* [ANN] yahns 1.12.2 -_- sleepy app server for Ruby
@ 2016-03-01 1:58 4% ` Eric Wong
0 siblings, 0 replies; 2+ results
From: Eric Wong @ 2016-03-01 1:58 UTC (permalink / raw)
To: ruby-talk, yahns-public
A Free Software, multi-threaded, non-blocking network
application server designed for low _idle_ power consumption.
It is primarily optimized for applications with occasional users
which see little or no traffic. yahns currently hosts Rack/HTTP
applications, but may eventually support other application
types. Unlike some existing servers, yahns is extremely
sensitive to fatal bugs in the applications it hosts.
Changes:
yahns 1.12.2 - minor doc and TLS fixes
This release ensures OpenSSL::SSL::SSLContext#session_id_context
is always set for OpenSSL users. It won't overwrite existing
settings, but setting it to a random value is necessary to
ensure clients do not get aborted connections when attempting to
use a session cache.
No need to actually upgrade if you're on 1.12.1, you may add the
following to your yahns_config(5) file where
OpenSSL::SSL::SSLContext is configured:
# recommended, not required. This sets safer defaults
# provided by Ruby on top of what OpenSSL gives:
ssl_ctx.set_params
# required, and done by default in v1.12.2:
ssl_ctx.session_id_context ||= OpenSSL::Random.random_bytes(32)
yahns gives you full control of of how OpenSSL::SSL::SSLContext is
configured. To avoid bugs, yahns only ensures
OpenSSL::SSL::SSLContext#session_id_context is set (if not previously
set by the user) and calls OpenSSL::SSL::SSLContext#setup before
spawning threads to avoid race conditions. yahns itself does not and
will not enforce any opinion on the compatibility/performance/security
trade-offs regarding TLS configuration.
Note: keep in mind using an SSL session cache may be less useful
with yahns because HTTP/1.1 persistent connections may live
forever :)
3 bug/doc fixes on top of v1.12.1:
document OpenSSL::SSL::SSLContext#set_params use
ssl: ensure is session_id_context is always set
test/*: fix mktmpdir usage for 1.9.3
Please note the disclaimer:
yahns is extremely sensitive to fatal bugs in the apps it hosts. There
is no (and never will be) any built-in "watchdog"-type feature to kill
stuck processes/threads. Each yahns process may be handling thousands
of clients; unexpectedly killing the process will abort _all_ of those
connections. Lives may be lost!
yahns hackers are not responsible for your application/library bugs.
Use an application server which is tolerant of buggy applications
if you cannot be bothered to fix all your fatal bugs.
* git clone git://yhbt.net/yahns
* http://yahns.yhbt.net/README
* http://yahns.yhbt.net/NEWS.atom.xml
* we only accept plain-text email yahns-public@yhbt.net
* and archive all the mail we receive: http://yhbt.net/yahns-public/
* nntp://news.public-inbox.org/inbox.comp.lang.ruby.yahns
^ permalink raw reply [relevance 4%]
* [PATCH] ssl: ensure is session_id_context is always set
@ 2016-02-29 5:45 7% Eric Wong
0 siblings, 0 replies; 2+ results
From: Eric Wong @ 2016-02-29 5:45 UTC (permalink / raw)
To: yahns-public
When a client attempts to reuse a session, we must have a
session_id_context set or else handshakes fail. This problem
manifests only with clients which attempt to reuse stored
sessions. This is irrespective of any session caching
configured (even if explicitly disabled) in the server.
The SSL_set_session_id_context(3SSL) manpage states:
If the session id context is not set on an SSL/TLS server and
client certificates are used, stored sessions will not be reused
but a fatal error will be flagged and the handshake will fail.
---
lib/yahns/server.rb | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/lib/yahns/server.rb b/lib/yahns/server.rb
index d6a03f3..ba2066b 100644
--- a/lib/yahns/server.rb
+++ b/lib/yahns/server.rb
@@ -386,6 +386,13 @@ def fdmap_init
env['HTTPS'] = 'on' # undocumented, but Rack::Request uses this
env['rack.url_scheme'] = 'https'
+ # avoid "session id context uninitialized" errors when a client
+ # attempts to reuse a cached SSL session. Server admins may
+ # configure their own cache and session_id_context if desired.
+ # 32 bytes is SSL_MAX_SSL_SESSION_ID_LENGTH and has been since
+ # the SSLeay days
+ ssl_ctx.session_id_context ||= OpenSSL::Random.random_bytes(32)
+
# call OpenSSL::SSL::SSLContext#setup explicitly here to detect
# errors and avoid race conditions. We avoid calling this in the
# parent process since
--
EW
^ permalink raw reply related [relevance 7%]
Results 1-2 of 2 | reverse | options above
-- pct% links below jump to the message on this page, permalinks otherwise --
2016-02-14 22:37 [ANN] yahns 1.12.0 -_- sleepy app server for Ruby Eric Wong
2016-02-22 0:43 ` [ANN] yahns 1.12.1 " Eric Wong
2016-03-01 1:58 4% ` [ANN] yahns 1.12.2 " Eric Wong
2016-02-29 5:45 7% [PATCH] ssl: ensure is session_id_context is always set Eric Wong
Code repositories for project(s) associated with this public inbox
https://yhbt.net/yahns.git/
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).