setup OpenSSL::ExtConfig emulation - mostly (conservative) guesses

Author: kares

src/main/java/org/jruby/ext/openssl/ExtConfig.java

@@ -0,0 +1,30 @@
+/*
+ * Copyright (c) 2017 Karol Bucek.
+ * All rights reserved. This program and the accompanying materials
+ * are made available under the terms of the Eclipse Public License v1.0
+ * which accompanies this distribution, and is available at
+ * http://www.eclipse.org/legal/epl-v10.html
+ */
+package org.jruby.ext.openssl;
+
+import org.jruby.Ruby;
+import org.jruby.RubyModule;
+
+/**
+ * OpenSSL::ExtConfig (emulation)
+ *
+ * @author kares
+ */
+public class ExtConfig {
+
+    static void create(Ruby runtime, RubyModule OpenSSL) {
+        RubyModule ExtConfig = OpenSSL.defineModuleUnder("ExtConfig");
+        ExtConfig.defineAnnotatedMethods(ExtConfig.class);
+
+        ExtConfig.setConstant("OPENSSL_NO_SOCK", runtime.getNil()); // true/false (default) on MRI
+        // TODO: we really should attempt to detect whether we support this :
+        ExtConfig.setConstant("TLS_DH_anon_WITH_AES_256_GCM_SHA384", runtime.getFalse());
+        ExtConfig.setConstant("HAVE_TLSEXT_HOST_NAME", runtime.getTrue());
+    }
+
+}

src/main/java/org/jruby/ext/openssl/OpenSSL.java

@@ -67,13 +67,14 @@ public static void createOpenSSL(final Ruby runtime) {
         final String warn = SafePropertyAccessor.getProperty("jruby.openssl.warn");
         if ( warn != null ) OpenSSL.warn = Boolean.parseBoolean(warn);
 
+        Config.createConfig(runtime, _OpenSSL);
+        ExtConfig.create(runtime, _OpenSSL);
         PKey.createPKey(runtime, _OpenSSL);
         BN.createBN(runtime, _OpenSSL);
         Digest.createDigest(runtime, _OpenSSL);
         Cipher.createCipher(runtime, _OpenSSL);
         Random.createRandom(runtime, _OpenSSL);
         HMAC.createHMAC(runtime, _OpenSSL);
-        Config.createConfig(runtime, _OpenSSL);
         ASN1.createASN1(runtime, _OpenSSL);
         X509.createX509(runtime, _OpenSSL);
         NetscapeSPKI.createNetscapeSPKI(runtime, _OpenSSL);
@@ -96,8 +97,6 @@ public static void createOpenSSL(final Ruby runtime) {
         // OpenSSL::FIPS: false
 
         final byte[] version = { '1','.','1','.','0' };
-        final boolean ruby18 = runtime.getInstanceConfig().getCompatVersion() == CompatVersion.RUBY1_8;
-        if ( ruby18 ) version[2] = '0'; // 1.0.0 compatible on 1.8
 
         _OpenSSL.setConstant("VERSION", StringHelper.newString(runtime, version));
 
@@ -115,11 +114,9 @@ public static void createOpenSSL(final Ruby runtime) {
         final RubyString VERSION;
         _OpenSSL.setConstant("OPENSSL_VERSION", VERSION = runtime.newString(OPENSSL_VERSION));
         _OpenSSL.setConstant("OPENSSL_VERSION_NUMBER", runtime.newFixnum(OPENSSL_VERSION_NUMBER));
-        if ( ! ruby18 ) {
-            // MRI 2.3 tests do: /\AOpenSSL +0\./ !~ OpenSSL::OPENSSL_LIBRARY_VERSION
-            _OpenSSL.setConstant("OPENSSL_LIBRARY_VERSION", VERSION);
-            _OpenSSL.setConstant("OPENSSL_FIPS", runtime.getFalse());
-        }
+        // MRI 2.3 tests do: /\AOpenSSL +0\./ !~ OpenSSL::OPENSSL_LIBRARY_VERSION
+        _OpenSSL.setConstant("OPENSSL_LIBRARY_VERSION", VERSION);
+        _OpenSSL.setConstant("OPENSSL_FIPS", runtime.getFalse());
     }
 
     static RubyClass _OpenSSLError(final Ruby runtime) {

src/test/ruby/ssl/test_ssl.rb

@@ -82,6 +82,18 @@ def test_post_connection_check
     end
   end
 
+  def test_post_connect_check_with_anon_ciphers
+    start_server(OpenSSL::SSL::VERIFY_NONE, true, { use_anon_cipher: true }) { |server, port|
+      ctx = OpenSSL::SSL::SSLContext.new
+      ctx.ciphers = "aNULL"
+      server_connect(port, ctx) { |ssl|
+        msg = "Peer verification enabled, but no certificate received. Anonymous cipher suite " \
+          "ADH-AES256-GCM-SHA384 was negotiated. Anonymous suites must be disabled to use peer verification."
+        assert_raise_with_message(OpenSSL::SSL::SSLError, msg){ssl.post_connection_check("localhost.localdomain")}
+      }
+    }
+  end if OpenSSL::ExtConfig::TLS_DH_anon_WITH_AES_256_GCM_SHA384
+
   def test_ssl_version_tlsv1
     ctx_proc = Proc.new do |ctx|
       ctx.ssl_version = "TLSv1"