 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp384r1 (eq. 7680 bits RSA) FS WEAK 128
```
となっていて、 Handshake Simulation では
```
Chrome 80 / Win 10 R RSA 2048 (SHA256) TLS 1.2 TLS_RSA_WITH_AES_256_GCM_SHA384 No FS
Firefox 73 / Win 10 R RSA 2048 (SHA256) TLS 1.2 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH secp256r1 FS
OpenSSL 1.1.1c R RSA 2048 (SHA256) TLS 1.2 TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 DH 1024 FS
```
のようになっていて、 `TLS_DHE_RSA_WITH_AES_256_GCM_SHA384` が選ばれて DH 1024 bit を拒否するクライアントからは繋らない設定になっているサーバーがあるようです。(`dh key too small` で web 検索すると同様の設定のサーバーは他にもあるようです。)
--
https://bugs.ruby-lang.org/
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2020-09-25 9:18 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-09-16 4:55 [ruby-dev:50960] [Ruby master Feature#17173] open-uri で ciphers を設定したい zn
2020-09-25 9:17 ` [ruby-dev:50961] " akr
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).