[rubygems/f15] Backport fix for insecure connection to SSL repository (bug 814718)

Mamoru Tasaka mtasaka at fedoraproject.org
Fri Apr 20 18:34:04 UTC 2012


commit 47407a7661abf4a8d632fbc5150a7e65d9ef69a6
Author: Mamoru Tasaka <tasaka1 at localhost.localdomain>
Date:   Sat Apr 21 03:34:00 2012 +0900

    Backport fix for insecure connection to SSL repository (bug 814718)

 rubygems-1.x.x-ssl-connection-don_t-revert.patch |  680 ++++++++++++++++++++++
 rubygems.spec                                    |    8 +-
 2 files changed, 687 insertions(+), 1 deletions(-)
---
diff --git a/rubygems-1.x.x-ssl-connection-don_t-revert.patch b/rubygems-1.x.x-ssl-connection-don_t-revert.patch
new file mode 100644
index 0000000..46dfb80
--- /dev/null
+++ b/rubygems-1.x.x-ssl-connection-don_t-revert.patch
@@ -0,0 +1,680 @@
+commit c7d6c6efd2a9e813eb538d805a6f5780437d7006
+Author: Hiroshi Nakamura <nahi at ruby-lang.org>
+Date:   Tue Mar 13 17:16:16 2012 +0900
+
+    Insecure connection to SSL repository
+    
+    Fixes 2 SSL usage problems of RemoteFetcher.
+    - No verification
+    - Follows HTTPS -> HTTP redirection
+    
+    For the first problem, RemoteFetcher must use OpenSSL::SSL::VERIFY_PEER
+    instead of VERIFY_NONE.  And to enable SSL verification of
+    RemoteFetcher, we need to make trusted CA configurable.  This commit
+    adds :ssl_verify_mode and :ssl_ca_cert to Gem::ConfigFile (normally
+    .gemrc).  Both configurations are treated as same options in open-uri.
+    
+    When :ssl_ca_cert is set, only the given path is treated as the trusted
+    CA certificate(s).  If it's not set, OpenSSL's default store (sometimes
+    configured as /etc/ssl/certs by system) *AND*
+    lib/rubygems/ssl_certs/*.pem are trusted.  lib/rubygems/ssl_certs/*.pem
+    are shipped to make sure all RubyGems clients can successfully access to
+    https://rubygems.org/.
+    
+    At this moment, RubyGems.org uses 3 SSL servers (https://rubygems.org/,
+    https://s3.amazon.com/, and https://d2chzxaqi4y7f8.cloudfront.net/) and
+    each SSL certificate needs different root CA certificate.  So
+    lib/rubygems/ssl_certs/ directory has 3 CA certificates in it.
+    
+    For the second problem, this patch let RemoteFetcher raises
+    RemoteFetcher::FetchError if a server returns HTTPS -> HTTP redirection.
+    Other type of redirection, HTTP -> HTTP, HTTPS -> HTTPS and HTTP ->
+    HTTPS are allowed as before like open-uri.rb
+    
+    The second issue is rather harmless because RemoteFetcher does not send
+    Cookie nor Referer to the server (Those resources for HTTPS site must
+    not be sent to HTTP site.)  However, by following HTTPS -> HTTP
+    redirection, an attacker can inject malicious gem contents into the
+    user's environment who expected secure content download from HTTPS site
+    by using HTTPS repository.
+
+diff --git a/lib/rubygems/config_file.rb b/lib/rubygems/config_file.rb
+index d77dbd9..136e8b4 100644
+--- a/lib/rubygems/config_file.rb
++++ b/lib/rubygems/config_file.rb
+@@ -131,6 +131,16 @@ class Gem::ConfigFile
+   attr_reader :api_keys
+ 
+   ##
++  # openssl verify mode value, used for remote https connection
++
++  attr_reader :ssl_verify_mode
++
++  ##
++  # Path name of directory or file of openssl CA certificate, used for remote https connection
++
++  attr_reader :ssl_ca_cert
++
++  ##
+   # Create the config file object.  +args+ is the list of arguments
+   # from the command line.
+   #
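Review bot: The comment on `ssl_verify_mode` does not say which values are accepted or what they mean, even though this setting can switch certificate checking off. Judging by the tests later in this patch, the value is the integer OpenSSL constant, so I would spell that out, e.g. `# OpenSSL verify mode as an Integer (0 = VERIFY_NONE, disables certificate checks; 1 = VERIFY_PEER, used when unset)`. The `ssl_ca_cert` comment could likewise state that setting it replaces the default store and the bundled certificates rather than adding to them, which is what configure_connection_for_https does in the remote_fetcher.rb hunk.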
+@@ -192,6 +202,8 @@ class Gem::ConfigFile
+     @path             = @hash[:gempath]          if @hash.key? :gempath
+     @update_sources   = @hash[:update_sources]   if @hash.key? :update_sources
+     @verbose          = @hash[:verbose]          if @hash.key? :verbose
++    @ssl_verify_mode  = @hash[:ssl_verify_mode]  if @hash.key? :ssl_verify_mode
++    @ssl_ca_cert      = @hash[:ssl_ca_cert]      if @hash.key? :ssl_ca_cert
+ 
+     load_api_keys
+ 
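Review bot: Both new settings are copied from the YAML hash as-is, so a non-integer `:ssl_verify_mode` (for example the string `VERIFY_PEER`) or an empty `:ssl_ca_cert:` key reaches the fetcher unchecked. An empty key loads as nil and quietly falls back to the default store, while a wrong type for the mode would presumably only fail once a connection is being set up. A small check here, such as `raise ArgumentError, ':ssl_verify_mode must be an Integer' unless @ssl_verify_mode.nil? || @ssl_verify_mode.is_a?(Integer)`, would surface the mistake at load time. The enclosing initializer starts and ends outside this hunk.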
+diff --git a/lib/rubygems/remote_fetcher.rb b/lib/rubygems/remote_fetcher.rb
+index e0d1298..0229637 100644
+--- a/lib/rubygems/remote_fetcher.rb
++++ b/lib/rubygems/remote_fetcher.rb
+@@ -210,6 +210,11 @@ class Gem::RemoteFetcher
+       raise FetchError.new('too many redirects', uri) if depth > 10
+ 
+       location = URI.parse response['Location']
++
++      if https?(uri) && !https?(location)
++        raise FetchError.new("redirecting to non-https resource: #{location}", uri)
++      end
++
+       fetch_http(location, last_modified, head, depth + 1)
+     else
+       raise FetchError.new("bad response #{response.message} #{response.code}", uri)
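Review bot: The new guard calls `https?(location)`, and `https?` (added in the last remote_fetcher.rb hunk) does `uri.scheme.downcase`, so a redirect whose Location is relative or has no scheme raises NoMethodError on nil instead of a FetchError. Making the helper nil-safe, `uri.scheme.to_s.downcase == 'https'`, lets such a redirect from an HTTPS source fail closed through the `redirecting to non-https resource` error. A one-line comment above the check saying why the downgrade is refused (the gem body would arrive over an unauthenticated channel) would also help the next reader. The enclosing method, apparently fetch_http, starts and ends outside this hunk.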
+@@ -313,18 +318,42 @@ class Gem::RemoteFetcher
+     connection = @connections[connection_id]
+ 
+     if uri.scheme == 'https' and not connection.started? then
+-      require 'net/https'
+-      connection.use_ssl = true
+-      connection.verify_mode = OpenSSL::SSL::VERIFY_NONE
++      configure_connection_for_https(connection)
+     end
+ 
+     connection.start unless connection.started?
+ 
+     connection
+-  rescue Errno::EHOSTDOWN => e
++  rescue OpenSSL::SSL::SSLError, Errno::EHOSTDOWN => e
+     raise FetchError.new(e.message, uri)
+   end
+ 
++  def configure_connection_for_https(connection)
++    require 'net/https'
++    connection.use_ssl = true
++    connection.verify_mode =
++      Gem.configuration.ssl_verify_mode || OpenSSL::SSL::VERIFY_PEER
++    store = OpenSSL::X509::Store.new
++    if Gem.configuration.ssl_ca_cert
++      if File.directory? Gem.configuration.ssl_ca_cert
++        store.add_path Gem.configuration.ssl_ca_cert
++      else
++        store.add_file Gem.configuration.ssl_ca_cert
++      end
++    else
++      store.set_default_paths
++      add_rubygems_trusted_certs(store)
++    end
++    connection.cert_store = store
++  end
++
++  def add_rubygems_trusted_certs(store)
++    pattern = File.expand_path("./ssl_certs/*.pem", File.dirname(__FILE__))
++    Dir.glob(pattern).each do |ssl_cert_file|
++      store.add_file ssl_cert_file
++    end
++  end
++
+   def correct_for_windows_path(path)
+     if path[0].chr == '/' && path[1].chr =~ /[a-z]/i && path[2].chr == ':'
+       path = path[1..-1]
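Review bot: A bad `:ssl_ca_cert` value escapes the error handling this hunk widens. `store.add_file` in configure_connection_for_https raises OpenSSL::X509::StoreError for a missing or non-PEM file, and as far as I know that class is not under OpenSSL::SSL::SSLError, so the caller sees a raw OpenSSL exception rather than a FetchError. Adding it to the clause, `rescue OpenSSL::SSL::SSLError, OpenSSL::X509::StoreError, Errno::EHOSTDOWN => e`, keeps the failure in the fetcher's own error type. The two new methods also have no comments; configure_connection_for_https deserves a line stating that `ssl_ca_cert` replaces, rather than extends, the default and bundled trust roots. The method holding the rescue starts outside the hunk.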
+@@ -465,5 +494,9 @@ class Gem::RemoteFetcher
+     ua
+   end
+ 
++  def https?(uri)
++    uri.scheme.downcase == 'https'
++  end
++
+ end
+ 
+diff --git a/lib/rubygems/ssl_certs/AddTrustExternalCARoot.pem b/lib/rubygems/ssl_certs/AddTrustExternalCARoot.pem
+new file mode 100644
+index 0000000..580158f
+--- /dev/null
++++ b/lib/rubygems/ssl_certs/AddTrustExternalCARoot.pem
+@@ -0,0 +1,90 @@
++This CA certificate is for verifying HTTPS connection to;
++  - https://rubygems.org/ (obtained by RubyGems team)
++
++Certificate:
++    Data:
++        Version: 3 (0x2)
++        Serial Number: 1 (0x1)
++    Signature Algorithm: sha1WithRSAEncryption
++        Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
++        Validity
++            Not Before: May 30 10:48:38 2000 GMT
++            Not After : May 30 10:48:38 2020 GMT
++        Subject: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
++        Subject Public Key Info:
++            Public Key Algorithm: rsaEncryption
++                Public-Key: (2048 bit)
++                Modulus:
++                    00:b7:f7:1a:33:e6:f2:00:04:2d:39:e0:4e:5b:ed:
++                    1f:bc:6c:0f:cd:b5:fa:23:b6:ce:de:9b:11:33:97:
++                    a4:29:4c:7d:93:9f:bd:4a:bc:93:ed:03:1a:e3:8f:
++                    cf:e5:6d:50:5a:d6:97:29:94:5a:80:b0:49:7a:db:
++                    2e:95:fd:b8:ca:bf:37:38:2d:1e:3e:91:41:ad:70:
++                    56:c7:f0:4f:3f:e8:32:9e:74:ca:c8:90:54:e9:c6:
++                    5f:0f:78:9d:9a:40:3c:0e:ac:61:aa:5e:14:8f:9e:
++                    87:a1:6a:50:dc:d7:9a:4e:af:05:b3:a6:71:94:9c:
++                    71:b3:50:60:0a:c7:13:9d:38:07:86:02:a8:e9:a8:
++                    69:26:18:90:ab:4c:b0:4f:23:ab:3a:4f:84:d8:df:
++                    ce:9f:e1:69:6f:bb:d7:42:d7:6b:44:e4:c7:ad:ee:
++                    6d:41:5f:72:5a:71:08:37:b3:79:65:a4:59:a0:94:
++                    37:f7:00:2f:0d:c2:92:72:da:d0:38:72:db:14:a8:
++                    45:c4:5d:2a:7d:b7:b4:d6:c4:ee:ac:cd:13:44:b7:
++                    c9:2b:dd:43:00:25:fa:61:b9:69:6a:58:23:11:b7:
++                    a7:33:8f:56:75:59:f5:cd:29:d7:46:b7:0a:2b:65:
++                    b6:d3:42:6f:15:b2:b8:7b:fb:ef:e9:5d:53:d5:34:
++                    5a:27
++                Exponent: 65537 (0x10001)
++        X509v3 extensions:
++            X509v3 Subject Key Identifier: 
++                AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A
++            X509v3 Key Usage: 
++                Certificate Sign, CRL Sign
++            X509v3 Basic Constraints: critical
++                CA:TRUE
++            X509v3 Authority Key Identifier: 
++                keyid:AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A
++                DirName:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
++                serial:01
++
++    Signature Algorithm: sha1WithRSAEncryption
++         b0:9b:e0:85:25:c2:d6:23:e2:0f:96:06:92:9d:41:98:9c:d9:
++         84:79:81:d9:1e:5b:14:07:23:36:65:8f:b0:d8:77:bb:ac:41:
++         6c:47:60:83:51:b0:f9:32:3d:e7:fc:f6:26:13:c7:80:16:a5:
++         bf:5a:fc:87:cf:78:79:89:21:9a:e2:4c:07:0a:86:35:bc:f2:
++         de:51:c4:d2:96:b7:dc:7e:4e:ee:70:fd:1c:39:eb:0c:02:51:
++         14:2d:8e:bd:16:e0:c1:df:46:75:e7:24:ad:ec:f4:42:b4:85:
++         93:70:10:67:ba:9d:06:35:4a:18:d3:2b:7a:cc:51:42:a1:7a:
++         63:d1:e6:bb:a1:c5:2b:c2:36:be:13:0d:e6:bd:63:7e:79:7b:
++         a7:09:0d:40:ab:6a:dd:8f:8a:c3:f6:f6:8c:1a:42:05:51:d4:
++         45:f5:9f:a7:62:21:68:15:20:43:3c:99:e7:7c:bd:24:d8:a9:
++         91:17:73:88:3f:56:1b:31:38:18:b4:71:0f:9a:cd:c8:0e:9e:
++         8e:2e:1b:e1:8c:98:83:cb:1f:31:f1:44:4c:c6:04:73:49:76:
++         60:0f:c7:f8:bd:17:80:6b:2e:e9:cc:4c:0e:5a:9a:79:0f:20:
++         0a:2e:d5:9e:63:26:1e:55:92:94:d8:82:17:5a:7b:d0:bc:c7:
++         8f:4e:86:04
++
++-----BEGIN CERTIFICATE-----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++-----END CERTIFICATE-----
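Review bot: The three files added under lib/rubygems/ssl_certs/ become extra trust anchors for every HTTPS gem source, not only the hosts named in their headers, because add_rubygems_trusted_certs loads every `*.pem` in that directory next to the system defaults. The dumps in this patch show that they need upkeep: this root has Not After May 30 2020, the Entrust root expires May 25 2019 and has a 1024-bit key with exponent 3, and the VeriSign G2 root is also 1024-bit. I would add a header line to each file recording when it was fetched and who reviews it, and plan for refreshing the directory before those dates. A distribution that maintains its own CA bundle may prefer to rely on `set_default_paths` alone.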
+diff --git a/lib/rubygems/ssl_certs/Entrust_net-Secure-Server-Certification-Authority.pem b/lib/rubygems/ssl_certs/Entrust_net-Secure-Server-Certification-Authority.pem
+new file mode 100644
+index 0000000..b48d9cd
+--- /dev/null
++++ b/lib/rubygems/ssl_certs/Entrust_net-Secure-Server-Certification-Authority.pem
+@@ -0,0 +1,90 @@
++This CA certificate is for verifying HTTPS connection to;
++  - https://d2chzxaqi4y7f8.cloudfront.net/ (prepared by AWS)
++
++Certificate:
++    Data:
++        Version: 3 (0x2)
++        Serial Number: 927650371 (0x374ad243)
++    Signature Algorithm: sha1WithRSAEncryption
++        Issuer: C=US, O=Entrust.net, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Secure Server Certification Authority
++        Validity
++            Not Before: May 25 16:09:40 1999 GMT
++            Not After : May 25 16:39:40 2019 GMT
++        Subject: C=US, O=Entrust.net, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Secure Server Certification Authority
++        Subject Public Key Info:
++            Public Key Algorithm: rsaEncryption
++                Public-Key: (1024 bit)
++                Modulus:
++                    00:cd:28:83:34:54:1b:89:f3:0f:af:37:91:31:ff:
++                    af:31:60:c9:a8:e8:b2:10:68:ed:9f:e7:93:36:f1:
++                    0a:64:bb:47:f5:04:17:3f:23:47:4d:c5:27:19:81:
++                    26:0c:54:72:0d:88:2d:d9:1f:9a:12:9f:bc:b3:71:
++                    d3:80:19:3f:47:66:7b:8c:35:28:d2:b9:0a:df:24:
++                    da:9c:d6:50:79:81:7a:5a:d3:37:f7:c2:4a:d8:29:
++                    92:26:64:d1:e4:98:6c:3a:00:8a:f5:34:9b:65:f8:
++                    ed:e3:10:ff:fd:b8:49:58:dc:a0:de:82:39:6b:81:
++                    b1:16:19:61:b9:54:b6:e6:43
++                Exponent: 3 (0x3)
++        X509v3 extensions:
++            Netscape Cert Type: 
++                SSL CA, S/MIME CA, Object Signing CA
++            X509v3 CRL Distribution Points: 
++
++                Full Name:
++                  DirName: C = US, O = Entrust.net, OU = www.entrust.net/CPS incorp. by ref. (limits liab.), OU = (c) 1999 Entrust.net Limited, CN = Entrust.net Secure Server Certification Authority, CN = CRL1
++
++                Full Name:
++                  URI:http://www.entrust.net/CRL/net1.crl
++
++            X509v3 Private Key Usage Period: 
++                Not Before: May 25 16:09:40 1999 GMT, Not After: May 25 16:09:40 2019 GMT
++            X509v3 Key Usage: 
++                Certificate Sign, CRL Sign
++            X509v3 Authority Key Identifier: 
++                keyid:F0:17:62:13:55:3D:B3:FF:0A:00:6B:FB:50:84:97:F3:ED:62:D0:1A
++
++            X509v3 Subject Key Identifier: 
++                F0:17:62:13:55:3D:B3:FF:0A:00:6B:FB:50:84:97:F3:ED:62:D0:1A
++            X509v3 Basic Constraints: 
++                CA:TRUE
++            1.2.840.113533.7.65.0: 
++                0
++..V4.0....
++    Signature Algorithm: sha1WithRSAEncryption
++         90:dc:30:02:fa:64:74:c2:a7:0a:a5:7c:21:8d:34:17:a8:fb:
++         47:0e:ff:25:7c:8d:13:0a:fb:e4:98:b5:ef:8c:f8:c5:10:0d:
++         f7:92:be:f1:c3:d5:d5:95:6a:04:bb:2c:ce:26:36:65:c8:31:
++         c6:e7:ee:3f:e3:57:75:84:7a:11:ef:46:4f:18:f4:d3:98:bb:
++         a8:87:32:ba:72:f6:3c:e2:3d:9f:d7:1d:d9:c3:60:43:8c:58:
++         0e:22:96:2f:62:a3:2c:1f:ba:ad:05:ef:ab:32:78:87:a0:54:
++         73:19:b5:5c:05:f9:52:3e:6d:2d:45:0b:f7:0a:93:ea:ed:06:
++         f9:b2
++
++-----BEGIN CERTIFICATE-----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=
++-----END CERTIFICATE-----
+diff --git a/lib/rubygems/ssl_certs/VerisignClass3PublicPrimaryCertificationAuthority-G2.pem b/lib/rubygems/ssl_certs/VerisignClass3PublicPrimaryCertificationAuthority-G2.pem
+new file mode 100644
+index 0000000..43bad3e
+--- /dev/null
++++ b/lib/rubygems/ssl_certs/VerisignClass3PublicPrimaryCertificationAuthority-G2.pem
+@@ -0,0 +1,57 @@
++This CA certificate is for verifying HTTPS connection to;
++  - https://s3.amazon.com/ (prepared by AWS)
++
++Certificate:
++    Data:
++        Version: 1 (0x0)
++        Serial Number:
++            7d:d9:fe:07:cf:a8:1e:b7:10:79:67:fb:a7:89:34:c6
++    Signature Algorithm: sha1WithRSAEncryption
++        Issuer: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority - G2, OU=(c) 1998 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network
++        Validity
++            Not Before: May 18 00:00:00 1998 GMT
++            Not After : Aug  1 23:59:59 2028 GMT
++        Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority - G2, OU=(c) 1998 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network
++        Subject Public Key Info:
++            Public Key Algorithm: rsaEncryption
++                Public-Key: (1024 bit)
++                Modulus:
++                    00:cc:5e:d1:11:5d:5c:69:d0:ab:d3:b9:6a:4c:99:
++                    1f:59:98:30:8e:16:85:20:46:6d:47:3f:d4:85:20:
++                    84:e1:6d:b3:f8:a4:ed:0c:f1:17:0f:3b:f9:a7:f9:
++                    25:d7:c1:cf:84:63:f2:7c:63:cf:a2:47:f2:c6:5b:
++                    33:8e:64:40:04:68:c1:80:b9:64:1c:45:77:c7:d8:
++                    6e:f5:95:29:3c:50:e8:34:d7:78:1f:a8:ba:6d:43:
++                    91:95:8f:45:57:5e:7e:c5:fb:ca:a4:04:eb:ea:97:
++                    37:54:30:6f:bb:01:47:32:33:cd:dc:57:9b:64:69:
++                    61:f8:9b:1d:1c:89:4f:5c:67
++                Exponent: 65537 (0x10001)
++    Signature Algorithm: sha1WithRSAEncryption
++         51:4d:cd:be:5c:cb:98:19:9c:15:b2:01:39:78:2e:4d:0f:67:
++         70:70:99:c6:10:5a:94:a4:53:4d:54:6d:2b:af:0d:5d:40:8b:
++         64:d3:d7:ee:de:56:61:92:5f:a6:c4:1d:10:61:36:d3:2c:27:
++         3c:e8:29:09:b9:11:64:74:cc:b5:73:9f:1c:48:a9:bc:61:01:
++         ee:e2:17:a6:0c:e3:40:08:3b:0e:e7:eb:44:73:2a:9a:f1:69:
++         92:ef:71:14:c3:39:ac:71:a7:91:09:6f:e4:71:06:b3:ba:59:
++         57:26:79:00:f6:f8:0d:a2:33:30:28:d4:aa:58:a0:9d:9d:69:
++         91:fd
++
++-----BEGIN CERTIFICATE-----
++MIIDAjCCAmsCEH3Z/gfPqB63EHln+6eJNMYwDQYJKoZIhvcNAQEFBQAwgcExCzAJ
++BgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE8MDoGA1UECxMzQ2xh
++c3MgMyBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEcy
++MTowOAYDVQQLEzEoYykgMTk5OCBWZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRob3Jp
++emVkIHVzZSBvbmx5MR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMB4X
++DTk4MDUxODAwMDAwMFoXDTI4MDgwMTIzNTk1OVowgcExCzAJBgNVBAYTAlVTMRcw
++FQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE8MDoGA1UECxMzQ2xhc3MgMyBQdWJsaWMg
++UHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEcyMTowOAYDVQQLEzEo
++YykgMTk5OCBWZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5
++MR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMIGfMA0GCSqGSIb3DQEB
++AQUAA4GNADCBiQKBgQDMXtERXVxp0KvTuWpMmR9ZmDCOFoUgRm1HP9SFIIThbbP4
++pO0M8RcPO/mn+SXXwc+EY/J8Y8+iR/LGWzOOZEAEaMGAuWQcRXfH2G71lSk8UOg0
++13gfqLptQ5GVj0VXXn7F+8qkBOvqlzdUMG+7AUcyM83cV5tkaWH4mx0ciU9cZwID
++AQABMA0GCSqGSIb3DQEBBQUAA4GBAFFNzb5cy5gZnBWyATl4Lk0PZ3BwmcYQWpSk
++U01UbSuvDV1Ai2TT1+7eVmGSX6bEHRBhNtMsJzzoKQm5EWR0zLVznxxIqbxhAe7i
++F6YM40AIOw7n60RzKprxaZLvcRTDOaxxp5EJb+RxBrO6WVcmeQD2+A2iMzAo1KpY
++oJ2daZH9
++-----END CERTIFICATE-----
+diff --git a/test/rubygems/ca_cert.pem b/test/rubygems/ca_cert.pem
+new file mode 100644
+index 0000000..5acdcf8
+--- /dev/null
++++ b/test/rubygems/ca_cert.pem
+@@ -0,0 +1,45 @@
++-----BEGIN CERTIFICATE-----
++MIID0DCCArigAwIBAgIBADANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGDAJKUDES
++MBAGA1UECgwJSklOLkdSLkpQMQwwCgYDVQQLDANSUlIxCzAJBgNVBAMMAkNBMB4X
++DTA0MDEzMDAwNDIzMloXDTM2MDEyMjAwNDIzMlowPDELMAkGA1UEBgwCSlAxEjAQ
++BgNVBAoMCUpJTi5HUi5KUDEMMAoGA1UECwwDUlJSMQswCQYDVQQDDAJDQTCCASIw
++DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANbv0x42BTKFEQOE+KJ2XmiSdZpR
++wjzQLAkPLRnLB98tlzs4xo+y4RyY/rd5TT9UzBJTIhP8CJi5GbS1oXEerQXB3P0d
++L5oSSMwGGyuIzgZe5+vZ1kgzQxMEKMMKlzA73rbMd4Jx3u5+jdbP0EDrPYfXSvLY
++bS04n2aX7zrN3x5KdDrNBfwBio2/qeaaj4+9OxnwRvYP3WOvqdW0h329eMfHw0pi
++JI0drIVdsEqClUV4pebT/F+CPUPkEh/weySgo9wANockkYu5ujw2GbLFcO5LXxxm
++dEfcVr3r6t6zOA4bJwL0W/e6LBcrwiG/qPDFErhwtgTLYf6Er67SzLyA66UCAwEA
++AaOB3DCB2TAPBgNVHRMBAf8EBTADAQH/MDEGCWCGSAGG+EIBDQQkFiJSdWJ5L09w
++ZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBRJ7Xd380KzBV7f
++USKIQ+O/vKbhDzAOBgNVHQ8BAf8EBAMCAQYwZAYDVR0jBF0wW4AUSe13d/NCswVe
++31EiiEPjv7ym4Q+hQKQ+MDwxCzAJBgNVBAYMAkpQMRIwEAYDVQQKDAlKSU4uR1Iu
++SlAxDDAKBgNVBAsMA1JSUjELMAkGA1UEAwwCQ0GCAQAwDQYJKoZIhvcNAQEFBQAD
++ggEBAIu/mfiez5XN5tn2jScgShPgHEFJBR0BTJBZF6xCk0jyqNx/g9HMj2ELCuK+
++r/Y7KFW5c5M3AQ+xWW0ZSc4kvzyTcV7yTVIwj2jZ9ddYMN3nupZFgBK1GB4Y05GY
++MJJFRkSu6d/Ph5ypzBVw2YMT/nsOo5VwMUGLgS7YVjU+u/HNWz80J3oO17mNZllj
++PvORJcnjwlroDnS58KoJ7GDgejv3ESWADvX1OHLE4cRkiQGeLoEU4pxdCxXRqX0U
++PbwIkZN9mXVcrmPHq8MWi4eC/V7hnbZETMHuWhUoiNdOEfsAXr3iP4KjyyRdwc7a
++d/xgcK06UVQRL/HbEYGiQL056mc=
++-----END CERTIFICATE-----
++
++-----BEGIN CERTIFICATE-----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++-----END CERTIFICATE-----
+diff --git a/test/rubygems/ssl_cert.pem b/test/rubygems/ssl_cert.pem
+new file mode 100644
+index 0000000..998ccc5
+--- /dev/null
++++ b/test/rubygems/ssl_cert.pem
+@@ -0,0 +1,19 @@
++-----BEGIN CERTIFICATE-----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++-----END CERTIFICATE-----
+diff --git a/test/rubygems/ssl_key.pem b/test/rubygems/ssl_key.pem
+new file mode 100644
+index 0000000..9ba2218
+--- /dev/null
++++ b/test/rubygems/ssl_key.pem
+@@ -0,0 +1,15 @@
++-----BEGIN RSA PRIVATE KEY-----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++-----END RSA PRIVATE KEY-----
+diff --git a/test/rubygems/test_gem_config_file.rb b/test/rubygems/test_gem_config_file.rb
+index 34c1953..702ac95 100644
+--- a/test/rubygems/test_gem_config_file.rb
++++ b/test/rubygems/test_gem_config_file.rb
+@@ -52,6 +52,8 @@ class TestGemConfigFile < Gem::TestCase
+       fp.puts ":gempath:"
+       fp.puts "- /usr/ruby/1.8/lib/ruby/gems/1.8"
+       fp.puts "- /var/ruby/1.8/gem_home"
++      fp.puts ":ssl_verify_mode: 0"
++      fp.puts ":ssl_ca_cert: /etc/ssl/certs"
+     end
+ 
+     util_config_file
+@@ -65,6 +67,8 @@ class TestGemConfigFile < Gem::TestCase
+     assert_equal '--wrappers', @cfg[:install]
+     assert_equal(['/usr/ruby/1.8/lib/ruby/gems/1.8', '/var/ruby/1.8/gem_home'],
+                  @cfg.path)
++    assert_equal 0, @cfg.ssl_verify_mode
++    assert_equal '/etc/ssl/certs', @cfg.ssl_ca_cert
+   end
+ 
+   def test_initialize_handle_arguments_config_file
+@@ -291,6 +295,22 @@ class TestGemConfigFile < Gem::TestCase
+                   :other => 'a5fdbb6ba150cbb83aad2bb2fede64c'}, @cfg.api_keys)
+   end
+ 
++  def test_load_ssl_verify_mode_from_config
++    File.open @temp_conf, 'w' do |fp|
++      fp.puts ":ssl_verify_mode: 1"
++    end
++    util_config_file
++    assert_equal(1, @cfg.ssl_verify_mode)
++  end
++
++  def test_load_ssl_ca_cert_from_config
++    File.open @temp_conf, 'w' do |fp|
++      fp.puts ":ssl_ca_cert: /home/me/certs"
++    end
++    util_config_file
++    assert_equal('/home/me/certs', @cfg.ssl_ca_cert)
++  end
++
+   def util_config_file(args = @cfg_args)
+     @cfg = Gem::ConfigFile.new args
+   end
+diff --git a/test/rubygems/test_gem_remote_fetcher.rb b/test/rubygems/test_gem_remote_fetcher.rb
+index 3bdba5e..6d370cf 100644
+--- a/test/rubygems/test_gem_remote_fetcher.rb
++++ b/test/rubygems/test_gem_remote_fetcher.rb
+@@ -1,6 +1,7 @@
+ require 'rubygems/test_case'
+ require 'ostruct'
+ require 'webrick'
++require 'webrick/https'
+ require 'rubygems/remote_fetcher'
+ require 'rubygems/format'
+ 
+@@ -73,6 +74,8 @@ gems:
+   PROXY_PORT = process_based_port + 100 + $1.to_i * 100 + $2.to_i * 10 + $3.to_i
+   SERVER_PORT = process_based_port + 200 + $1.to_i * 100 + $2.to_i * 10 + $3.to_i
+ 
++  DIR = File.expand_path(File.dirname(__FILE__))
++
+   def setup
+     super
+     self.class.start_servers
+@@ -740,6 +743,53 @@ gems:
+     end
+   end
+ 
++  def test_ssl_connection
++    ssl_server = self.class.start_ssl_server
++    temp_ca_cert = File.join(DIR, 'ca_cert.pem')
++    with_configured_fetcher(":ssl_ca_cert: #{temp_ca_cert}") do |fetcher|
++      fetcher.fetch_path("https://localhost:#{ssl_server.config[:Port]}/yaml")
++    end
++  end
++
++  def test_do_not_allow_insecure_ssl_connection_by_default
++    ssl_server = self.class.start_ssl_server
++    with_configured_fetcher do |fetcher|
++      assert_raises Gem::RemoteFetcher::FetchError do
++        fetcher.fetch_path("https://localhost:#{ssl_server.config[:Port]}/yaml")
++      end
++    end
++  end
++
++  def test_ssl_connection_allow_verify_none
++    ssl_server = self.class.start_ssl_server
++    with_configured_fetcher(":ssl_verify_mode: 0") do |fetcher|
++      fetcher.fetch_path("https://localhost:#{ssl_server.config[:Port]}/yaml")
++    end
++  end
++
++  def test_do_not_follow_insecure_redirect
++    ssl_server = self.class.start_ssl_server
++    temp_ca_cert = File.join(DIR, 'ca_cert.pem'),
++    with_configured_fetcher(":ssl_ca_cert: #{temp_ca_cert}") do |fetcher|
++      assert_raises Gem::RemoteFetcher::FetchError do
++        fetcher.fetch_path("https://localhost:#{ssl_server.config[:Port]}/insecure_redirect?to=#{@server_uri}")
++      end
++    end
++  end
++
++  def with_configured_fetcher(config_str = nil, &block)
++    if config_str
++      temp_conf = File.join @tempdir, '.gemrc'
++      File.open temp_conf, 'w' do |fp|
++        fp.puts config_str
++      end
++      Gem.configuration = Gem::ConfigFile.new %W[--config-file #{temp_conf}]
++    end
++    yield Gem::RemoteFetcher.new
++  ensure
++    Gem.configuration = nil
++  end
++
+   def util_stub_connection_for hash
+     def @fetcher.connection= conn
+       @conn = conn
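Review bot: The trailing comma after `File.join(DIR, 'ca_cert.pem'),` in test_do_not_follow_insecure_redirect turns the statement into a multiple-value assignment whose second element is the whole `with_configured_fetcher ... end` call. While that call is evaluated `temp_ca_cert` is still nil, so the fetcher is configured with an empty `:ssl_ca_cert:`, and the FetchError the test expects most likely comes from certificate verification against the default store, not from the redirect guard. Dropping the comma, `temp_ca_cert = File.join(DIR, 'ca_cert.pem')`, makes the test exercise the HTTPS -> HTTP check, and asserting on the message (`redirecting to non-https resource`) would pin it. test_ssl_connection and test_ssl_connection_allow_verify_none also assert nothing about the fetched body.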
+@@ -802,6 +852,49 @@ gems:
+       @enable_zip = false
+     end
+ 
++    DIR = File.expand_path(File.dirname(__FILE__))
++    DH_PARAM = OpenSSL::PKey::DH.new(128)
++
++    def start_ssl_server(config = {})
++      null_logger = NilLog.new
++      server = WEBrick::HTTPServer.new({
++        :Port => 0,
++        :Logger => null_logger,
++        :AccessLog => [],
++        :SSLEnable => true,
++        :SSLCACertificateFile => File.join(DIR, 'ca_cert.pem'),
++        :SSLCertificate => cert('ssl_cert.pem'),
++        :SSLPrivateKey => key('ssl_key.pem'),
++        :SSLVerifyClient => nil,
++        :SSLCertName => nil
++      }.merge(config))
++      server.mount_proc("/yaml") { |req, res|
++        res.body = "--- true\n"
++      }
++      server.mount_proc("/insecure_redirect") { |req, res|
++        res.set_redirect(WEBrick::HTTPStatus::MovedPermanently, req.query['to'])
++      }
++      server.ssl_context.tmp_dh_callback = proc { DH_PARAM }
++      t = Thread.new do
++        begin
++          server.start
++        rescue Exception => ex
++          abort ex.message
++          puts "ERROR during server thread: #{ex.message}"
++        end
++      end
++      while server.status != :Running
++        sleep 0.1
++        unless t.alive?
++          t.join
++          raise
++        end
++      end
++      server
++    end
++
++
++
+     private
+ 
+     def start_server(port, data)
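Review bot: In start_ssl_server the `puts` after `abort ex.message` can never run, and `abort` inside the `rescue Exception` catch-all ends the whole test process on any server-thread error. The bare `raise` in the wait loop has no current exception to re-raise, so it would surface as an unrelated RuntimeError. I would drop the begin/rescue so that `t.join` re-raises the thread's own exception, and replace the bare raise with `raise 'SSL test server exited before reaching :Running'`. The servers started here are also never shut down, and `OpenSSL::PKey::DH.new(128)` deserves a comment that the tiny parameter is for test speed only (newer OpenSSL builds may refuse it).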
+@@ -844,6 +937,14 @@ gems:
+       end
+       sleep 0.2                 # Give the servers time to startup
+     end
++
++    def cert(filename)
++      OpenSSL::X509::Certificate.new(File.read(File.join(DIR, filename)))
++    end
++
++    def key(filename)
++      OpenSSL::PKey::RSA.new(File.read(File.join(DIR, filename)))
++    end
+   end
+ 
+   def test_correct_for_windows_path
diff --git a/rubygems.spec b/rubygems.spec
index a8a68a4..4390a27 100644
--- a/rubygems.spec
+++ b/rubygems.spec
@@ -15,7 +15,7 @@
 Summary:	The Ruby standard for packaging ruby libraries
 Name:		rubygems
 Version:	1.7.2
-Release:	4%{?dist}
+Release:	5%{?dist}
 Group:		Development/Libraries
 # No GPL version is specified.
 License:	Ruby or GPL+
@@ -39,6 +39,8 @@ Patch5:		rubygems-1.7.2-read-gemspec-with-Z-dateformat.patch
 Patch6:		rubygems-1.7.2-escape-string.patch
 # ... and spec_file is not supported yet
 Patch7:		rubygems-1.7.2-escape-string-skip-test.patch
+# Insecure connection to SSL repository fix
+Patch10:	rubygems-1.x.x-ssl-connection-don_t-revert.patch
 
 Requires:	ruby(abi) = 1.8
 Requires:	ruby >= 1.8.7
@@ -78,6 +80,7 @@ Macros and development tools for packagin RubyGems.
 %patch5 -p1 -b .readZ
 %patch6 -p1 -b .esc
 %patch7 -p1 -b .esc.skip
+%patch10 -p1 -b .ssl
 
 # Some of the library files start with #! which rpmlint doesn't like
 # and doesn't make much sense
@@ -149,6 +152,9 @@ rake test || :
 %config(noreplace)  %{_sysconfdir}/rpm/macros.rubygems
 
 %changelog
+* Sat Apr 21 2012 Mamoru Tasaka <mtasaka at fedoraproject.org> - 1.7.2-5
+- Backport fix for insecure connection to SSL repository (bug 814718)
+
 * Thu Jan 26 2012 Mamoru Tasaka <mtasaka at fedoraproject.org> - 1.7.2-4
 - Provide -devel package except for %%gem_extdir 
 

