diff options
| author | Kazuki Yamaguchi <k@rhe.jp> | 2017-08-28 22:20:51 +0900 |
|---|---|---|
| committer | Kazuki Yamaguchi <k@rhe.jp> | 2017-09-03 11:22:54 +0900 |
| commit | 5653599e150bd92d8631858fe6e0def1f9a3c33d (patch) | |
| tree | a257929b8e5e099f6a9fcd02790d76e065a26597 /lib | |
| parent | 18603949d3161e109803b7c379936c3a487ef8d0 (diff) | |
| download | ruby-openssl-5653599e150bd92d8631858fe6e0def1f9a3c33d.tar.gz | |
ssl: rework SSLContext#ssl_version=
Reimplement SSLContext#ssl_version= as a wrapper around
SSLContext#min_version= and #max_version=.
SSLContext#ssl_version= used to call SSL_CTX_set_ssl_version() which
replaces the SSL method used for the connections created from the SSL
context. This is mainly used for forcing a specific SSL/TLS protocol
version.
As of OpenSSL 1.1.0, however, use of the version-specific SSL methods
such as TLSv1_method() is deprecated. Follow the current recommendation
-- to use the generic SSL method always and to control the supported
version range by SSL_CTX_set_{min,max}_proto_version(). Actually, we
have already started doing a similar thing when the extension is
compiled with OpenSSL 1.1.0.
OpenSSL::SSL::SSLContext::METHODS, which contained the possible names of
SSL methods, is not useful anymore. It is now deprecate_constant-ed.
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/openssl/ssl.rb | 45 |
1 files changed, 45 insertions, 0 deletions
diff --git a/lib/openssl/ssl.rb b/lib/openssl/ssl.rb index 04238a4e..a628648e 100644 --- a/lib/openssl/ssl.rb +++ b/lib/openssl/ssl.rb @@ -181,6 +181,51 @@ YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3 set_minmax_proto_version(@min_proto_version ||= nil, version) @max_proto_version = version end + + # call-seq: + # ctx.ssl_version = :TLSv1 + # ctx.ssl_version = "SSLv23" + # + # Sets the SSL/TLS protocol version for the context. This forces + # connections to use only the specified protocol version. This is + # deprecated and only provided for backwards compatibility. Use + # #min_version= and #max_version= instead. + # + # === History + # As the name hints, this used to call the SSL_CTX_set_ssl_version() + # function which sets the SSL method used for connections created from + # the context. As of Ruby/OpenSSL 2.1, this accessor method is + # implemented to call #min_version= and #max_version= instead. + def ssl_version=(meth) + meth = meth.to_s if meth.is_a?(Symbol) + if /(?<type>_client|_server)\z/ =~ meth + meth = $` + if $VERBOSE + warn "#{caller(1)[0]}: method type #{type.inspect} is ignored" + end + end + version = METHODS_MAP[meth.intern] or + raise ArgumentError, "unknown SSL method `%s'" % meth + set_minmax_proto_version(version, version) + @min_proto_version = @max_proto_version = version + end + + METHODS_MAP = { + SSLv23: 0, + SSLv2: OpenSSL::SSL::SSL2_VERSION, + SSLv3: OpenSSL::SSL::SSL3_VERSION, + TLSv1: OpenSSL::SSL::TLS1_VERSION, + TLSv1_1: OpenSSL::SSL::TLS1_1_VERSION, + TLSv1_2: OpenSSL::SSL::TLS1_2_VERSION, + }.freeze + private_constant :METHODS_MAP + + # The list of available SSL/TLS methods. This constant is only provided + # for backwards compatibility. + METHODS = METHODS_MAP.flat_map { |name,| + [name, :"#{name}_client", :"#{name}_server"] + }.freeze + deprecate_constant :METHODS end module SocketForwarder |