yahns Ruby server user/dev discussion
* [ANN] yahns 1.5.0 - initial OpenSSL support and bugfixes
From: Eric Wong @ 2014-12-21  2:25 UTC (permalink / raw)
  To: yahns-public

This release adds basic OpenSSL support for HTTPS connections.

Users must supply an OpenSSL::SSL::SSLContext object which yahns will use
as-is.  yahns will only support HTTPS on Ruby 2.1 and later, as we rely
on "exception: false" in the read_nonblock and write_nonblock methods in
OpenSSL::SSL::SSLSocket.

See the Ruby standard library documentation on how to configure
OpenSSL::SSL::SSLContext objects to pass to the yahns "listen" directive.
Editing the yahns config file to use OpenSSL goes something like this:

    require 'openssl' # we will not do this for the user, even
    ctx = OpenSSL::SSL::SSLContext.new
    # user must configure ctx here...

    listen 443, ssl_ctx: ctx

Note: yahns developers are not responsible for bugs in OpenSSL itself
or misconfigured SSLContext objects created by users.  However, our
support of OpenSSL sockets is barely-tested and likely buggy, too.

Furthermore, the "sendfile" (or "kgio-sendfile") gem is no longer a
required dependency.  It is currently impossible to use zero-copy
system calls with TLS sockets.

There are also minor cleanups and a bugfix to ensure body#close is
called for folks using body#to_path where `body' is the Rack
response body.  This bug affected logging using the 'clogger' gem
when serving static files.

Shortlog of changes since 1.4.0

      save around 1500 bytes of memory on x86-64
      http_response: remove arg for Array#join
      remove unused client_max_header_size config
      config: use literal symbol array for now
      http_response: reduce constants for 100 responses
      favor Array#map! for freshly-split arrays
      sendfile_compat: remove dependency on pread
      extras/autoindex: simplify checking non-.gz
      Rakefile: kill more useless gsub use
      initial cut at OpenSSL support
      test/test_ssl: skip test if SSL on older Rubies
      wbuf_common: close body proxies on sendfile abort
      bump published Ruby version requirement to 2.0
      make sendfile an optional dependency
      openssl_client: ignore SSL_accept errors during negotiation

Disclaimer: the yahns project does not and will never endorse
any commercial entities, including certificate authorities.

Shpx Nhgubevgl.

-- 
EW


* Re: [RFC] initial cut at OpenSSL support
From: Eric Wong @ 2014-12-02  7:37 UTC (permalink / raw)
  To: yahns-public

Pushed OpenSSL support with a few (unrelated) minor fixes and cleanups

Eric Wong (4):
      extras/autoindex: simplify checking non-.gz
      Rakefile: kill more useless gsub use
      initial cut at OpenSSL support
      test/test_ssl: skip test if SSL on older Rubies

 Rakefile                    |  4 +--
 extras/autoindex.rb         |  4 ++-
 lib/yahns/config.rb         |  2 ++
 lib/yahns/openssl_client.rb | 52 +++++++++++++++++++++++++++++
 lib/yahns/openssl_server.rb | 21 ++++++++++++
 lib/yahns/server.rb         | 15 +++++----
 lib/yahns/socket_helper.rb  | 17 +++++++---
 test/server_helper.rb       |  6 ++--
 test/test_ssl.rb            | 79 +++++++++++++++++++++++++++++++++++++++++++++
 9 files changed, 183 insertions(+), 17 deletions(-)

commit 71aea810c6e15ba8af662698adbcb28be7e2c395
Author: Eric Wong <e@80x24.org>
Date:   Tue Dec 2 02:21:15 2014 +0000

    test/test_ssl: skip test if SSL on older Rubies
    
    We rely on exception-free non-blocking I/O for performance,
    so it is easier for us to avoid supporting new features on
    old Rubies.

commit 65a903181cd5cdd78b4df7eacc1c574f0ef8e95c
Author: Eric Wong <e@80x24.org>
Date:   Sat Nov 29 04:08:54 2014 +0000

    initial cut at OpenSSL support
    
    The current CA model and code quality of OpenSSL have long put me off
    from supporting TLS; however, efforts such as "Let's Encrypt"
    and the fallout from Heartbleed give me hope for the future.
    
    This implements, as much as possible, a "hands-off" approach to TLS
    support via OpenSSL.  This implementation allows us to shift
    responsibility away from us to users and upstreams (the Ruby 'openssl'
    extension maintainers, software packagers, and OpenSSL project itself).
    
    This is also perhaps the easiest way for now for us, while being most
    powerful for users.  It requires users to configure their own OpenSSL
    context object which we'll use as-is.
    
    This context object is used as the :ssl_ctx parameter to the "listen"
    directive in the yahns configuration file:
    
        require 'openssl' # we will not do this for the user, even
        ctx = OpenSSL::SSL::SSLContext.new
        # user must configure ctx here...
        listen 443, ssl_ctx: ctx
    
    This way, in case we support GnuTLS or other TLS libraries, there'll
    be less confusion as to what a user is actually using.
    
    Note: this feature requires Ruby 2.1 and later for non-kgio
    {read,write}_nonblock(.. exception: false) support.

commit a1dba8aa91a533870c44ec0b695391f16be9a71f
Author: Eric Wong <e@80x24.org>
Date:   Tue Dec 2 01:56:31 2014 +0000

    Rakefile: kill more useless gsub use
    
    It's wrong to use gsub when stripping text in those cases.

commit 7a552121db4937f00d2b9a8586a475d02a8f833c
Author: Eric Wong <e@80x24.org>
Date:   Tue Dec 2 01:47:52 2014 +0000

    extras/autoindex: simplify checking non-.gz
    
    We only want to strip one ".gz" suffix to check for the
    original, so avoid a needless use of gsub! and use sub!
    instead.
    
    While we're at it, note the use of "dup.sub!" (vs plain "sub")
    to ensure we only handle files with a .gz suffix.


Thread overview:

2014-11-29  4:08  [RFC] initial cut at OpenSSL support  Eric Wong
2014-11-30  4:21    ` Eric Wong
2014-12-02  7:37      ` Eric Wong
2014-12-21  2:25  [ANN] yahns 1.5.0 - initial OpenSSL support and bugfixes  Eric Wong

Code repositories for project(s) associated with this public inbox

	https://yhbt.net/yahns.git/
