diff options
author | aeris <aeris@imirhil.fr> | 2017-10-29 15:25:33 +0100 |
---|---|---|
committer | aeris <aeris@imirhil.fr> | 2017-11-03 19:00:20 +0100 |
commit | 7c4028a6ceb864df6392881b2e4a21b3200b0b77 (patch) | |
tree | 356ad0baa5bdd4ad85c39887dfd4ff9e28b1a264 /ext/openssl/ossl_ssl.c | |
parent | d834e8614b9847c442c4ccd2cd7db322aa25a0d1 (diff) | |
download | ruby-openssl-7c4028a6ceb864df6392881b2e4a21b3200b0b77.tar.gz |
TLS Fallback Signaling Cipher Suite Value
Support for fallback SCSV [RFC 7507](https://tools.ietf.org/html/rfc7507).
Expected behaviour is to refuse connection if the client signals a protocol with
the fallback flag but the server supports a better one (downgrade attack detection).
Diffstat (limited to 'ext/openssl/ossl_ssl.c')
-rw-r--r-- | ext/openssl/ossl_ssl.c | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/ext/openssl/ossl_ssl.c b/ext/openssl/ossl_ssl.c index 59723dc6..8e3c0c42 100644 --- a/ext/openssl/ossl_ssl.c +++ b/ext/openssl/ossl_ssl.c @@ -1193,6 +1193,26 @@ ossl_sslctx_set_security_level(VALUE self, VALUE value) return value; } +#ifdef SSL_MODE_SEND_FALLBACK_SCSV +/* + * call-seq: + * ctx.enable_fallback_scsv() => nil + * + * Activate TLS_FALLBACK_SCSV for this context. + * See RFC 7507. + */ +static VALUE +ossl_sslctx_enable_fallback_scsv(VALUE self) +{ + SSL_CTX *ctx; + + GetSSLCTX(self, ctx); + SSL_CTX_set_mode(ctx, SSL_MODE_SEND_FALLBACK_SCSV); + + return Qnil; +} +#endif + /* * call-seq: * ctx.session_add(session) -> true | false @@ -2558,6 +2578,9 @@ Init_ossl_ssl(void) rb_define_method(cSSLContext, "ecdh_curves=", ossl_sslctx_set_ecdh_curves, 1); rb_define_method(cSSLContext, "security_level", ossl_sslctx_get_security_level, 0); rb_define_method(cSSLContext, "security_level=", ossl_sslctx_set_security_level, 1); +#ifdef SSL_MODE_SEND_FALLBACK_SCSV + rb_define_method(cSSLContext, "enable_fallback_scsv", ossl_sslctx_enable_fallback_scsv, 0); +#endif rb_define_method(cSSLContext, "setup", ossl_sslctx_setup, 0); rb_define_alias(cSSLContext, "freeze", "setup"); |