ruby-changes:73955
From: Kazuki <ko1@a...>
Date: Wed, 12 Oct 2022 10:37:07 +0900 (JST)
Subject: [ruby-changes:73955] 4e29ca0c40 (master): Add :ssl_min_version and :ssl_max_version options
https://git.ruby-lang.org/ruby.git/commit/?id=4e29ca0c40
From 4e29ca0c4093133838eda852879b23ed4fad56b5 Mon Sep 17 00:00:00 2001
From: Kazuki Yamaguchi <k@r...>
Date: Sat, 8 Oct 2022 01:54:35 +0900
Subject: Add :ssl_min_version and :ssl_max_version options
Replace :ssl_version option with these two new options. These provide access to OpenSSL::SSL::SSLContext#{min,max}_version=, which is the recommended way to specify SSL/TLS protocol versions.
---
 lib/open-uri.rb | 21 ++++++++++++++++++---
 test/open-uri/test_ssl.rb | 37 ++++++++++++++++++-------------------
 2 files changed, 36 insertions(+), 22 deletions(-)
diff --git a/lib/open-uri.rb b/lib/open-uri.rb
index 2f73710392..93e8cfcdb7 100644
--- a/lib/open-uri.rb
+++ b/lib/open-uri.rb
@@ -99,7 +99,8 @@ module OpenURI https://github.com/ruby/ruby/blob/trunk/lib/open-uri.rb#L99
 :open_timeout => true,
 :ssl_ca_cert => nil,
 :ssl_verify_mode => nil,
- :ssl_version => nil,
+ :ssl_min_version => nil,
+ :ssl_max_version => nil,
 :ftp_active_mode => false,
 :redirect => true,
 :encoding => nil,
@@ -299,8 +300,8 @@ module OpenURI https://github.com/ruby/ruby/blob/trunk/lib/open-uri.rb#L300
 require 'net/https'
 http.use_ssl = true
 http.verify_mode = options[:ssl_verify_mode] || OpenSSL::SSL::VERIFY_PEER
- http.ssl_version = options[:ssl_version] if options[:ssl_version] &&
- OpenSSL::SSL::SSLContext::METHODS.include?(options[:ssl_version])
+ http.min_version = options[:ssl_min_version]
+ http.max_version = options[:ssl_max_version]
 store = OpenSSL::X509::Store.new
 if options[:ssl_ca_cert]
 Array(options[:ssl_ca_cert]).each do |cert|
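Review bot: The two assignments added in the -299 hunk hand the option values to Net::HTTP with no validation, so an unrecognized version symbol is now rejected with ArgumentError at connect time instead of being silently dropped as the removed `METHODS.include?` guard did; failing closed is the right call for a TLS bound, but it is a behaviour change that the option documentation should state. When neither option is passed the code assigns `nil` to `min_version`/`max_version`; I believe Net::HTTP skips nil-valued SSL attributes when it builds the context, which would leave OpenSSL's defaults in place, but that lives outside this hunk and should be confirmed rather than relied on implicitly. A one-line comment above the assignments, `# nil keeps OpenSSL's default protocol bounds; an unknown symbol raises ArgumentError on connect`, would record that intent. The enclosing method begins and ends outside the hunk.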
@@ -702,6 +703,20 @@ module OpenURI https://github.com/ruby/ruby/blob/trunk/lib/open-uri.rb#L703
 #
 # :ssl_verify_mode is used to specify openssl verify mode.
 #
+ # [:ssl_min_version]
+ # Synopsis:
+ # :ssl_min_version=>:TLS1_2
+ #
+ # :ssl_min_version option specifies the minimum allowed SSL/TLS protocol
+ # version. See also OpenSSL::SSL::SSLContext#min_version=.
+ #
+ # [:ssl_max_version]
+ # Synopsis:
+ # :ssl_max_version=>:TLS1_2
+ #
+ # :ssl_max_version option specifies the maximum allowed SSL/TLS protocol
+ # version. See also OpenSSL::SSL::SSLContext#max_version=.
+ #
 # [:ftp_active_mode]
 # Synopsis:
 # :ftp_active_mode=>bool
diff --git a/test/open-uri/test_ssl.rb b/test/open-uri/test_ssl.rb
index 2d6149e654..3f94cab40f 100644
--- a/test/open-uri/test_ssl.rb
+++ b/test/open-uri/test_ssl.rb
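Review bot: The new RDoc for `:ssl_min_version` and `:ssl_max_version` does not mention that `:ssl_version` has been removed (it disappears from the defaults hash in the -99 hunk), so a reader of the option list has no migration hint. If open-uri's option check still rejects unknown keys — that code is outside these hunks — existing callers passing `:ssl_version` will now get an ArgumentError rather than the old silent acceptance, which deserves a sentence here such as `# The :ssl_version option was removed; use :ssl_min_version and/or :ssl_max_version instead.` It would also help to say that an unrecognized version symbol raises ArgumentError, which is exactly what test_bad_ssl_version in the test hunk asserts.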
@@ -92,38 +92,37 @@ class TestOpenURISSL https://github.com/ruby/ruby/blob/trunk/test/open-uri/test_ssl.rb#L92
 }
 end
- def test_validation_ssl_version
- with_https {|srv, dr, url|
- setup_validation(srv, dr)
- URI.open("#{url}/data", :ssl_verify_mode => OpenSSL::SSL::VERIFY_NONE, :ssl_version => :TLSv1_2) {|f|
- assert_equal("200", f.status[0])
- assert_equal("ddd", f.read)
+ def test_validation_failure
+ unless /mswin|mingw/ =~ RUBY_PLATFORM
+ # on Windows, Errno::ECONNRESET will be raised, and it'll be eaten by
+ # WEBrick
+ log_tester = lambda {|server_log|
+ assert_equal(1, server_log.length)
+ assert_match(/ERROR OpenSSL::SSL::SSLError:/, server_log[0])
 }
+ end
+ with_https(log_tester) {|srv, dr, url, server_thread, server_log|
+ setup_validation(srv, dr)
+ assert_raise(OpenSSL::SSL::SSLError) { URI.open("#{url}/data") {} }
 }
 end
- def test_validate_bad_ssl_version_silently
+ def test_ssl_min_version
 with_https {|srv, dr, url|
 setup_validation(srv, dr)
- URI.open("#{url}/data", :ssl_verify_mode => OpenSSL::SSL::VERIFY_NONE, :ssl_version => :TLS_no_such_version) {|f|
+ URI.open("#{url}/data", :ssl_verify_mode => OpenSSL::SSL::VERIFY_NONE, :ssl_min_version => :TLS1_2) {|f|
 assert_equal("200", f.status[0])
 assert_equal("ddd", f.read)
 }
 }
 end
- def test_validation_failure
- unless /mswin|mingw/ =~ RUBY_PLATFORM
- # on Windows, Errno::ECONNRESET will be raised, and it'll be eaten by
- # WEBrick
- log_tester = lambda {|server_log|
- assert_equal(1, server_log.length)
- assert_match(/ERROR OpenSSL::SSL::SSLError:/, server_log[0])
- }
- end
- with_https(log_tester) {|srv, dr, url, server_thread, server_log|
+ def test_bad_ssl_version
+ with_https(nil) {|srv, dr, url|
 setup_validation(srv, dr)
- assert_raise(OpenSSL::SSL::SSLError) { URI.open("#{url}/data") {} }
+ assert_raise(ArgumentError) {
+ URI.open("#{url}/data", :ssl_verify_mode => OpenSSL::SSL::VERIFY_NONE, :ssl_min_version => :TLS_no_such_version) {}
+ }
 }
 end
-- cgit v1.2.1
-- ML: ruby-changes@q...
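Review bot: Nothing in the rewritten tests exercises `:ssl_max_version`, and the new `test_ssl_min_version` only asserts a 200 response, so a regression that silently ignored either option would still pass; `test_bad_ssl_version` likewise covers only the min side. A parallel `test_ssl_max_version` with a valid bound and a bad-symbol ArgumentError case would at least pin the plumbing for both options, assuming the test server accepts TLS 1.2 as the min-version test already relies on. As a point of style, `test_bad_ssl_version` calls `with_https(nil)` while its sibling calls `with_https` with no argument; the two should agree. The class TestOpenURISSL continues outside the hunk.
```ruby
  # … unchanged: test_validation_failure, test_ssl_min_version, test_bad_ssl_version …
  def test_ssl_max_version
    with_https {|srv, dr, url|
      setup_validation(srv, dr)
      URI.open("#{url}/data", :ssl_verify_mode => OpenSSL::SSL::VERIFY_NONE, :ssl_max_version => :TLS1_2) {|f|
        assert_equal("200", f.status[0])
        assert_equal("ddd", f.read)
      }
      assert_raise(ArgumentError) {
        URI.open("#{url}/data", :ssl_verify_mode => OpenSSL::SSL::VERIFY_NONE, :ssl_max_version => :TLS_no_such_version) {}
      }
    }
  end
```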