ruby-changes:40001
From: zzak <ko1@a...>
Date: Thu, 8 Oct 2015 14:26:56 +0900 (JST)
Subject: [ruby-changes:40001] zzak:r52082 (trunk): * ext/openssl/lib/openssl/ssl.rb: Default to TLSv1.2 and drop TLS v1
zzak 2015-10-08 14:26:44 +0900 (Thu, 08 Oct 2015) New Revision: 52082 http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=52082 Log: * ext/openssl/lib/openssl/ssl.rb: Default to TLSv1.2 and drop TLS v1 Patch provided by @claudijd [Fixes GH-873] [Feature #11524]: https://github.com/ruby/ruby/pull/873 Modified files: trunk/ChangeLog trunk/NEWS trunk/ext/openssl/lib/openssl/ssl.rb Index: ChangeLog =================================================================== --- ChangeLog (revision 52081) +++ ChangeLog (revision 52082) @@ -1,3 +1,9 @@ https://github.com/ruby/ruby/blob/trunk/ChangeLog#L1 +Thu Oct 8 14:10:45 2015 Zachary Scott <zzak@r...> + + * ext/openssl/lib/openssl/ssl.rb: Default to TLSv1.2 and drop TLS v1 + Patch provided by @claudijd [Fixes GH-873] [Feature #11524]: + https://github.com/ruby/ruby/pull/873 + Wed Oct 7 22:55:02 2015 Nobuyoshi Nakada <nobu@r...> * test/minitest/metametameta.rb (with_output): restore output to Index: ext/openssl/lib/openssl/ssl.rb =================================================================== --- ext/openssl/lib/openssl/ssl.rb (revision 52081) +++ ext/openssl/lib/openssl/ssl.rb (revision 52082) @@ -16,7 +16,7 @@ module OpenSSL https://github.com/ruby/ruby/blob/trunk/ext/openssl/lib/openssl/ssl.rb#L16 module SSL class SSLContext DEFAULT_PARAMS = { - :ssl_version => "SSLv23", + :ssl_version => "TLSv1_2", :verify_mode => OpenSSL::SSL::VERIFY_PEER, :ciphers => %w{ ECDHE-ECDSA-AES128-GCM-SHA256 @@ -59,6 +59,7 @@ module OpenSSL https://github.com/ruby/ruby/blob/trunk/ext/openssl/lib/openssl/ssl.rb#L59 opts |= OpenSSL::SSL::OP_NO_COMPRESSION if defined?(OpenSSL::SSL::OP_NO_COMPRESSION) opts |= OpenSSL::SSL::OP_NO_SSLv2 if defined?(OpenSSL::SSL::OP_NO_SSLv2) opts |= OpenSSL::SSL::OP_NO_SSLv3 if defined?(OpenSSL::SSL::OP_NO_SSLv3) + opts |= OpenSSL::SSL::OP_NO_TLSv1 if defined?(OpenSSL::SSL::OP_NO_TLSv1) opts }.call } 
@@ -89,7 +90,7 @@ module OpenSSL https://github.com/ruby/ruby/blob/trunk/ext/openssl/lib/openssl/ssl.rb#L90 attr_accessor :tmp_dh_callback - if ExtConfig::HAVE_TLSEXT_HOST_NAME + if OpenSSL::ExtConfig::HAVE_TLSEXT_HOST_NAME # A callback invoked at connect time to distinguish between multiple # server names. # @@ -249,10 +250,10 @@ module OpenSSL https://github.com/ruby/ruby/blob/trunk/ext/openssl/lib/openssl/ssl.rb#L250 include Buffering include SocketForwarder - if ExtConfig::OPENSSL_NO_SOCK + if OpenSSL::ExtConfig::OPENSSL_NO_SOCK def initialize(io, ctx = nil); raise NotImplmentedError; end else - if ExtConfig::HAVE_TLSEXT_HOST_NAME + if OpenSSL::ExtConfig::HAVE_TLSEXT_HOST_NAME attr_accessor :hostname end Index: NEWS =================================================================== --- NEWS (revision 52081) +++ NEWS (revision 52082) @@ -129,6 +129,8 @@ with all sufficient information, see the https://github.com/ruby/ruby/blob/trunk/NEWS#L129 * OpenSSL * OpenSSL::SSL::SSLSocket#accept_nonblock and OpenSSL::SSL::SSLSocket#connect_nonblock supports `exception: false`. + * OpenSSL::SSL::SSLContext defaults to TLS v1.2. + Please use `ctx.ssl_version = :TLSv1` or `:SSLv23` at your own risk. * Pathname * Pathname#descend and Pathname#ascend supported blockless form. -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/
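Review bot: in the DEFAULT_PARAMS hunk of ext/openssl/lib/openssl/ssl.rb, changing `:ssl_version => "SSLv23"` to `:ssl_version => "TLSv1_2"` pins the context to a single protocol version, so TLS 1.1 is dropped along with TLS 1.0 and there is no version negotiation at all, while the commit title, ChangeLog and NEWS only say "drop TLS v1". Either state in ChangeLog and NEWS that TLS 1.1 is also disabled, or keep `"SSLv23"` and let the `OP_NO_TLSv1` option added in the same file exclude TLS 1.0 so that TLS 1.1 and 1.2 can still be negotiated.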
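Review bot: the new `opts |= OpenSSL::SSL::OP_NO_TLSv1 if defined?(OpenSSL::SSL::OP_NO_TLSv1)` line is applied through DEFAULT_PARAMS alongside the TLSv1_2 default, so it only matters for callers who override `:ssl_version`; for those callers the NEWS advice `ctx.ssl_version = :TLSv1` conflicts with it, because set_params still puts OP_NO_TLSv1 into ctx.options. Please confirm that a TLSv1 context with OP_NO_TLSv1 set actually completes a handshake, and otherwise document that OP_NO_TLSv1 has to be cleared from `ctx.options` as well.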
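Review bot: the `if ExtConfig::HAVE_TLSEXT_HOST_NAME` to `if OpenSSL::ExtConfig::HAVE_TLSEXT_HOST_NAME` change in the `tmp_dh_callback` hunk is a namespace fix unrelated to the TLS version default and is not mentioned in the ChangeLog entry; add a line for it or land it as a separate commit so the revision log matches the diff.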
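Review bot: the context line `def initialize(io, ctx = nil); raise NotImplmentedError; end` in the `OPENSSL_NO_SOCK` hunk misspells `NotImplementedError`, so the branch raises NameError for an uninitialized constant instead of the intended exception; since these lines are being touched for the `OpenSSL::ExtConfig` qualification anyway, fix the spelling in the same hunk.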
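Review bot: the NEWS entry "OpenSSL::SSL::SSLContext defaults to TLS v1.2. Please use `ctx.ssl_version = :TLSv1` or `:SSLv23` at your own risk." understates the change and is incomplete as migration advice: TLS 1.1 is disabled too, and with the default options from set_params an `:SSLv23` context still negotiates only TLS 1.1 or later because OP_NO_TLSv1 (plus OP_NO_SSLv2 and OP_NO_SSLv3) remains set. Reword it to say which versions are disabled and that re-enabling TLS 1.0 also requires removing OP_NO_TLSv1 from `ctx.options`.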