From a504359950f86f96ef2477920b56027f5b7f4fb2 Mon Sep 17 00:00:00 2001
From: Zachary Scott
Date: Thu, 8 Oct 2015 14:08:27 +0900
Subject: Prefer TLS v1.2 to follow "secure defaults" and disable TLS v1.0 and v1.1
See ruby/ruby#873.
---
lib/openssl/ssl.rb | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'lib')
diff --git a/lib/openssl/ssl.rb b/lib/openssl/ssl.rb
index ed19e09a..308152e5 100644
--- a/lib/openssl/ssl.rb
+++ b/lib/openssl/ssl.rb
@@ -16,7 +16,7 @@ module OpenSSL
 module SSL
 class SSLContext
 DEFAULT_PARAMS = {
- :ssl_version => "SSLv23",
+ :ssl_version => "TLSv1_2",
 :verify_mode => OpenSSL::SSL::VERIFY_PEER,
 :ciphers => %w{
 ECDHE-ECDSA-AES128-GCM-SHA256
@@ -59,6 +59,7 @@ module OpenSSL
 opts |= OpenSSL::SSL::OP_NO_COMPRESSION if defined?(OpenSSL::SSL::OP_NO_COMPRESSION)
 opts |= OpenSSL::SSL::OP_NO_SSLv2 if defined?(OpenSSL::SSL::OP_NO_SSLv2)
 opts |= OpenSSL::SSL::OP_NO_SSLv3 if defined?(OpenSSL::SSL::OP_NO_SSLv3)
+ opts |= OpenSSL::SSL::OP_NO_TLSv1 if defined?(OpenSSL::SSL::OP_NO_TLSv1)
 opts
 }.call
 }
-- cgit v1.2.3
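Review bot: `:ssl_version => "TLSv1_2"` in DEFAULT_PARAMS pins the default context to exactly TLS 1.2 rather than setting a minimum, because a version-specific `ssl_version` selects a single protocol method. Callers relying on these defaults could then not negotiate a newer protocol once the linked OpenSSL offers one, and on an OpenSSL build without TLS 1.2 the method name is presumably unknown, so context setup would raise instead of degrading. Keeping `:ssl_version => "SSLv23"` (the negotiate-highest method) and expressing the floor only through the `OP_NO_*` bits in `:options` gives the same lower bound without a ceiling. If the pin is intentional, a comment such as `# fixed to TLS 1.2: no fallback and no upgrade` above the entry would make that explicit. DEFAULT_PARAMS starts before and ends after this hunk.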
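Review bot: The added `OP_NO_TLSv1` line turns off TLS 1.0 only, while the subject line says TLS 1.1 is disabled too; nothing in this lambda sets `OP_NO_TLSv1_1`. With `ssl_version` fixed to TLS 1.2 the gap is hidden, but a caller who overrides `:ssl_version` with `"SSLv23"` presumably still inherits these default options and could negotiate TLS 1.1. Adding `opts |= OpenSSL::SSL::OP_NO_TLSv1_1 if defined?(OpenSSL::SSL::OP_NO_TLSv1_1)` after the new line would match the stated intent. Because every bit is guarded by `defined?`, a build lacking a constant silently leaves that protocol enabled, which deserves a short comment above the guards. The lambda that builds `opts` begins outside the hunk.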