From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on dcvr.yhbt.net X-Spam-Level: X-Spam-ASN: X-Spam-Status: No, score=-2.9 required=3.0 tests=ALL_TRUSTED,BAYES_00, URIBL_BLOCKED shortcircuit=no autolearn=unavailable version=3.3.2 X-Original-To: yahns-public@yhbt.net Received: from localhost (dcvr.yhbt.net [127.0.0.1]) by dcvr.yhbt.net (Postfix) with ESMTP id DB1A91F5D9; Tue, 2 Dec 2014 07:37:29 +0000 (UTC) Date: Tue, 2 Dec 2014 07:37:29 +0000 From: Eric Wong To: yahns-public@yhbt.net Subject: Re: [RFC] initial cut at OpenSSL support Message-ID: <20141202073729.GA16033@dcvr.yhbt.net> References: <20141129040854.GA14399@dcvr.yhbt.net> <20141130042131.GA23176@dcvr.yhbt.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20141130042131.GA23176@dcvr.yhbt.net> List-Id: Pushed OpenSSL support with a few (unrelated) minor fixes and cleanups Eric Wong (4): extras/autoindex: simplify checking non-.gz Rakefile: kill more useless gsub use initial cut at OpenSSL support test/test_ssl: skip test if SSL on older Rubies Rakefile | 4 +-- extras/autoindex.rb | 4 ++- lib/yahns/config.rb | 2 ++ lib/yahns/openssl_client.rb | 52 +++++++++++++++++++++++++++++ lib/yahns/openssl_server.rb | 21 ++++++++++++ lib/yahns/server.rb | 15 +++++---- lib/yahns/socket_helper.rb | 17 +++++++--- test/server_helper.rb | 6 ++-- test/test_ssl.rb | 79 +++++++++++++++++++++++++++++++++++++++++++++ 9 files changed, 183 insertions(+), 17 deletions(-) commit 71aea810c6e15ba8af662698adbcb28be7e2c395 Author: Eric Wong Date: Tue Dec 2 02:21:15 2014 +0000 test/test_ssl: skip test if SSL on older Rubies We rely on exception-free non-blocking I/O for performance, so it is easier for us to avoid supporting new features on old Rubies. commit 65a903181cd5cdd78b4df7eacc1c574f0ef8e95c Author: Eric Wong Date: Sat Nov 29 04:08:54 2014 +0000 initial cut at OpenSSL support The current CA model and code quality of OpenSSL have long put me off from supporting TLS; however but efforts such as "Let's Encrypt" and the fallout from Heartbleed give me hope for the future. This implements, as much as possible, a "hands-off" approach to TLS support via OpenSSL. This implementation allows us to shift responsibility away from us to users and upstreams (the Ruby 'openssl' extension maintainers, software packagers, and OpenSSL project itself). This is also perhaps the easiest way for now for us, while being most powerful for users. It requires users to configure their own OpenSSL context object which we'll use as-is. This context object is used as the :ssl_ctx parameter to the "listen" directive in the yahns configuration file: require 'openssl' # we will not do this for the user, even ctx = OpenSSL::SSL::SSLContext.new # user must configure ctx here... listen 443, ssl_ctx: ctx This way, in case we support GnuTLS or other TLS libraries, there'll be less confusion as to what a user is actually using. Note: this feature requires Ruby 2.1 and later for non-kgio {read,write}_nonblock(.. exception: false) support. commit a1dba8aa91a533870c44ec0b695391f16be9a71f Author: Eric Wong Date: Tue Dec 2 01:56:31 2014 +0000 Rakefile: kill more useless gsub use It's wrong to use gsub when stripping text in those cases. commit 7a552121db4937f00d2b9a8586a475d02a8f833c Author: Eric Wong Date: Tue Dec 2 01:47:52 2014 +0000 extras/autoindex: simplify checking non-.gz We only want to strip one ".gz" suffix to check for the original, so avoid a needless use of gsub! and use sub! instead. While we're at it, note the use of "dup.sub!" (vs plain "sub") to ensure we only handle files with a .gz suffix.