From 84f1dae9d637a2038d1b395bcc2f22404770d2d7 Mon Sep 17 00:00:00 2001 From: emboss Date: Tue, 18 Dec 2012 02:02:43 +0000 Subject: * ext/openssl/lib/ssl.rb: Enable insertion of empty fragments as a countermeasure for the BEAST attack by default. The default options of OpenSSL::SSL:SSLContext are now: OpenSSL::SSL::OP_ALL & ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS [Bug #5353] [ruby-core:39673] * test/openssl/test_ssl.rb: Adapt tests to new SSLContext default. * NEWS: Announce the new default. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@38433 b2dd03c8-39d4-4d8f-98ff-823fe69b080e --- ext/openssl/lib/openssl/ssl.rb | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) (limited to 'ext/openssl/lib')
diff --git a/ext/openssl/lib/openssl/ssl.rb b/ext/openssl/lib/openssl/ssl.rb
index 268e8e9d67..bc3b781e64 100644
--- a/ext/openssl/lib/openssl/ssl.rb
+++ b/ext/openssl/lib/openssl/ssl.rb
@@ -24,7 +24,9 @@ module OpenSSL
 :ssl_version => "SSLv23",
 :verify_mode => OpenSSL::SSL::VERIFY_PEER,
 :ciphers => "ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW",
- :options => OpenSSL::SSL::OP_ALL,
+ :options => defined?(OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS) ?
+ OpenSSL::SSL::OP_ALL & ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS :
+ OpenSSL::SSL::OP_ALL,
 }
 
 DEFAULT_CERT_STORE = OpenSSL::X509::Store.new
-- cgit v1.2.3
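Review bot: The three added `:options` lines have no comment saying why one bit is masked out of `OP_ALL`, so a later cleanup could collapse the ternary back to `OpenSSL::SSL::OP_ALL` and silently drop the BEAST countermeasure. I would put a comment directly above the entry, e.g. `# OP_ALL includes OP_DONT_INSERT_EMPTY_FRAGMENTS, which turns off the empty-fragment CBC countermeasure (BEAST); clear that bit where the constant exists.` The new default presumably only protects callers that take `:options` from this hash; code that passes its own `:options => OpenSSL::SSL::OP_ALL` or assigns `ctx.options` directly would still run without the countermeasure, which the NEWS entry and the SSLContext docs should state. The hash literal opens above the hunk, so how these defaults are merged is not visible here.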