* ext/openssl/lib/openssl/ssl.rb: Default to TLSv1.2 and drop TLS v1

Patch provided by @claudijd [Fixes GH-873] [Feature #11524]: https://github.com/ruby/ruby/pull/873 git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@52082 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
2022-11-09 12:17:21 -05:00 · 2015-10-08 05:26:44 +00:00 · 2015-10-08 05:26:44 +00:00 · 4b395bb4ce
commit 4b395bb4ce
parent 25a8b98e3a
3 changed files with 13 additions and 4 deletions
--- a/6
+++ b/6
@ -1,3 +1,9 @@
+Thu Oct  8 14:10:45 2015  Zachary Scott  <zzak@ruby-lang.org>
+
+	* ext/openssl/lib/openssl/ssl.rb: Default to TLSv1.2 and drop TLS v1
+	  Patch provided by @claudijd [Fixes GH-873] [Feature #11524]:
+	  https://github.com/ruby/ruby/pull/873
+
 Wed Oct  7 22:55:02 2015  Nobuyoshi Nakada  <nobu@ruby-lang.org>

 	* test/minitest/metametameta.rb (with_output): restore output to
--- a/2
+++ b/2
@ -129,6 +129,8 @@ with all sufficient information, see the ChangeLog file.
 * OpenSSL
  * OpenSSL::SSL::SSLSocket#accept_nonblock and
    OpenSSL::SSL::SSLSocket#connect_nonblock supports `exception: false`.
+  * OpenSSL::SSL::SSLContext defaults to TLS v1.2.
+    Please use `ctx.ssl_version = :TLSv1` or `:SSLv23` at your own risk.

 * Pathname
  * Pathname#descend and Pathname#ascend supported blockless form.
--- a/ext/openssl/lib/openssl/ssl.rb
+++ b/ext/openssl/lib/openssl/ssl.rb
@ -16,7 +16,7 @@ module OpenSSL
  module SSL
    class SSLContext
      DEFAULT_PARAMS = {
-        :ssl_version => "SSLv23",
+        :ssl_version => "TLSv1_2",
        :verify_mode => OpenSSL::SSL::VERIFY_PEER,
        :ciphers => %w{
          ECDHE-ECDSA-AES128-GCM-SHA256
@ -59,6 +59,7 @@ module OpenSSL
          opts |= OpenSSL::SSL::OP_NO_COMPRESSION if defined?(OpenSSL::SSL::OP_NO_COMPRESSION)
          opts |= OpenSSL::SSL::OP_NO_SSLv2 if defined?(OpenSSL::SSL::OP_NO_SSLv2)
          opts |= OpenSSL::SSL::OP_NO_SSLv3 if defined?(OpenSSL::SSL::OP_NO_SSLv3)
+          opts |= OpenSSL::SSL::OP_NO_TLSv1 if defined?(OpenSSL::SSL::OP_NO_TLSv1)
          opts
        }.call
      }
@ -89,7 +90,7 @@ module OpenSSL

      attr_accessor :tmp_dh_callback

-      if ExtConfig::HAVE_TLSEXT_HOST_NAME
+      if OpenSSL::ExtConfig::HAVE_TLSEXT_HOST_NAME
        # A callback invoked at connect time to distinguish between multiple
        # server names.
        #
@ -249,10 +250,10 @@ module OpenSSL
      include Buffering
      include SocketForwarder

-      if ExtConfig::OPENSSL_NO_SOCK
+      if OpenSSL::ExtConfig::OPENSSL_NO_SOCK
        def initialize(io, ctx = nil); raise NotImplmentedError; end
      else
-        if ExtConfig::HAVE_TLSEXT_HOST_NAME
+        if OpenSSL::ExtConfig::HAVE_TLSEXT_HOST_NAME
          attr_accessor :hostname
        end