(PUP-11718) Remove SSLv2 handling

mhashizume · mhashizume · commit 995aea1db4ee · 2023-04-12T13:45:39.000-07:00
Previously, Puppet disabled the use of SSLv2 in OpenSSL. However,
starting with OpenSSL 1.0.2g, SSLv2 was disabled by default at
build-time, and the OP_NO_SSLv2 constant was deprecated in OpenSSL
1.1.0.

This commit removes SSLv2 configurations from Puppet.
diff --git a/lib/puppet/util/monkey_patches.rb b/lib/puppet/util/monkey_patches.rb
@@ -29,17 +29,13 @@ def daemonize
   end
 end
 
-# (#19151) Reject all SSLv2 ciphers and handshakes
 require_relative '../../puppet/ssl/openssl_loader'
 unless Puppet::Util::Platform.jruby_fips?
   class OpenSSL::SSL::SSLContext
     if DEFAULT_PARAMS[:options]
-      DEFAULT_PARAMS[:options] |= OpenSSL::SSL::OP_NO_SSLv2 | OpenSSL::SSL::OP_NO_SSLv3
+      DEFAULT_PARAMS[:options] |= OpenSSL::SSL::OP_NO_SSLv3
     else
-      DEFAULT_PARAMS[:options] = OpenSSL::SSL::OP_NO_SSLv2 | OpenSSL::SSL::OP_NO_SSLv3
-    end
-    if DEFAULT_PARAMS[:ciphers]
-      DEFAULT_PARAMS[:ciphers] << ':!SSLv2'
+      DEFAULT_PARAMS[:options] = OpenSSL::SSL::OP_NO_SSLv3
     end
 
     alias __original_initialize initialize
diff --git a/spec/unit/util/monkey_patches_spec.rb b/spec/unit/util/monkey_patches_spec.rb
@@ -29,21 +29,10 @@
 end
 
 describe OpenSSL::SSL::SSLContext do
-  it 'disables SSLv2 via the SSLContext#options bitmask' do
-    expect(subject.options & OpenSSL::SSL::OP_NO_SSLv2).to eq(OpenSSL::SSL::OP_NO_SSLv2)
-  end
-
   it 'disables SSLv3 via the SSLContext#options bitmask' do
     expect(subject.options & OpenSSL::SSL::OP_NO_SSLv3).to eq(OpenSSL::SSL::OP_NO_SSLv3)
   end
 
-  it 'explicitly disable SSLv2 ciphers using the ! prefix so they cannot be re-added' do
-    cipher_str = OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:ciphers]
-    if cipher_str
-      expect(cipher_str.split(':')).to include('!SSLv2')
-    end
-  end
-
   it 'does not exclude SSLv3 ciphers shared with TLSv1' do
     cipher_str = OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:ciphers]
     if cipher_str
@@ -55,13 +44,6 @@
     expect_any_instance_of(described_class).to receive(:set_params)
     subject
   end
-
-  it 'has no ciphers with version SSLv2 enabled' do
-    ciphers = subject.ciphers.select do |name, version, bits, alg_bits|
-      /SSLv2/.match(version)
-    end
-    expect(ciphers).to be_empty
-  end
 end
 
 
