mcollective-client 2.6.0 → 2.6.1
| @@ -119,3 +119,32 @@ class Dir | |
| 119 119 | 
             
                File.expand_path(tmp)
         | 
| 120 120 | 
             
              end unless method_defined?(:tmpdir)
         | 
| 121 121 | 
             
            end
         | 
| 122 | 
            +
             | 
| 123 | 
            +
            # Reject all SSLv2 ciphers and all SSLv2 or SSLv3 handshakes by default
         | 
| 124 | 
            +
            require 'openssl'
         | 
| 125 | 
            +
            class OpenSSL::SSL::SSLContext
         | 
| 126 | 
            +
              if DEFAULT_PARAMS[:options]
         | 
| 127 | 
            +
                DEFAULT_PARAMS[:options] |= OpenSSL::SSL::OP_NO_SSLv2 | OpenSSL::SSL::OP_NO_SSLv3
         | 
| 128 | 
            +
              else
         | 
| 129 | 
            +
                DEFAULT_PARAMS[:options] = OpenSSL::SSL::OP_NO_SSLv2 | OpenSSL::SSL::OP_NO_SSLv3
         | 
| 130 | 
            +
              end
         | 
| 131 | 
            +
             | 
| 132 | 
            +
              # ruby 1.8.5 doesn't define this constant, but has it on by default
         | 
| 133 | 
            +
              if defined?(OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS)
         | 
| 134 | 
            +
                DEFAULT_PARAMS[:options] |= OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS
         | 
| 135 | 
            +
              end
         | 
| 136 | 
            +
             | 
| 137 | 
            +
              DEFAULT_PARAMS[:ciphers] << ':!SSLv2'
         | 
| 138 | 
            +
             | 
| 139 | 
            +
              alias __mcollective_original_initialize initialize
         | 
| 140 | 
            +
              private :__mcollective_original_initialize
         | 
| 141 | 
            +
             | 
| 142 | 
            +
              def initialize(*args)
         | 
| 143 | 
            +
                __mcollective_original_initialize(*args)
         | 
| 144 | 
            +
                params = {
         | 
| 145 | 
            +
                  :options => DEFAULT_PARAMS[:options],
         | 
| 146 | 
            +
                  :ciphers => DEFAULT_PARAMS[:ciphers],
         | 
| 147 | 
            +
                }
         | 
| 148 | 
            +
                set_params(params)
         | 
| 149 | 
            +
              end
         | 
| 150 | 
            +
            end
         | 
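Review bot: `DEFAULT_PARAMS[:ciphers] << ':!SSLv2'` assumes the key holds a mutable String, whereas the `:options` entry just above is guarded for nil; on a Ruby whose `DEFAULT_PARAMS` has no `:ciphers` entry, or a frozen one, this line would raise at load time and the hardening would not be applied at all. Building a new string avoids both cases, e.g. `DEFAULT_PARAMS[:ciphers] = "#{DEFAULT_PARAMS[:ciphers] || 'DEFAULT'}:!SSLv2"`. The `alias` is also unguarded, so loading this file a second time would alias the already-patched `initialize` onto `__mcollective_original_initialize` and recurse; wrapping the alias and the redefinition in `unless private_method_defined?(:__mcollective_original_initialize)` would follow the `unless method_defined?(:tmpdir)` pattern visible just above. A comment on the class should also state that the patch is process-wide: every `SSLContext` created by any library in the process is run through `set_params` with these defaults.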
| @@ -0,0 +1,31 @@ | |
| 1 | 
            +
            require 'spec_helper'
         | 
| 2 | 
            +
             | 
| 3 | 
            +
            require 'mcollective/monkey_patches'
         | 
| 4 | 
            +
             | 
| 5 | 
            +
            describe OpenSSL::SSL::SSLContext do
         | 
| 6 | 
            +
              it 'sets parameters on initialization' do
         | 
| 7 | 
            +
                described_class.any_instance.expects(:set_params)
         | 
| 8 | 
            +
                subject
         | 
| 9 | 
            +
              end
         | 
| 10 | 
            +
             | 
| 11 | 
            +
              it 'disables SSLv2 via the SSLContext#options bitmask' do
         | 
| 12 | 
            +
                (subject.options & OpenSSL::SSL::OP_NO_SSLv2).should == OpenSSL::SSL::OP_NO_SSLv2
         | 
| 13 | 
            +
              end
         | 
| 14 | 
            +
             | 
| 15 | 
            +
              it 'explicitly disable SSLv2 ciphers using the ! prefix so they cannot be re-added' do
         | 
| 16 | 
            +
                cipher_str = OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:ciphers]
         | 
| 17 | 
            +
                cipher_str.split(':').should include('!SSLv2')
         | 
| 18 | 
            +
              end
         | 
| 19 | 
            +
             | 
| 20 | 
            +
              it 'has no ciphers with version SSLv2 enabled' do
         | 
| 21 | 
            +
                ciphers = subject.ciphers.select do |name, version, bits, alg_bits|
         | 
| 22 | 
            +
                  /SSLv2/.match(version)
         | 
| 23 | 
            +
                end
         | 
| 24 | 
            +
                ciphers.should be_empty
         | 
| 25 | 
            +
              end
         | 
| 26 | 
            +
             | 
| 27 | 
            +
              it 'disables SSLv3 via the SSLContext#options bitmask' do
         | 
| 28 | 
            +
                (subject.options & OpenSSL::SSL::OP_NO_SSLv3).should == OpenSSL::SSL::OP_NO_SSLv3
         | 
| 29 | 
            +
              end
         | 
| 30 | 
            +
             | 
| 31 | 
            +
            end
         | 
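Review bot: The first example only asserts that `set_params` is called, with no constraint on its arguments, so it would still pass if `initialize` handed it an empty hash; `described_class.any_instance.expects(:set_params).with(has_entries(:options => anything, :ciphers => anything))` would pin what the patch is meant to guarantee. The `'has no ciphers with version SSLv2 enabled'` example is presumably vacuous on an OpenSSL build compiled without SSLv2, since `subject.ciphers` would contain no such entry either way; a one-line comment saying so would stop readers treating it as proof of the `!SSLv2` suffix. Nothing in this file exercises the `OP_DONT_INSERT_EMPTY_FRAGMENTS` branch of the patch.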
| @@ -249,6 +249,7 @@ module MCollective | |
| 249 249 | 
             
                      Activemq.any_instance.stubs(:get_option).with("activemq.pool.1.user").returns("user1")
         | 
| 250 250 | 
             
                      Activemq.any_instance.stubs(:get_option).with("activemq.pool.1.password").returns("password1")
         | 
| 251 251 | 
             
                      Activemq.any_instance.stubs(:get_bool_option).with("activemq.pool.1.ssl", false).returns(true)
         | 
| 252 | 
            +
                      Activemq.any_instance.stubs(:get_option).with("activemq.pool.1.ssl.ciphers", false).returns(false)
         | 
| 252 253 | 
             
                    end
         | 
| 253 254 |  | 
| 254 255 | 
             
                    it "should ensure all settings are provided" do
         | 
| @@ -292,6 +293,27 @@ module MCollective | |
| 292 293 |  | 
| 293 294 | 
             
                      expect { connector.ssl_parameters(1, false) }.to raise_error
         | 
| 294 295 | 
             
                    end
         | 
| 296 | 
            +
             | 
| 297 | 
            +
                    context 'ciphers' do
         | 
| 298 | 
            +
                      before :each do
         | 
| 299 | 
            +
                        Activemq.any_instance.stubs(:get_option).with("activemq.pool.1.ssl.cert", false).returns("rspec")
         | 
| 300 | 
            +
                        Activemq.any_instance.stubs(:get_option).with("activemq.pool.1.ssl.key", false).returns('rspec.key')
         | 
| 301 | 
            +
                        Activemq.any_instance.stubs(:get_option).with("activemq.pool.1.ssl.ca", false).returns('rspec1.ca,rspec2.ca')
         | 
| 302 | 
            +
                        File.stubs(:exist?).returns(true)
         | 
| 303 | 
            +
                      end
         | 
| 304 | 
            +
             | 
| 305 | 
            +
                      it 'should not set ciphers by default' do
         | 
| 306 | 
            +
                        parameters = connector.ssl_parameters(1, false)
         | 
| 307 | 
            +
                        parameters.ciphers.should == false
         | 
| 308 | 
            +
                      end
         | 
| 309 | 
            +
             | 
| 310 | 
            +
                      it 'should support setting of ciphers' do
         | 
| 311 | 
            +
                        Activemq.any_instance.stubs(:get_option).with("activemq.pool.1.ssl.ciphers", false).returns('TLSv127:!NUTS')
         | 
| 312 | 
            +
                        parameters = connector.ssl_parameters(1, false)
         | 
| 313 | 
            +
                        parameters.ciphers.should == 'TLSv127:!NUTS'
         | 
| 314 | 
            +
                      end
         | 
| 315 | 
            +
                    end
         | 
| 316 | 
            +
             | 
| 295 317 | 
             
                  end
         | 
| 296 318 |  | 
| 297 319 | 
             
                  describe "#get_key_file" do
         | 
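Review bot: Both examples in the new `context 'ciphers'` block assert only that the value stubbed for `get_option("activemq.pool.1.ssl.ciphers", false)` comes back unchanged on `parameters.ciphers`, so `'should not set ciphers by default'` passes because of the `returns(false)` stub added to the outer `before` block, not because of anything the connector decides. A comment such as `# false is the get_option fallback; ssl_parameters is expected to hand it through untouched` would make that intent explicit, and the specs do not show what happens to an unparseable string like the `'TLSv127:!NUTS'` fixture once it reaches the TLS layer. `File.stubs(:exist?).returns(true)` answers true for every path during each example; narrowing it with `.with(...)` to the stubbed certificate, key and CA names would keep unrelated lookups honest. The same points apply to the identical Rabbitmq spec section that follows, and the enclosing `describe` block starts outside these hunks.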
| @@ -248,6 +248,7 @@ module MCollective | |
| 248 248 | 
             
                      Rabbitmq.any_instance.stubs(:get_option).with("rabbitmq.pool.1.user").returns("user1")
         | 
| 249 249 | 
             
                      Rabbitmq.any_instance.stubs(:get_option).with("rabbitmq.pool.1.password").returns("password1")
         | 
| 250 250 | 
             
                      Rabbitmq.any_instance.stubs(:get_bool_option).with("rabbitmq.pool.1.ssl", false).returns(true)
         | 
| 251 | 
            +
                      Rabbitmq.any_instance.stubs(:get_option).with("rabbitmq.pool.1.ssl.ciphers", false).returns(false)
         | 
| 251 252 | 
             
                    end
         | 
| 252 253 |  | 
| 253 254 | 
             
                    it "should ensure all settings are provided" do
         | 
| @@ -291,6 +292,26 @@ module MCollective | |
| 291 292 |  | 
| 292 293 | 
             
                      expect { connector.ssl_parameters(1, false) }.to raise_error
         | 
| 293 294 | 
             
                    end
         | 
| 295 | 
            +
             | 
| 296 | 
            +
                    context 'ciphers' do
         | 
| 297 | 
            +
                      before :each do
         | 
| 298 | 
            +
                        Rabbitmq.any_instance.stubs(:get_option).with("rabbitmq.pool.1.ssl.cert", false).returns("rspec")
         | 
| 299 | 
            +
                        Rabbitmq.any_instance.stubs(:get_option).with("rabbitmq.pool.1.ssl.key", false).returns('rspec.key')
         | 
| 300 | 
            +
                        Rabbitmq.any_instance.stubs(:get_option).with("rabbitmq.pool.1.ssl.ca", false).returns('rspec1.ca,rspec2.ca')
         | 
| 301 | 
            +
                        File.stubs(:exist?).returns(true)
         | 
| 302 | 
            +
                      end
         | 
| 303 | 
            +
             | 
| 304 | 
            +
                      it 'should not set ciphers by default' do
         | 
| 305 | 
            +
                        parameters = connector.ssl_parameters(1, false)
         | 
| 306 | 
            +
                        parameters.ciphers.should == false
         | 
| 307 | 
            +
                      end
         | 
| 308 | 
            +
             | 
| 309 | 
            +
                      it 'should support setting of ciphers' do
         | 
| 310 | 
            +
                        Rabbitmq.any_instance.stubs(:get_option).with("rabbitmq.pool.1.ssl.ciphers", false).returns('TLSv127:!NUTS')
         | 
| 311 | 
            +
                        parameters = connector.ssl_parameters(1, false)
         | 
| 312 | 
            +
                        parameters.ciphers.should == 'TLSv127:!NUTS'
         | 
| 313 | 
            +
                      end
         | 
| 314 | 
            +
                    end
         | 
| 294 315 | 
             
                  end
         | 
| 295 316 |  | 
| 296 317 | 
             
                  describe "#get_key_file" do
         | 
    
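--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: mcollective-client
 version: !ruby/object:Gem::Version
-  version: 2.6.
+  version: 2.6.1
   prerelease: 
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-
+date: 2014-10-28 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: systemu
@@ -247,6 +247,7 @@ files:
 - spec/unit/runner_spec.rb
 - spec/unit/util_spec.rb
 - spec/unit/agents_spec.rb
+- spec/unit/monkey_patches_spec.rb
 - spec/unit/unix_daemon_spec.rb
 - spec/unit/rpc_spec.rb
 - spec/unit/facts_spec.rb
@@ -395,6 +396,7 @@ test_files:
 - spec/unit/runner_spec.rb
 - spec/unit/util_spec.rb
 - spec/unit/agents_spec.rb
+- spec/unit/monkey_patches_spec.rb
 - spec/unit/unix_daemon_spec.rb
 - spec/unit/rpc_spec.rb
 - spec/unit/facts_spec.rb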