Closed steve8x8 closed 8 years ago
Um, how does one upload a patch here? Until I find out, here it is:
+++ geotoad.myown/lib/shadowget.rb 2015-07-23 13:25:09.212171998 +0200
--- geotoad.trunc/lib/shadowget.rb 2015-07-15 16:44:13.000000000 +0200
@@ -280,14 +280,19 @@
end
if uri.scheme == 'https'
http.use_ssl = true
- http.verify_mode = OpenSSL::SSL::VERIFY_NONE
- # openssl 1.0.1 tends to produce long headers which gc doesnt handle
- # reduce set of ciphers to the one that's known to work with 1.0.0h
- # http://gursevkalra.blogspot.de/2009/09/ruby-and-openssl-based-ssl-cipher.html
- http.ciphers = [ 'RC4-SHA', 'AES128-SHA', 'AES256-SHA', 'DES-CBC3-SHA' ]
- # force ssl context to TLSv1/SSLv3
- # http://www.ruby-forum.com/topic/200072
- http.instance_eval { @ssl_context = OpenSSL::SSL::SSLContext.new(:TLSv1) }
+ # this was for a long time kind of security by obscurity
+ http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+ # reduce set of ciphers
+ # https://www.ssllabs.com/ssltest/analyze.html?d=geocaching.com, drop <256 bit
+ #http.ciphers = [ 'RC4-SHA', 'AES128-SHA', 'AES256-SHA', 'DES-CBC3-SHA' ]
+ #http.ciphers = OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:ciphers].split(/:/).map{ |c|
+ # (c =~ /(RC4|AES128|DES)/) ? nil : c
+ #}.compact.join(':')
+ http.ciphers = OpenSSL::SSL::SSLContext.new(:TLSv1_2).ciphers.map{ |c,x,y,z|
+ (z >= 256) ? c : nil
+ }.compact.join(':')
+ # force ssl context http://www.ruby-forum.com/topic/200072
+ http.instance_eval { @ssl_context = OpenSSL::SSL::SSLContext.new(:TLSv1_2) }
end
query = uri.path
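Review bot: `http.verify_mode = OpenSSL::SSL::VERIFY_PEER` is switched on without any trust anchor being configured in this hunk (no `ca_file`, `ca_path` or `cert_store`), so whether verification succeeds depends on the CA bundle each platform's OpenSSL finds by default; set one explicitly or document the requirement for the Windows and MacOS targets. The last added line still swaps in a fresh `@ssl_context` through `instance_eval` after `verify_mode` and `ciphers` were set on `http`, and nothing in the hunk shows those settings reaching the replacement context; a public setter for the protocol version would avoid depending on Net::HTTP internals. `SSLContext.new(:TLSv1_2)` appears twice with no fallback for a Ruby whose OpenSSL binding lacks that method, the `|c,x,y,z|` block would read better with named fields (name, protocol, bits, algorithm bits), and the three commented-out `#http.ciphers` alternatives can be dropped from the final patch.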
I'd love to learn whether this works in Windows and MacOS environments and for Ruby 1.9.x and up (it does for Debian Jessie, with Ruby 2.1.5)
Patch has been committed - please test before 3.24.1 gets released in four weeks' time.
There has been some testing (see Issue #326) that made me add a fallback for older Ruby versions which may not support TLSv1_2 (but support TLSv1). I've been testing this with Debian Wheezy's ruby1.9.1 (which is a 1.9.3). Yesterday's commit 89fd389 should make git head work again for older Rubies.
AFAICT 3.24.1 has enough fallback code to survive with Ruby 1.9 that doesn't provide TLSv1_2 - in weakened mode. Upcoming releases will require Ruby >= 2.0 to overcome this.
Issue considered resolved. Leaving open for documentation purposes.
GeoToad 3.24.1 doesn't work for me (official Windows build). I get the following error:
[0] => C:/WINDOWS/TEMP/ocr69D7.tmp/src/lib/shadowget.rb:257:in `fetchRemote': undefined method `length' for nil:NilClass (NoMethodError)
[1] => from C:/WINDOWS/TEMP/ocr69D7.tmp/src/lib/shadowget.rb:169:in `fetch'
[2] => from C:/WINDOWS/TEMP/ocr69D7.tmp/src/geotoad.rb:215:in `versionCheck'
[3] => from C:/WINDOWS/TEMP/ocr69D7.tmp/src/geotoad.rb:1007:in `'
[4] => (===) GeoToad 3.24.1 (Ruby 2.0.0p645/2015-04-13 on i386-mingw32)
[5] => *\ Cannot connect to raw.githubusercontent.com:443: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
[6] => ( - ) Offline mode: not fetching https://raw.githubusercontent.com/wiki/steve8x8/geotoad/CurrentVersion.md
That's bad news. OTOH, since I seem to be unable to set up a working Windows VM that can run Ruby >= 2.1, 3.24.0 (which had no such reports, but an insecure HTTPS connection) may be the last release with a pre-built Windows installer for now :( (See issue #301 as well.) There's always the option to visit http://rubyinstaller.org (no www. prefixed!), install your favourite and latest bug-fixed version, and use the tarball to run. There have been various complaints for a long time that the Windows executable would cause security issues (because it's run from a temporary directory), which would be another reason to drop the Installer. Looks like the WayToGo - Issue #327 has been created to cover this.
Since this seems to be (yet unconfirmed though) a Windows-only issue (Unixoid OSes handle certificates in a more consistent way), the discussion continues in Issue #329, closing here.
Although user credentials are sent over http after logging in, it might be a useful exercise to harden the https part. Remove rc4 ciphers (and perhaps everything with too short a key), verify peer, etc. This may seriously break on platforms I cannot test on. Volunteers wanted, patch will be provided.
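The hardening this issue asks for (verify the peer, drop RC4/DES and short keys), written as an added example using Net::HTTP's public setters; it is not GeoToad's code and not part of the thread. The names `strong_cipher_names` and `hardened_http`, the `ca_file` parameter and the sample tuples are assumptions made for illustration.

```ruby
require 'net/http'
require 'openssl'
require 'uri'

# Name fragments the issue wants gone regardless of reported key length.
WEAK_NAME = /RC4|DES/

# SSLContext#ciphers yields [name, protocol, key_bits, algorithm_bits] tuples.
# Keep names with at least min_bits of key that match no weak fragment.
def strong_cipher_names(tuples, min_bits = 256)
  tuples.select { |name, _proto, bits, _alg| bits.to_i >= min_bits && name !~ WEAK_NAME }
        .map(&:first)
end

# Build a configured Net::HTTP object; no connection is opened here.
def hardened_http(url, tuples = OpenSSL::SSL::SSLContext.new.ciphers, ca_file = nil)
  uri = URI.parse(url)
  http = Net::HTTP.new(uri.host, uri.port)
  return http unless uri.scheme == 'https'

  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  store = OpenSSL::X509::Store.new
  # A CA bundle shipped with the application (hypothetical path from the caller)
  # removes the dependency on a platform trust store; otherwise use OpenSSL's defaults.
  ca_file ? store.add_file(ca_file) : store.set_default_paths
  http.cert_store = store

  names = strong_cipher_names(tuples)
  # Fail loudly rather than fall back to a weaker list without anyone noticing.
  raise ArgumentError, 'no cipher satisfies the policy' if names.empty?
  http.ciphers = names.join(':')
  # Public setter (Ruby >= 2.5) instead of replacing @ssl_context by hand.
  http.min_version = OpenSSL::SSL::TLS1_2_VERSION if http.respond_to?(:min_version=)
  http
end

# Constructed sample tuples in the shape SSLContext#ciphers returns.
SAMPLE = [
  ['RC4-SHA', 'SSLv3', 128, 128],
  ['AES128-SHA', 'SSLv3', 128, 128],
  ['DES-CBC3-SHA', 'SSLv3', 168, 168],
  ['AES256-SHA', 'SSLv3', 256, 256],
  ['ECDHE-RSA-AES256-GCM-SHA384', 'TLSv1.2', 256, 256]
].freeze
```

Passing a bundled CA file is one way to make verification behave the same on every platform, which is the failure mode the Windows report above shows.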