From: Aaron Patterson <tenderlove@...>
Date: 2015-07-30T08:11:32-07:00
Subject: [ruby-core:70192] Re: [Ruby trunk - Bug #10910] [Open] NoMethodError when opening SSL connection with OpenSSL::SSL::VERIFY_PEER set and anonymous ciphers allowed

Thanks, I'm taking a look.

On Thu, Jul 30, 2015 at 09:17:38AM +0000, nobu@ruby-lang.org wrote:
> Issue #10910 has been updated by Nobuyoshi Nakada.
> 
> Status changed from Closed to Open
> 
> This has failed on travis.
> 
> https://travis-ci.org/ruby/ruby/builds/72882783
> 
> ----------------------------------------
> Bug #10910: NoMethodError when opening SSL connection with OpenSSL::SSL::VERIFY_PEER set and anonymous ciphers allowed
> https://bugs.ruby-lang.org/issues/10910#change-53613
> 
> * Author: Chris Sinjakli
> * Status: Open
> * Priority: Normal
> * Assignee: openssl
> * ruby -v: ruby 2.3.0dev
> * Backport: 2.0.0: REQUIRED, 2.1: REQUIRED, 2.2: REQUIRED
> ----------------------------------------
> When establishing an SSL connection with peer verification enabled, if the list of allowed ciphers includes an anonymous cipher, and negotiation with the server results in that cipher being used, a NoMethodError is raised with a stack trace like:
> 
> ~~~
> /Users/sinjo/rubies/2.1.3/lib/ruby/2.1.0/openssl/ssl.rb:99:in `verify_certificate_identity': undefined method `extensions' for nil:NilClass (NoMethodError)
>         from /Users/sinjo/rubies/2.1.3/lib/ruby/2.1.0/openssl/ssl.rb:156:in `post_connection_check'
>         from /Users/sinjo/rubies/2.1.3/lib/ruby/2.1.0/net/http.rb:922:in `connect'
>         from /Users/sinjo/rubies/2.1.3/lib/ruby/2.1.0/net/http.rb:863:in `do_start'
>         from /Users/sinjo/rubies/2.1.3/lib/ruby/2.1.0/net/http.rb:852:in `start'
>         from ../test_ssl.rb:4:in `<main>'
> ~~~
> 
> This is because no certificate is returned when using an anonymous cipher, while the verification code which runs when OpenSSL::SSL::VERIFY_PEER is set expects one to be present.
> 
> I've attached a patch which fixes this. Let me know if there's anything you'd like me to change (happy to refactor, or alter the approach).
> 
> This behaviour is present in 2.0, 2.1, and 2.2.
> 
> ---Files--------------------------------
> ssl_verify.patch (2.71 KB)
> 
> 
> -- 
> https://bugs.ruby-lang.org/

-- 
Aaron Patterson
http://tenderlovemaking.com/