diff --git a/lib/restclient/request.rb b/lib/restclient/request.rb index 67b69e2..144c3fe 100644 --- a/lib/restclient/request.rb +++ b/lib/restclient/request.rb @@ -52,67 +52,6 @@ module RestClient new(args).execute(& block) end - # This is similar to the list now in ruby core, but adds HIGH for better - # compatibility (similar to Firefox) and moves AES-GCM cipher suites above - # DHE/ECDHE CBC suites (similar to Chromium). - # https://github.com/ruby/ruby/commit/699b209cf8cf11809620e12985ad33ae33b119ee - # - # This list will be used by default if the Ruby global OpenSSL default - # ciphers appear to be a weak list. - # - # TODO: either remove this code or always use it, since Ruby uses a decent - # cipher list in versions >= 2.0. - # - DefaultCiphers = %w{ - !aNULL - !eNULL - !EXPORT - !SSLV2 - !LOW - - ECDHE-ECDSA-AES128-GCM-SHA256 - ECDHE-RSA-AES128-GCM-SHA256 - ECDHE-ECDSA-AES256-GCM-SHA384 - ECDHE-RSA-AES256-GCM-SHA384 - DHE-RSA-AES128-GCM-SHA256 - DHE-DSS-AES128-GCM-SHA256 - DHE-RSA-AES256-GCM-SHA384 - DHE-DSS-AES256-GCM-SHA384 - AES128-GCM-SHA256 - AES256-GCM-SHA384 - ECDHE-ECDSA-AES128-SHA256 - ECDHE-RSA-AES128-SHA256 - ECDHE-ECDSA-AES128-SHA - ECDHE-RSA-AES128-SHA - ECDHE-ECDSA-AES256-SHA384 - ECDHE-RSA-AES256-SHA384 - ECDHE-ECDSA-AES256-SHA - ECDHE-RSA-AES256-SHA - DHE-RSA-AES128-SHA256 - DHE-RSA-AES256-SHA256 - DHE-RSA-AES128-SHA - DHE-RSA-AES256-SHA - DHE-DSS-AES128-SHA256 - DHE-DSS-AES256-SHA256 - DHE-DSS-AES128-SHA - DHE-DSS-AES256-SHA - AES128-SHA256 - AES256-SHA256 - AES128-SHA - AES256-SHA - ECDHE-ECDSA-RC4-SHA - ECDHE-RSA-RC4-SHA - RC4-SHA - - HIGH - +RC4 - }.join(":") - - # A set of weak default ciphers that we will override by default. - WeakDefaultCiphers = Set.new([ - "ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW", - ]) - SSLOptionList = %w{client_cert client_key ca_file ca_path cert_store version ciphers verify_callback verify_callback_warnings} @@ -190,15 +129,6 @@ module RestClient if !ssl_ca_file && !ssl_ca_path && !@ssl_opts.include?(:cert_store) @ssl_opts[:cert_store] = self.class.default_ssl_cert_store end - - unless @ssl_opts.include?(:ciphers) - # If we're on a Ruby version that has insecure default ciphers, - # override it with our default list. - if WeakDefaultCiphers.include?( - OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.fetch(:ciphers)) - @ssl_opts[:ciphers] = DefaultCiphers - end - end end @tf = nil # If you are a raw request, this is your tempfile diff --git a/spec/unit/request_spec.rb b/spec/unit/request_spec.rb index d091ae0..fbce5ee 100644 --- a/spec/unit/request_spec.rb +++ b/spec/unit/request_spec.rb @@ -926,56 +926,6 @@ describe RestClient::Request, :include_helpers do @request.send(:transmit, @uri, 'req', 'payload') end - it "should override ssl_ciphers with better defaults with weak default ciphers" do - stub_const( - '::OpenSSL::SSL::SSLContext::DEFAULT_PARAMS', - { - :ssl_version=>"SSLv23", - :verify_mode=>1, - :ciphers=>"ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW", - :options=>-2147480577, - } - ) - - @request = RestClient::Request.new( - :method => :put, - :url => 'https://some/resource', - :payload => 'payload', - ) - - expect(@net).to receive(:ciphers=).with(RestClient::Request::DefaultCiphers) - - allow(@http).to receive(:request) - allow(@request).to receive(:process_result) - allow(@request).to receive(:response_log) - @request.send(:transmit, @uri, 'req', 'payload') - end - - it "should not override ssl_ciphers with better defaults with different default ciphers" do - stub_const( - '::OpenSSL::SSL::SSLContext::DEFAULT_PARAMS', - { - :ssl_version=>"SSLv23", - :verify_mode=>1, - :ciphers=>"HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!MEDIUM:!SSLv2", - :options=>-2147480577, - } - ) - - @request = RestClient::Request.new( - :method => :put, - :url => 'https://some/resource', - :payload => 'payload', - ) - - expect(@net).not_to receive(:ciphers=) - - allow(@http).to receive(:request) - allow(@request).to receive(:process_result) - allow(@request).to receive(:response_log) - @request.send(:transmit, @uri, 'req', 'payload') - end - it "should set the ssl_client_cert if provided" do @request = RestClient::Request.new( :method => :put,