Add :ssl_min_version and :ssl_max_version options

Replace :ssl_version option with these two new options. These provide access to OpenSSL::SSL::SSLContext#{min,max}_version=, which is the recommended way to specify SSL/TLS protocol versions.
2022-10-08 01:54:35 +09:00 · 2022-10-08 01:54:35 +09:00 · 4e29ca0c40
parent ced1d17280
commit 4e29ca0c40
2 changed files with 37 additions and 23 deletions
--- a/lib/open-uri.rb
+++ b/lib/open-uri.rb
@ -99,7 +99,8 @@ module OpenURI
    :open_timeout => true,
    :ssl_ca_cert => nil,
    :ssl_verify_mode => nil,
-    :ssl_version => nil,
+    :ssl_min_version => nil,
+    :ssl_max_version => nil,
    :ftp_active_mode => false,
    :redirect => true,
    :encoding => nil,
@ -299,8 +300,8 @@ module OpenURI
      require 'net/https'
      http.use_ssl = true
      http.verify_mode = options[:ssl_verify_mode] || OpenSSL::SSL::VERIFY_PEER
-      http.ssl_version = options[:ssl_version] if options[:ssl_version] &&
-                                    OpenSSL::SSL::SSLContext::METHODS.include?(options[:ssl_version])
+      http.min_version = options[:ssl_min_version]
+      http.max_version = options[:ssl_max_version]
      store = OpenSSL::X509::Store.new
      if options[:ssl_ca_cert]
        Array(options[:ssl_ca_cert]).each do |cert|
@ -702,6 +703,20 @@ module OpenURI
    #
    #  :ssl_verify_mode is used to specify openssl verify mode.
    #
+    # [:ssl_min_version]
+    #  Synopsis:
+    #    :ssl_min_version=>:TLS1_2
+    #
+    #  :ssl_min_version option specifies the minimum allowed SSL/TLS protocol
+    #  version.  See also OpenSSL::SSL::SSLContext#min_version=.
+    #
+    # [:ssl_max_version]
+    #  Synopsis:
+    #    :ssl_max_version=>:TLS1_2
+    #
+    #  :ssl_max_version option specifies the maximum allowed SSL/TLS protocol
+    #  version.  See also OpenSSL::SSL::SSLContext#max_version=.
+    #
    # [:ftp_active_mode]
    #  Synopsis:
    #    :ftp_active_mode=>bool
--- a/test/open-uri/test_ssl.rb
+++ b/test/open-uri/test_ssl.rb
@ -92,26 +92,6 @@ class TestOpenURISSL
    }
  end

-  def test_validation_ssl_version
-    with_https {|srv, dr, url|
-      setup_validation(srv, dr)
-      URI.open("#{url}/data", :ssl_verify_mode => OpenSSL::SSL::VERIFY_NONE, :ssl_version => :TLSv1_2) {|f|
-        assert_equal("200", f.status[0])
-        assert_equal("ddd", f.read)
-      }
-    }
-  end
-
-  def test_validate_bad_ssl_version_silently
-    with_https {|srv, dr, url|
-      setup_validation(srv, dr)
-      URI.open("#{url}/data", :ssl_verify_mode => OpenSSL::SSL::VERIFY_NONE, :ssl_version => :TLS_no_such_version) {|f|
-        assert_equal("200", f.status[0])
-        assert_equal("ddd", f.read)
-      }
-    }
-  end
-
  def test_validation_failure
    unless /mswin|mingw/ =~ RUBY_PLATFORM
      # on Windows, Errno::ECONNRESET will be raised, and it'll be eaten by
@ -127,6 +107,25 @@ class TestOpenURISSL
    }
  end

+  def test_ssl_min_version
+    with_https {|srv, dr, url|
+      setup_validation(srv, dr)
+      URI.open("#{url}/data", :ssl_verify_mode => OpenSSL::SSL::VERIFY_NONE, :ssl_min_version => :TLS1_2) {|f|
+        assert_equal("200", f.status[0])
+        assert_equal("ddd", f.read)
+      }
+    }
+  end
+
+  def test_bad_ssl_version
+    with_https(nil) {|srv, dr, url|
+      setup_validation(srv, dr)
+      assert_raise(ArgumentError) {
+        URI.open("#{url}/data", :ssl_verify_mode => OpenSSL::SSL::VERIFY_NONE, :ssl_min_version => :TLS_no_such_version) {}
+      }
+    }
+  end
+
  def with_https_proxy(proxy_log_tester=lambda {|proxy_log, proxy_access_log| assert_equal([], proxy_log) })
    proxy_log = []
    proxy_logger = WEBrick::Log.new(proxy_log, WEBrick::BasicLog::WARN)