File 0002-add-no_tlsv1_1-to-binder-config-etc.patch of Package rubygem-puma.16022

From 075606f57b588f5edf6c04f7ff42e69f4b3a9cf9 Mon Sep 17 00:00:00 2001
From: dmaiocchi <dmaiocchi@suse.com>
Date: Fri, 31 Jul 2020 18:12:26 +0200
Subject: [PATCH] add no_tlsv1_1 to binder, config, etc
---
 ext/puma_http11/org/jruby/puma/MiniSSL.java |   4 +
 lib/puma/binder.rb                          |   1 +
 lib/puma/dsl.rb                             |  68 ++++++++-
 test/test_binder.rb                         |  85 +++++++++--
 test/test_config.rb                         | 159 ++++++++++++++------
 5 files changed, 259 insertions(+), 58 deletions(-)

diff --git a/ext/puma_http11/org/jruby/puma/MiniSSL.java b/ext/puma_http11/org/jruby/puma/MiniSSL.java
index 830e5699..82464255 100644
--- a/ext/puma_http11/org/jruby/puma/MiniSSL.java
+++ b/ext/puma_http11/org/jruby/puma/MiniSSL.java
@@ -165,6 +165,10 @@ public class MiniSSL extends RubyObject {
         protocols = new String[] { "TLSv1", "TLSv1.1", "TLSv1.2" };
     }
 
+    if(miniSSLContext.callMethod(threadContext, "no_tlsv1_1").isTrue()) {
+        protocols = new String[] { "TLSv1.2" };
+    }
+
     engine.setEnabledProtocols(protocols);
     engine.setUseClientMode(false);
 
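Review bot: `miniSSLContext.callMethod(threadContext, "no_tlsv1_1")` needs a `no_tlsv1_1` reader on the Ruby context object, and the `ctx.no_tlsv1_1 = true` line added in lib/puma/binder.rb needs the matching writer, but the diffstat lists no file that would define either. If no other patch in the series adds the accessor, setting the option raises NoMethodError. It is also not visible here that the non-JRuby SSL implementation reads the flag; if it does not, TLS 1.1 would stay enabled there without any error. Confirm both before relying on this option, and add a comment such as `// no_tlsv1_1 also disables TLSv1: only TLSv1.2 remains enabled` above the new `if`, since it overrides whatever the preceding branch chose. The enclosing method starts and ends outside the hunk.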
diff --git a/lib/puma/binder.rb b/lib/puma/binder.rb
index 5a2c618c..b794446e 100644
--- a/lib/puma/binder.rb
+++ b/lib/puma/binder.rb
@@ -185,6 +185,7 @@ module Puma
           end
 
           ctx.no_tlsv1 = true if params['no_tlsv1'] == 'true'
+          ctx.no_tlsv1_1 = true if params['no_tlsv1_1'] == 'true'
 
           if params['verify_mode']
             ctx.verify_mode = case params['verify_mode']
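Review bot: The new line enables the restriction only for the exact string `'true'`; any other spelling (`True`, `1`, `yes`) is silently ignored and TLS 1.1 stays enabled, which is the unsafe direction for a hardening flag. Consider rejecting unrecognised values, e.g. `raise ArgumentError, "no_tlsv1_1 must be 'true' or 'false'" unless [nil, 'true', 'false'].include?(params['no_tlsv1_1'])`. The existing `no_tlsv1` line above it has the same behaviour. The enclosing block starts and ends outside the hunk.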
diff --git a/lib/puma/dsl.rb b/lib/puma/dsl.rb
index 8f78afba..73862845 100644
--- a/lib/puma/dsl.rb
+++ b/lib/puma/dsl.rb
@@ -1,3 +1,7 @@
+# frozen_string_literal: true
+
+require 'puma/const'
+
 module Puma
   # The methods that are available for use inside the config file.
   # These same methods are used in Puma cli and the rack handler
@@ -55,6 +59,14 @@ module Puma
       @plugins.clear
     end
 
+    def set_default_host(host)
+      @options[:default_host] = host
+    end
+
+    def default_host
+      @options[:default_host] || Configuration::DefaultTCPHost
+    end
+
     def inject(&blk)
       instance_eval(&blk)
     end
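Review bot: `set_default_host` and `default_host` are added without the doc comments that other DSL methods in this file carry, and `log_formatter` in a later hunk is likewise undocumented. Because `port` now falls back to `default_host`, this setting decides which address a bare `port` call binds to. It deserves a line such as `# Sets the host used by +port+ when no host is given (falls back to Configuration::DefaultTCPHost).`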
@@ -93,7 +105,12 @@ module Puma
       end
 
       if opts[:no_token]
-        auth_token = :none
+        # We need to use 'none' rather than :none because this value will be
+        # passed on to an instance of OptionParser, which doesn't support
+        # symbols as option values.
+        #
+        # See: https://github.com/puma/puma/issues/1193#issuecomment-305995488
+        auth_token = 'none'
       else
         auth_token = opts[:auth_token]
         auth_token ||= Configuration.random_token
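Review bot: With the sentinel changed from `:none` to the string `'none'`, an `auth_token: 'none'` picked up in the else branch is now indistinguishable from the no-token marker. If the consumer of this value treats `'none'` as "authentication disabled" (not visible in this hunk), an operator who chose that literal token would lose the protection without having set `no_token`. Consider rejecting it in the else branch, e.g. `raise ArgumentError, "auth_token 'none' is reserved; use no_token: true" if opts[:auth_token] == 'none'`. The enclosing method starts and ends outside the hunk.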
@@ -138,7 +155,7 @@ module Puma
     # Define the TCP port to bind to. Use +bind+ for more advanced options.
     #
     def port(port, host=nil)
-      host ||= Configuration::DefaultTCPHost
+      host ||= default_host
       bind "tcp://#{host}:#{port}"
     end
 
@@ -265,6 +282,10 @@ module Puma
       @options[:redirect_append] = append
     end
 
+    def log_formatter(&block)
+      @options[:log_formatter] = block
+    end
+
     # Configure +min+ to be the minimum number of threads to use to answer
     # requests and +max+ the maximum.
     #
@@ -286,12 +307,15 @@ module Puma
     def ssl_bind(host, port, opts)
       verify = opts.fetch(:verify_mode, 'none')
       no_tlsv1 = opts.fetch(:no_tlsv1, 'false')
+      no_tlsv1_1 = opts.fetch(:no_tlsv1_1, 'false')
+      ca_additions = "&ca=#{opts[:ca]}" if ['peer', 'force_peer'].include?(verify)
 
       if defined?(JRUBY_VERSION)
         keystore_additions = "keystore=#{opts[:keystore]}&keystore-pass=#{opts[:keystore_pass]}"
-        bind "ssl://#{host}:#{port}?cert=#{opts[:cert]}&key=#{opts[:key]}&#{keystore_additions}&verify_mode=#{verify}&no_tlsv1=#{no_tlsv1}"
+        bind "ssl://#{host}:#{port}?cert=#{opts[:cert]}&key=#{opts[:key]}&#{keystore_additions}&verify_mode=#{verify}&no_tlsv1=#{no_tlsv1}&no_tlsv1_1=#{no_tlsv1_1}#{ca_additions}"
       else
-        bind "ssl://#{host}:#{port}?cert=#{opts[:cert]}&key=#{opts[:key]}&verify_mode=#{verify}&no_tlsv1=#{no_tlsv1}"
+        ssl_cipher_filter = "&ssl_cipher_filter=#{opts[:ssl_cipher_filter]}" if opts[:ssl_cipher_filter]
+        bind "ssl://#{host}:#{port}?cert=#{opts[:cert]}&key=#{opts[:key]}#{ssl_cipher_filter}&verify_mode=#{verify}&no_tlsv1=#{no_tlsv1}&no_tlsv1_1=#{no_tlsv1_1}#{ca_additions}"
       end
     end
 
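Review bot: `ca_additions` is built only when `verify` is the string `'peer'` or `'force_peer'`, so `verify_mode: :peer` given as a symbol still interpolates to `verify_mode=peer` but drops the `ca` parameter. Normalising with `verify = opts.fetch(:verify_mode, 'none').to_s` avoids that. A missing `opts[:ca]` currently yields an empty `&ca=` rather than an error. Separately, all values (paths, keystore password, cipher filter) go into the query string unescaped, so a `&`, `=` or `#` inside one of them changes how the string is parsed. Escaping them is only safe if the binder decodes the query, which is not visible here.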
@@ -366,6 +390,21 @@ module Puma
 
     alias_method :after_worker_boot, :after_worker_fork
 
+    # Code to run out-of-band when the worker is idle.
+    # These hooks run immediately after a request has finished
+    # processing and there are no busy threads on the worker.
+    # The worker doesn't accept new requests until this code finishes.
+    #
+    # This hook is useful for running out-of-band garbage collection
+    # or scheduling asynchronous tasks to execute after a response.
+    #
+    # This can be called multiple times to add hooks.
+    #
+    def out_of_band(&block)
+      @options[:out_of_band] ||= []
+      @options[:out_of_band] << block
+    end
+
     # The directory to operate out of.
     def directory(dir)
       @options[:directory] = dir.to_s
@@ -415,6 +454,16 @@ module Puma
       @options[:prune_bundler] = answer
     end
 
+    # In environments where SIGTERM is something expected, instructing
+    # puma to shutdown gracefully ( for example in Kubernetes, where
+    # rolling restart is guaranteed usually on infrastructure level )
+    # SignalException should not be raised for SIGTERM
+    #
+    # When set to false, if puma process receives SIGTERM, it won't raise SignalException
+    def raise_exception_on_sigterm(answer=true)
+      @options[:raise_exception_on_sigterm] = answer
+    end
+
     # Additional text to display in process listing
     def tag(string)
       @options[:tag] = string.to_s
@@ -425,7 +474,14 @@ module Puma
     # that have not checked in within the given +timeout+.
     # This mitigates hung processes. Default value is 60 seconds.
     def worker_timeout(timeout)
-      @options[:worker_timeout] = Integer(timeout)
+      timeout = Integer(timeout)
+      min = Const::WORKER_CHECK_INTERVAL
+
+      if timeout <= min
+        raise "The minimum worker_timeout must be greater than the worker reporting interval (#{min})"
+      end
+
+      @options[:worker_timeout] = timeout
     end
 
     # *Cluster mode only* Set the timeout for workers to boot
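Review bot: The comment above `worker_timeout` still mentions only the 60-second default, so the new lower bound is discoverable only by hitting the raise; add `# The value must be greater than Const::WORKER_CHECK_INTERVAL.` to that comment. The bare `raise "..."` produces a RuntimeError, whereas the `Integer(timeout)` conversion just above it fails with ArgumentError or TypeError. Raising `ArgumentError` for the range check as well would let callers handle both kinds of invalid input the same way.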
@@ -494,7 +550,7 @@ module Puma
       when Hash
         if hdr = val[:header]
           @options[:remote_address] = :header
-          @options[:remote_address_header] = "HTTP_" + hdr.upcase.gsub("-", "_")
+          @options[:remote_address_header] = "HTTP_" + hdr.upcase.tr("-", "_")
         else
           raise "Invalid value for set_remote_address - #{val.inspect}"
         end
-- 
2.26.2
