Add support for specifying ssl ciphers via :binds parameters

2022-11-09 13:48:40 -05:00 · 2017-11-25 00:14:23 +09:00 · 2017-11-25 00:14:23 +09:00 · c2f6803d00
commit c2f6803d00
parent e47e8ea040
4 changed files with 20 additions and 1 deletions
--- a/ext/puma_http11/mini_ssl.c
+++ b/ext/puma_http11/mini_ssl.c
@ -161,6 +161,9 @@ VALUE engine_init_server(VALUE self, VALUE mini_ssl_ctx) {
  ID sym_verify_mode = rb_intern("verify_mode");
  VALUE verify_mode = rb_funcall(mini_ssl_ctx, sym_verify_mode, 0);

+  ID sym_ssl_cipher_filter = rb_intern("ssl_cipher_filter");
+  VALUE ssl_cipher_filter = rb_funcall(mini_ssl_ctx, sym_ssl_cipher_filter, 0);
+
  ctx = SSL_CTX_new(SSLv23_server_method());
  conn->ctx = ctx;

@ -175,7 +178,13 @@ VALUE engine_init_server(VALUE self, VALUE mini_ssl_ctx) {
  SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_SINGLE_DH_USE | SSL_OP_SINGLE_ECDH_USE | SSL_OP_NO_COMPRESSION);
  SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);

-  SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL@STRENGTH");
+  if (!NIL_P(ssl_cipher_filter)) {
+    StringValue(ssl_cipher_filter);
+    SSL_CTX_set_cipher_list(ctx, RSTRING_PTR(ssl_cipher_filter));
+  }
+  else {
+    SSL_CTX_set_cipher_list(ctx, "HIGH:!aNULL@STRENGTH");
+  }

  DH *dh = get_dh1024();
  SSL_CTX_set_tmp_dh(ctx, dh);
--- a/ext/puma_http11/org/jruby/puma/MiniSSL.java
+++ b/ext/puma_http11/org/jruby/puma/MiniSSL.java
@ -170,6 +170,12 @@ public class MiniSSL extends RubyObject {
        engine.setNeedClientAuth(true);
    }

+    IRubyObject sslCipherListObject = miniSSLContext.callMethod(threadContext, "ssl_cipher_list");
+    if (!sslCipherListObject.isNil()) {
+      String[] sslCipherList = sslCipherListObject.convertToString().asJavaString().split(",");
+      engine.setEnabledCipherSuites(sslCipherList);
+    }
+
    SSLSession session = engine.getSession();
    inboundNetData = new MiniSSLBuffer(session.getPacketBufferSize());
    outboundAppData = new MiniSSLBuffer(session.getApplicationBufferSize());
--- a/lib/puma/binder.rb
+++ b/lib/puma/binder.rb
@ -162,6 +162,7 @@ module Puma
            end

            ctx.keystore_pass = params['keystore-pass']
+            ctx.ssl_cipher_list = params['ssl_cipher_list'] if params['ssl_cipher_list']
          else
            unless params['key']
              @events.error "Please specify the SSL key via 'key='"
@ -182,6 +183,7 @@ module Puma
            end

            ctx.ca = params['ca'] if params['ca']
+            ctx.ssl_cipher_filter = params['ssl_cipher_filter'] if params['ssl_cipher_filter']
          end

          if params['verify_mode']
--- a/lib/puma/minissl.rb
+++ b/lib/puma/minissl.rb
@ -172,6 +172,7 @@ module Puma
        # jruby-specific Context properties: java uses a keystore and password pair rather than a cert/key pair
        attr_reader :keystore
        attr_accessor :keystore_pass
+        attr_accessor :ssl_cipher_list

        def keystore=(keystore)
          raise ArgumentError, "No such keystore file '#{keystore}'" unless File.exist? keystore
@ -187,6 +188,7 @@ module Puma
        attr_reader :key
        attr_reader :cert
        attr_reader :ca
+        attr_accessor :ssl_cipher_filter

        def key=(key)
          raise ArgumentError, "No such key file '#{key}'" unless File.exist? key