mcollective-client 2.6.0 → 2.6.1

@@ -119,3 +119,32 @@ class Dir
119
119
  File.expand_path(tmp)
120
120
  end unless method_defined?(:tmpdir)
121
121
  end
122
+
123
+ # Reject all SSLv2 ciphers and all SSLv2 or SSLv3 handshakes by default
124
+ require 'openssl'
125
+ class OpenSSL::SSL::SSLContext
126
+ if DEFAULT_PARAMS[:options]
127
+ DEFAULT_PARAMS[:options] |= OpenSSL::SSL::OP_NO_SSLv2 | OpenSSL::SSL::OP_NO_SSLv3
128
+ else
129
+ DEFAULT_PARAMS[:options] = OpenSSL::SSL::OP_NO_SSLv2 | OpenSSL::SSL::OP_NO_SSLv3
130
+ end
131
+
132
+ # ruby 1.8.5 doesn't define this constant, but has it on by default
133
+ if defined?(OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS)
134
+ DEFAULT_PARAMS[:options] |= OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS
135
+ end
136
+
137
+ DEFAULT_PARAMS[:ciphers] << ':!SSLv2'
138
+
139
+ alias __mcollective_original_initialize initialize
140
+ private :__mcollective_original_initialize
141
+
142
+ def initialize(*args)
143
+ __mcollective_original_initialize(*args)
144
+ params = {
145
+ :options => DEFAULT_PARAMS[:options],
146
+ :ciphers => DEFAULT_PARAMS[:ciphers],
147
+ }
148
+ set_params(params)
149
+ end
150
+ end
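Review bot: `DEFAULT_PARAMS[:ciphers] << ':!SSLv2'` (new line 137) assumes the key exists and holds a mutable String, although the `:options` handling just above it allows for a missing entry. On a Ruby/OpenSSL build whose `DEFAULT_PARAMS` has no `:ciphers` entry this would raise at require time, and if the file is ever loaded twice the exclusion is appended again. Building a new string avoids both, e.g. `DEFAULT_PARAMS[:ciphers] = "#{DEFAULT_PARAMS[:ciphers] || 'DEFAULT'}:!SSLv2" unless DEFAULT_PARAMS[:ciphers].to_s.split(':').include?('!SSLv2')`. The leading comment could also state that these are defaults applied in `initialize`, so code that later assigns `options` or `ciphers` on a context replaces them and has to keep `OP_NO_SSLv2 | OP_NO_SSLv3` itself.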
@@ -0,0 +1,31 @@
1
+ require 'spec_helper'
2
+
3
+ require 'mcollective/monkey_patches'
4
+
5
+ describe OpenSSL::SSL::SSLContext do
6
+ it 'sets parameters on initialization' do
7
+ described_class.any_instance.expects(:set_params)
8
+ subject
9
+ end
10
+
11
+ it 'disables SSLv2 via the SSLContext#options bitmask' do
12
+ (subject.options & OpenSSL::SSL::OP_NO_SSLv2).should == OpenSSL::SSL::OP_NO_SSLv2
13
+ end
14
+
15
+ it 'explicitly disable SSLv2 ciphers using the ! prefix so they cannot be re-added' do
16
+ cipher_str = OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:ciphers]
17
+ cipher_str.split(':').should include('!SSLv2')
18
+ end
19
+
20
+ it 'has no ciphers with version SSLv2 enabled' do
21
+ ciphers = subject.ciphers.select do |name, version, bits, alg_bits|
22
+ /SSLv2/.match(version)
23
+ end
24
+ ciphers.should be_empty
25
+ end
26
+
27
+ it 'disables SSLv3 via the SSLContext#options bitmask' do
28
+ (subject.options & OpenSSL::SSL::OP_NO_SSLv3).should == OpenSSL::SSL::OP_NO_SSLv3
29
+ end
30
+
31
+ end
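Review bot: The first example (`described_class.any_instance.expects(:set_params)`, new lines 6-9) passes for any call to `set_params`, so it would not notice the wrapper dropping `:options` or `:ciphers` from the hash it passes. Constraining the expectation pins the hardening at the call site, e.g. `described_class.any_instance.expects(:set_params).with(has_entries(:options => OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:options], :ciphers => OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:ciphers]))`. There is also no example for the `OP_DONT_INSERT_EMPTY_FRAGMENTS` branch; where the constant is defined it could be checked the same way as the two bitmask examples.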
@@ -249,6 +249,7 @@ module MCollective
249
249
  Activemq.any_instance.stubs(:get_option).with("activemq.pool.1.user").returns("user1")
250
250
  Activemq.any_instance.stubs(:get_option).with("activemq.pool.1.password").returns("password1")
251
251
  Activemq.any_instance.stubs(:get_bool_option).with("activemq.pool.1.ssl", false).returns(true)
252
+ Activemq.any_instance.stubs(:get_option).with("activemq.pool.1.ssl.ciphers", false).returns(false)
252
253
  end
253
254
 
254
255
  it "should ensure all settings are provided" do
@@ -292,6 +293,27 @@ module MCollective
292
293
 
293
294
  expect { connector.ssl_parameters(1, false) }.to raise_error
294
295
  end
296
+
297
+ context 'ciphers' do
298
+ before :each do
299
+ Activemq.any_instance.stubs(:get_option).with("activemq.pool.1.ssl.cert", false).returns("rspec")
300
+ Activemq.any_instance.stubs(:get_option).with("activemq.pool.1.ssl.key", false).returns('rspec.key')
301
+ Activemq.any_instance.stubs(:get_option).with("activemq.pool.1.ssl.ca", false).returns('rspec1.ca,rspec2.ca')
302
+ File.stubs(:exist?).returns(true)
303
+ end
304
+
305
+ it 'should not set ciphers by default' do
306
+ parameters = connector.ssl_parameters(1, false)
307
+ parameters.ciphers.should == false
308
+ end
309
+
310
+ it 'should support setting of ciphers' do
311
+ Activemq.any_instance.stubs(:get_option).with("activemq.pool.1.ssl.ciphers", false).returns('TLSv127:!NUTS')
312
+ parameters = connector.ssl_parameters(1, false)
313
+ parameters.ciphers.should == 'TLSv127:!NUTS'
314
+ end
315
+ end
316
+
295
317
  end
296
318
 
297
319
  describe "#get_key_file" do
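Review bot: The new 'ciphers' examples only show that the value of `activemq.pool.1.ssl.ciphers` comes back unchanged from `ssl_parameters` (the sample `'TLSv127:!NUTS'` is a made-up string), and the same applies to the `rabbitmq.pool.1.ssl.ciphers` examples in the Rabbitmq spec section that follows. The connector code is not on this page, but if the string is handed to the TLS layer as-is, an operator-supplied list presumably replaces the default list that carries `!SSLv2`. A comment on the context would record that contract, for instance `# ciphers are passed through unvalidated; a configured list replaces the hardened default and must exclude weak suites itself`. An example asserting the behaviour for an empty string would also pin whether `''` is treated as "unset" or passed on.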
@@ -248,6 +248,7 @@ module MCollective
248
248
  Rabbitmq.any_instance.stubs(:get_option).with("rabbitmq.pool.1.user").returns("user1")
249
249
  Rabbitmq.any_instance.stubs(:get_option).with("rabbitmq.pool.1.password").returns("password1")
250
250
  Rabbitmq.any_instance.stubs(:get_bool_option).with("rabbitmq.pool.1.ssl", false).returns(true)
251
+ Rabbitmq.any_instance.stubs(:get_option).with("rabbitmq.pool.1.ssl.ciphers", false).returns(false)
251
252
  end
252
253
 
253
254
  it "should ensure all settings are provided" do
@@ -291,6 +292,26 @@ module MCollective
291
292
 
292
293
  expect { connector.ssl_parameters(1, false) }.to raise_error
293
294
  end
295
+
296
+ context 'ciphers' do
297
+ before :each do
298
+ Rabbitmq.any_instance.stubs(:get_option).with("rabbitmq.pool.1.ssl.cert", false).returns("rspec")
299
+ Rabbitmq.any_instance.stubs(:get_option).with("rabbitmq.pool.1.ssl.key", false).returns('rspec.key')
300
+ Rabbitmq.any_instance.stubs(:get_option).with("rabbitmq.pool.1.ssl.ca", false).returns('rspec1.ca,rspec2.ca')
301
+ File.stubs(:exist?).returns(true)
302
+ end
303
+
304
+ it 'should not set ciphers by default' do
305
+ parameters = connector.ssl_parameters(1, false)
306
+ parameters.ciphers.should == false
307
+ end
308
+
309
+ it 'should support setting of ciphers' do
310
+ Rabbitmq.any_instance.stubs(:get_option).with("rabbitmq.pool.1.ssl.ciphers", false).returns('TLSv127:!NUTS')
311
+ parameters = connector.ssl_parameters(1, false)
312
+ parameters.ciphers.should == 'TLSv127:!NUTS'
313
+ end
314
+ end
294
315
  end
295
316
 
296
317
  describe "#get_key_file" do
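--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
  --- !ruby/object:Gem::Specification
  name: mcollective-client
  version: !ruby/object:Gem::Version
- version: 2.6.0
+ version: 2.6.1
  prerelease:
  platform: ruby
  authors:
@@ -9,7 +9,7 @@ authors:
  autorequire:
  bindir: bin
  cert_chain: []
- date: 2014-08-21 00:00:00.000000000 Z
+ date: 2014-10-28 00:00:00.000000000 Z
  dependencies:
  - !ruby/object:Gem::Dependency
  name: systemu
@@ -247,6 +247,7 @@ files:
  - spec/unit/runner_spec.rb
  - spec/unit/util_spec.rb
  - spec/unit/agents_spec.rb
+ - spec/unit/monkey_patches_spec.rb
  - spec/unit/unix_daemon_spec.rb
  - spec/unit/rpc_spec.rb
  - spec/unit/facts_spec.rb
@@ -395,6 +396,7 @@ test_files:
  - spec/unit/runner_spec.rb
  - spec/unit/util_spec.rb
  - spec/unit/agents_spec.rb
+ - spec/unit/monkey_patches_spec.rb
  - spec/unit/unix_daemon_spec.rb
  - spec/unit/rpc_spec.rb
  - spec/unit/facts_spec.rb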