ruby-changes:40008
From: sorah <ko1@a...>
Date: Fri, 9 Oct 2015 14:20:59 +0900 (JST)
Subject: [ruby-changes:40008] sorah:r52089 (trunk): * ext/openssl/lib/openssl/ssl.rb: Revert r52082 because it was
sorah 2015-10-09 14:20:50 +0900 (Fri, 09 Oct 2015) New Revision: 52089 http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=revision&revision=52089 Log: * ext/openssl/lib/openssl/ssl.rb: Revert r52082 because it was dropping TLS v1.1 support too. Supporting only TLS v1.2 is too early, because many popular websites still don't support it. For instance, Servers where aws-sdk connects to still don't support TLS v1.2 and it became broken. We should consider more carefully about this. [Fix GH-873] [Feature #11524] Modified files: trunk/ChangeLog trunk/NEWS trunk/ext/openssl/lib/openssl/ssl.rb Index: ChangeLog =================================================================== --- ChangeLog (revision 52088) +++ ChangeLog (revision 52089) @@ -1,3 +1,16 @@ https://github.com/ruby/ruby/blob/trunk/ChangeLog#L1 +Fri Oct 9 14:12:35 2015 Shota Fukumori (sora_h) <her@s...> + + * ext/openssl/lib/openssl/ssl.rb: Revert r52082 because it was + dropping TLS v1.1 support too. Supporting only TLS v1.2 is too + early, because many popular websites still don't support it. + + For instance, Servers where aws-sdk connects to still don't support + TLS v1.2 and it became broken. + + We should consider more carefully about this. + + [Fix GH-873] [Feature #11524] + Fri Oct 9 12:52:08 2015 Shugo Maeda <shugo@r...> * compile.c (iseq_compile_each): Dynamic string literals (e.g., Index: ext/openssl/lib/openssl/ssl.rb =================================================================== --- ext/openssl/lib/openssl/ssl.rb (revision 52088) +++ ext/openssl/lib/openssl/ssl.rb (revision 52089) @@ -16,7 +16,7 @@ module OpenSSL https://github.com/ruby/ruby/blob/trunk/ext/openssl/lib/openssl/ssl.rb#L16 module SSL class SSLContext DEFAULT_PARAMS = { - :ssl_version => "TLSv1_2", + :ssl_version => "SSLv23", :verify_mode => OpenSSL::SSL::VERIFY_PEER, :ciphers => %w{ ECDHE-ECDSA-AES128-GCM-SHA256 @@ -59,7 +59,6 @@ module OpenSSL https://github.com/ruby/ruby/blob/trunk/ext/openssl/lib/openssl/ssl.rb#L59 opts |= OpenSSL::SSL::OP_NO_COMPRESSION if defined?(OpenSSL::SSL::OP_NO_COMPRESSION) opts |= OpenSSL::SSL::OP_NO_SSLv2 if defined?(OpenSSL::SSL::OP_NO_SSLv2) opts |= OpenSSL::SSL::OP_NO_SSLv3 if defined?(OpenSSL::SSL::OP_NO_SSLv3) - opts |= OpenSSL::SSL::OP_NO_TLSv1 if defined?(OpenSSL::SSL::OP_NO_TLSv1) opts }.call } @@ -90,7 +89,7 @@ module OpenSSL https://github.com/ruby/ruby/blob/trunk/ext/openssl/lib/openssl/ssl.rb#L89 attr_accessor :tmp_dh_callback - if OpenSSL::ExtConfig::HAVE_TLSEXT_HOST_NAME + if ExtConfig::HAVE_TLSEXT_HOST_NAME # A callback invoked at connect time to distinguish between multiple # server names. # @@ -250,10 +249,10 @@ module OpenSSL https://github.com/ruby/ruby/blob/trunk/ext/openssl/lib/openssl/ssl.rb#L249 include Buffering include SocketForwarder - if OpenSSL::ExtConfig::OPENSSL_NO_SOCK + if ExtConfig::OPENSSL_NO_SOCK def initialize(io, ctx = nil); raise NotImplmentedError; end else - if OpenSSL::ExtConfig::HAVE_TLSEXT_HOST_NAME + if ExtConfig::HAVE_TLSEXT_HOST_NAME attr_accessor :hostname end Index: NEWS =================================================================== --- NEWS (revision 52088) +++ NEWS (revision 52089) @@ -129,8 +129,6 @@ with all sufficient information, see the https://github.com/ruby/ruby/blob/trunk/NEWS#L129 * OpenSSL * OpenSSL::SSL::SSLSocket#accept_nonblock and OpenSSL::SSL::SSLSocket#connect_nonblock supports `exception: false`. - * OpenSSL::SSL::SSLContext defaults to TLS v1.2. - Please use `ctx.ssl_version = :TLSv1` or `:SSLv23` at your own risk. * Pathname * Pathname#descend and Pathname#ascend supported blockless form. -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/