add no_tlsv1_1 to binder, config, etc

2022-11-09 13:48:40 -05:00 · 2019-08-03 14:56:30 -05:00 · 2019-08-03 14:56:30 -05:00 · 35dbec0eaa
commit 35dbec0eaa
parent a119661736
5 changed files with 23 additions and 4 deletions
--- a/ext/puma_http11/org/jruby/puma/MiniSSL.java
+++ b/ext/puma_http11/org/jruby/puma/MiniSSL.java
@ -166,6 +166,10 @@ public class MiniSSL extends RubyObject {
        protocols = new String[] { "TLSv1", "TLSv1.1", "TLSv1.2" };
    }

+    if(miniSSLContext.callMethod(threadContext, "no_tlsv1_1").isTrue()) {
+        protocols = new String[] { "TLSv1.2" };
+    }
+
    engine.setEnabledProtocols(protocols);
    engine.setUseClientMode(false);

--- a/lib/puma/binder.rb
+++ b/lib/puma/binder.rb
@ -195,6 +195,7 @@ module Puma
          end

          ctx.no_tlsv1 = true if params['no_tlsv1'] == 'true'
+          ctx.no_tlsv1_1 = true if params['no_tlsv1_1'] == 'true'

          if params['verify_mode']
            ctx.verify_mode = case params['verify_mode']
--- a/lib/puma/dsl.rb
+++ b/lib/puma/dsl.rb
@ -307,14 +307,15 @@ module Puma
    def ssl_bind(host, port, opts)
      verify = opts.fetch(:verify_mode, 'none')
      no_tlsv1 = opts.fetch(:no_tlsv1, 'false')
+      no_tlsv1_1 = opts.fetch(:no_tlsv1_1, 'false')
      ca_additions = "&ca=#{opts[:ca]}" if ['peer', 'force_peer'].include?(verify)

      if defined?(JRUBY_VERSION)
        keystore_additions = "keystore=#{opts[:keystore]}&keystore-pass=#{opts[:keystore_pass]}"
-        bind "ssl://#{host}:#{port}?cert=#{opts[:cert]}&key=#{opts[:key]}&#{keystore_additions}&verify_mode=#{verify}&no_tlsv1=#{no_tlsv1}#{ca_additions}"
+        bind "ssl://#{host}:#{port}?cert=#{opts[:cert]}&key=#{opts[:key]}&#{keystore_additions}&verify_mode=#{verify}&no_tlsv1=#{no_tlsv1}&no_tlsv1_1=#{no_tlsv1_1}#{ca_additions}"
      else
        ssl_cipher_filter = "&ssl_cipher_filter=#{opts[:ssl_cipher_filter]}" if opts[:ssl_cipher_filter]
-        bind "ssl://#{host}:#{port}?cert=#{opts[:cert]}&key=#{opts[:key]}#{ssl_cipher_filter}&verify_mode=#{verify}&no_tlsv1=#{no_tlsv1}#{ca_additions}"
+        bind "ssl://#{host}:#{port}?cert=#{opts[:cert]}&key=#{opts[:key]}#{ssl_cipher_filter}&verify_mode=#{verify}&no_tlsv1=#{no_tlsv1}&no_tlsv1_1=#{no_tlsv1_1}#{ca_additions}"
      end
    end

--- a/test/test_binder.rb
+++ b/test/test_binder.rb
@ -77,9 +77,22 @@ class TestBinderMRI < TestBinderBase
    refute ssl_context_for_binder(@binder).no_tlsv1
  end

-  def test_binder_parses_tlsv1_unspecified_defaults_to_enabled
+  def test_binder_parses_tlsv1_tlsv1_1_unspecified_defaults_to_enabled
    @binder.parse(["ssl://0.0.0.0?key=#{@key}&cert=#{@cert}"], @events)

    refute ssl_context_for_binder(@binder).no_tlsv1
+    refute ssl_context_for_binder(@binder).no_tlsv1_1
+  end
+
+  def test_binder_parses_tlsv1_1_disabled
+    @binder.parse(["ssl://0.0.0.0?key=#{@key}&cert=#{@cert}&no_tlsv1_1=true"], @events)
+
+    assert ssl_context_for_binder(@binder).no_tlsv1_1
+  end
+
+  def test_binder_parses_tlsv1_1_enabled
+    @binder.parse(["ssl://0.0.0.0?key=#{@key}&cert=#{@cert}&no_tlsv1_1=false"], @events)
+
+    refute ssl_context_for_binder(@binder).no_tlsv1_1
  end
 end
--- a/test/test_config.rb
+++ b/test/test_config.rb
@ -75,7 +75,7 @@ class TestConfigFile < TestConfigFileBase

    conf.load

-    ssl_binding = "ssl://0.0.0.0:9292?cert=/path/to/cert&key=/path/to/key&verify_mode=the_verify_mode&no_tlsv1=false"
+    ssl_binding = "ssl://0.0.0.0:9292?cert=/path/to/cert&key=/path/to/key&verify_mode=the_verify_mode&no_tlsv1=false&no_tlsv1_1=false"
    assert_equal [ssl_binding], conf.options[:binds]
  end