| field | value | date |
|---|---|---|
| author | Kazuki Yamaguchi <k@rhe.jp> | 2017-10-22 05:24:05 +0900 |
| committer | Kazuki Yamaguchi <k@rhe.jp> | 2017-10-22 12:29:28 +0900 |
| commit | 62af0446569ae842de67b636b0bd0bb84ec2c8be (patch) | |
| tree | d8d0ac33db7d91e42a0bb7125df19914136370d1 /lib | |
| parent | d1018a1c5dd37c32b52aca485a2281b892f1d736 (diff) | |
ssl: fix conflict of options in SSLContext#set_params (branch ky/ssl-version-min-max)
Make SSLContext#set_params call #options= first.

SSLContext#set_params by default disables SSL 2.0 and SSL 3.0 by calling
SSLContext#min_version=. After that, it sets the SSL option flags by
calling SSLContext#options=.

This is problematic when built with OpenSSL before 1.1.0 because
SSLContext#min_version= achieves its goal using the SSL_OP_NO_{SSL,TLS}*
options. Since the subsequent SSLContext#options= call replaces the
flags rather than ORing them together, this results in effectively disabling
the min_version setting in SSLContext::DEFAULT_PARAMS.

The issue was first fixed in the Ruby trunk tree, as part of r60310 ("fix
OpenSSL::SSL::SSLContext#min_version doesn't work", 2017-10-21).
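The ordering problem the message describes, as an added example that is not ruby-openssl's own code: a small Ruby model of an SSLContext in which `min_version=` is emulated the pre-1.1.0 way (OR-ing `SSL_OP_NO_*` bits into the option word) while `options=` replaces the whole word. The class name `ModelContext`, the `OP_*` bit values, the version symbols and the two `set_params_*` functions are constructed for illustration; only the ordering logic mirrors the real code.

```ruby
# Added example, not code from ruby-openssl. Models how SSLContext#min_version=
# and SSLContext#options= interact when min_version= is emulated with
# SSL_OP_NO_* flags (OpenSSL < 1.1.0). All constants below are constructed
# placeholders, not OpenSSL's real bit values.
OP_NO_SSLv2   = 1 << 0
OP_NO_SSLv3   = 1 << 1
OP_NO_TLSv1   = 1 << 2
OP_NO_TLSv1_1 = 1 << 3
OP_NO_TLSv1_2 = 1 << 4
OP_ALL        = 1 << 10   # stand-in for the SSL_OP_ALL workaround bits

# Protocol versions from oldest to newest, and the flag that disables each.
VERSION_ORDER = [:SSL2, :SSL3, :TLS1, :TLS1_1, :TLS1_2].freeze
NO_FLAG_FOR = {
  SSL2: OP_NO_SSLv2, SSL3: OP_NO_SSLv3, TLS1: OP_NO_TLSv1,
  TLS1_1: OP_NO_TLSv1_1, TLS1_2: OP_NO_TLSv1_2
}.freeze

class ModelContext
  attr_reader :options

  def initialize
    @options = 0
  end

  # Pre-1.1.0 emulation: disable every version older than +ver+ by OR-ing
  # its SSL_OP_NO_* bit into the option word.
  def min_version=(ver)
    VERSION_ORDER.take_while { |v| v != ver }.each { |v| @options |= NO_FLAG_FOR[v] }
  end

  # Like the real SSLContext#options=, this REPLACES the option word.
  def options=(flags)
    @options = flags
  end

  # Versions still enabled under the current option word.
  def enabled_versions
    VERSION_ORDER.reject { |v| (@options & NO_FLAG_FOR[v]) != 0 }
  end
end

# Hash order matters: min_version comes before options, as in the real
# DEFAULT_PARAMS, so a plain iteration applies options= last.
DEFAULT_PARAMS = { min_version: :TLS1, options: OP_ALL }.freeze

# Ordering before the commit: every setter is applied in hash order, so
# options= overwrites the NO_SSLv2/NO_SSLv3 bits that min_version= just set.
def set_params_buggy(ctx, params = {})
  params = DEFAULT_PARAMS.merge(params)
  params.each { |name, value| ctx.__send__("#{name}=", value) }
  ctx
end

# Ordering after the commit: apply options= first, then the remaining setters,
# so min_version= ORs its bits on top of the caller's option word.
def set_params_fixed(ctx, params = {})
  params = DEFAULT_PARAMS.merge(params)
  ctx.options = params.delete(:options) # set before min_version/max_version
  params.each { |name, value| ctx.__send__("#{name}=", value) }
  ctx
end

if __FILE__ == $0
  puts "buggy: #{set_params_buggy(ModelContext.new).enabled_versions.inspect}"
  puts "fixed: #{set_params_fixed(ModelContext.new).enabled_versions.inspect}"
end
```

Running the two variants on a fresh context shows the difference the commit message describes: the buggy order leaves every version, SSLv2 and SSLv3 included, enabled because the final `options=` replaced the word, while the fixed order ends with `OP_ALL | OP_NO_SSLv2 | OP_NO_SSLv3` and only TLS 1.0 and newer enabled.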
Diffstat (limited to 'lib')

| mode | file | changes |
|---|---|---|
| -rw-r--r-- | lib/openssl/ssl.rb | 1 |

1 files changed, 1 insertions, 0 deletions
diff --git a/lib/openssl/ssl.rb b/lib/openssl/ssl.rb index fb143c94..6a6f2b94 100644 --- a/lib/openssl/ssl.rb +++ b/lib/openssl/ssl.rb @@ -136,6 +136,7 @@ YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3 # used. def set_params(params={}) params = DEFAULT_PARAMS.merge(params) + self.options = params.delete(:options) # set before min_version/max_version params.each{|name, value| self.__send__("#{name}=", value) } if self.verify_mode != OpenSSL::SSL::VERIFY_NONE unless self.ca_file or self.ca_path or self.cert_store |
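Review bot: the new `self.options = params.delete(:options)` line assumes the merged hash always carries `:options`; the hunk does not show DEFAULT_PARAMS, and if that key were ever absent `params.delete(:options)` returns nil and `options=` receives nil. Guarding it as `self.options = params.delete(:options) if params.key?(:options)` keeps the fix while making the dependency explicit. The inline comment "set before min_version/max_version" also states only the ordering, not the reason given in the commit message (on OpenSSL before 1.1.0 those setters are emulated with SSL_OP_NO_* bits that `options=` replaces); carrying that reason into the comment is what stops a later reordering of the `params.each` loop from silently reintroducing the bug, and a regression test that calls set_params and then checks the SSL_OP_NO_SSLv3 bit on a pre-1.1.0 build would catch it mechanically.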