From: chris@...
Date: 2015-07-25T14:26:47+00:00
Subject: [ruby-core:70123] [Ruby trunk - Bug #10910] NoMethodError when opening SSL connection with OpenSSL::SSL::VERIFY_PEER set and anonymous ciphers allowed

Issue #10910 has been updated by Chris Sinjakli.

Just rebased against trunk, and the test still fails on my machine if I remove the changes to `ext/openssl/lib/openssl/ssl.rb`.

For a little more context, I'm running the test on OS X Yosemite, linking against OpenSSL from Homebrew (version OpenSSL 1.0.2d 9 Jul 2015). I originally ran into this on Ubuntu 12.04, but I don't have that machine running any more, so I can't check the OpenSSL version.

One thing I just thought of is that `ADH-AES256-GCM-SHA384` might not be available in all versions of OpenSSL. I'm not sure what would happen in that case, as I don't provide a fallback cipher in the tests with `use_anon_cipher: true`.

----------------------------------------
Bug #10910: NoMethodError when opening SSL connection with OpenSSL::SSL::VERIFY_PEER set and anonymous ciphers allowed
https://bugs.ruby-lang.org/issues/10910#change-53555

* Author: Chris Sinjakli
* Status: Feedback
* Priority: Normal
* Assignee: openssl
* ruby -v: ruby 2.3.0dev
* Backport: 2.0.0: REQUIRED, 2.1: REQUIRED, 2.2: REQUIRED
----------------------------------------
When establishing an SSL connection with peer verification enabled, if the list of allowed ciphers includes an anonymous cipher, and negotiation with the server results in that cipher being used, a NoMethodError is raised with a stack trace like:

~~~
/Users/sinjo/rubies/2.1.3/lib/ruby/2.1.0/openssl/ssl.rb:99:in `verify_certificate_identity': undefined method `extensions' for nil:NilClass (NoMethodError)
	from /Users/sinjo/rubies/2.1.3/lib/ruby/2.1.0/openssl/ssl.rb:156:in `post_connection_check'
	from /Users/sinjo/rubies/2.1.3/lib/ruby/2.1.0/net/http.rb:922:in `connect'
	from /Users/sinjo/rubies/2.1.3/lib/ruby/2.1.0/net/http.rb:863:in `do_start'
	from /Users/sinjo/rubies/2.1.3/lib/ruby/2.1.0/net/http.rb:852:in `start'
	from ../test_ssl.rb:4:in `'
~~~

This is because no certificate is returned when using an anonymous cipher, while the verification code which runs when OpenSSL::SSL::VERIFY_PEER is set expects one to be present.

I've attached a patch which fixes this. Let me know if there's anything you'd like me to change (happy to refactor, or alter the approach).

This behaviour is present in 2.0, 2.1, and 2.2.

---Files--------------------------------
ssl_verify.patch (2.71 KB)

--
https://bugs.ruby-lang.org/
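
The failure mode described in this report, as an added example that is not part of the original message or the attached patch: a client-side check that fails closed with an `SSLError` when no peer certificate arrives, plus a context that excludes anonymous suites so the situation cannot be negotiated. The helper names, the `DEFAULT:!aNULL` cipher string and the `example.test` certificate are assumptions made for illustration.

```ruby
require "openssl"

# Hypothetical helper: OpenSSL names anonymous (unauthenticated) suites with
# an ADH- or AECDH- prefix, e.g. the ADH-AES256-GCM-SHA384 mentioned above.
def anonymous_cipher?(name)
  name.to_s.start_with?("ADH-", "AECDH-")
end

# Hypothetical fail-closed identity check: a missing certificate becomes an
# SSLError naming the cause, instead of a NoMethodError on nil.
def checked_identity!(peer_cert, cipher_name, hostname)
  if peer_cert.nil?
    msg = "peer verification requested but no certificate received"
    msg += " (anonymous cipher #{cipher_name})" if anonymous_cipher?(cipher_name)
    raise OpenSSL::SSL::SSLError, msg
  end
  unless OpenSSL::SSL.verify_certificate_identity(peer_cert, hostname)
    raise OpenSSL::SSL::SSLError, "hostname #{hostname.inspect} does not match"
  end
  true
end

# Preventive side: with VERIFY_PEER, keep anonymous suites out of the offer.
def context_without_anon_ciphers
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.ciphers = "DEFAULT:!aNULL" # aNULL = suites with no authentication
  ctx
end

# Constructed sample input: a throwaway self-signed certificate built in
# memory so the check can be exercised offline.
def sample_cert(host)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{host}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{host}"))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end
```
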