Class: OpenSSL::SSL::SSLContext
- Inherits:
-
Object
- Object
- OpenSSL::SSL::SSLContext
- Defined in:
- lib/jopenssl22/openssl/ssl.rb,
lib/jopenssl23/openssl/ssl.rb,
lib/jopenssl19/openssl/ssl-internal.rb
Constant Summary collapse
- DEFAULT_PARAMS =
:nodoc:
{ :ssl_version => "SSLv23", :verify_mode => OpenSSL::SSL::VERIFY_PEER, :ciphers => %w{ ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES128-GCM-SHA256 DHE-DSS-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-DSS-AES256-GCM-SHA384 ECDHE-ECDSA-AES128-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-ECDSA-AES128-SHA ECDHE-RSA-AES128-SHA ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 ECDHE-ECDSA-AES256-SHA ECDHE-RSA-AES256-SHA DHE-RSA-AES128-SHA256 DHE-RSA-AES256-SHA256 DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA DHE-DSS-AES128-SHA256 DHE-DSS-AES256-SHA256 DHE-DSS-AES128-SHA DHE-DSS-AES256-SHA AES128-GCM-SHA256 AES256-GCM-SHA384 AES128-SHA256 AES256-SHA256 AES128-SHA AES256-SHA ECDHE-ECDSA-RC4-SHA ECDHE-RSA-RC4-SHA RC4-SHA }.join(":"), :options => -> { opts = OpenSSL::SSL::OP_ALL opts &= ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS if defined?(OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS) opts |= OpenSSL::SSL::OP_NO_COMPRESSION if defined?(OpenSSL::SSL::OP_NO_COMPRESSION) opts |= OpenSSL::SSL::OP_NO_SSLv2 if defined?(OpenSSL::SSL::OP_NO_SSLv2) opts |= OpenSSL::SSL::OP_NO_SSLv3 if defined?(OpenSSL::SSL::OP_NO_SSLv3) opts }.call }
- DEFAULT_TMP_DH_CALLBACK =
:nodoc:
lambda { |ctx, is_export, keylen| # :nodoc: warn "using default DH parameters." if $VERBOSE DEFAULT_2048 }
Instance Attribute Summary collapse
-
#servername_cb ⇒ Object
A callback invoked at connect time to distinguish between multiple server names.
-
#tmp_dh_callback ⇒ Object
A callback invoked when DH parameters are required.
Instance Method Summary collapse
-
#max_version=(version) ⇒ Object
call-seq: ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION ctx.max_version = :TLS1_2 ctx.max_version = nil.
-
#min_version=(version) ⇒ Object
call-seq: ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION ctx.min_version = :TLS1_2 ctx.min_version = nil.
-
#set_params(params = {}) ⇒ Object
call-seq: ctx.set_params(params = {}) -> params.
-
#ssl_version=(meth) ⇒ Object
call-seq: ctx.ssl_version = :TLSv1 ctx.ssl_version = “SSLv23”.
Instance Attribute Details
#servername_cb ⇒ Object
A callback invoked at connect time to distinguish between multiple server names.
The callback is invoked with an SSLSocket and a server name. The callback must return an SSLContext for the server name or nil.
112 113 114 |
# File 'lib/jopenssl23/openssl/ssl.rb', line 112 def servername_cb @servername_cb end |
#tmp_dh_callback ⇒ Object
A callback invoked when DH parameters are required.
The callback is invoked with the Session for the key exchange, an flag indicating the use of an export cipher and the keylength required.
The callback must return an OpenSSL::PKey::DH instance of the correct key length.
105 106 107 |
# File 'lib/jopenssl23/openssl/ssl.rb', line 105 def tmp_dh_callback @tmp_dh_callback end |
Instance Method Details
#max_version=(version) ⇒ Object
171 172 173 174 |
# File 'lib/jopenssl23/openssl/ssl.rb', line 171 def max_version=(version) set_minmax_proto_version(@min_proto_version ||= nil, version) @max_proto_version = version end |
#min_version=(version) ⇒ Object
call-seq:
ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION
ctx.min_version = :TLS1_2
ctx.min_version = nil
Sets the lower bound on the supported SSL/TLS protocol version. The version may be specified by an integer constant named OpenSSL::SSL::*_VERSION, a Symbol, or nil
which means “any version”.
Be careful that you don’t overwrite OpenSSL::SSL::OP_NO_SSL,TLSv* options by #options= once you have called #min_version= or #max_version=.
Example
ctx = OpenSSL::SSL::SSLContext.new
ctx.min_version = OpenSSL::SSL::TLS1_1_VERSION
ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION
sock = OpenSSL::SSL::SSLSocket.new(tcp_sock, ctx)
sock.connect # Initiates a connection using either TLS 1.1 or TLS 1.2
159 160 161 162 |
# File 'lib/jopenssl23/openssl/ssl.rb', line 159 def min_version=(version) set_minmax_proto_version(version, @max_proto_version ||= nil) @min_proto_version = version end |
#set_params(params = {}) ⇒ Object
call-seq:
ctx.set_params(params = {}) -> params
Sets saner defaults optimized for the use with HTTP-like protocols.
If a Hash params is given, the parameters are overridden with it. The keys in params must be assignment methods on SSLContext.
If the verify_mode is not VERIFY_NONE and ca_file, ca_path and cert_store are not set then the system default certificate store is used.
87 88 89 90 91 92 93 94 95 96 |
# File 'lib/jopenssl22/openssl/ssl.rb', line 87 def set_params(params={}) params = DEFAULT_PARAMS.merge(params) params.each { |name, value| self.__send__("#{name}=", value) } if self.verify_mode != OpenSSL::SSL::VERIFY_NONE unless self.ca_file or self.ca_path or self.cert_store self.cert_store = DEFAULT_CERT_STORE end end return params end |
#ssl_version=(meth) ⇒ Object
call-seq:
ctx.ssl_version = :TLSv1
ctx.ssl_version = "SSLv23"
Sets the SSL/TLS protocol version for the context. This forces connections to use only the specified protocol version. This is deprecated and only provided for backwards compatibility. Use #min_version= and #max_version= instead.
History
As the name hints, this used to call the SSL_CTX_set_ssl_version() function which sets the SSL method used for connections created from the context. As of Ruby/OpenSSL 2.1, this accessor method is implemented to call #min_version= and #max_version= instead.
190 191 192 193 194 195 196 197 198 199 200 201 202 |
# File 'lib/jopenssl23/openssl/ssl.rb', line 190 def ssl_version=(meth) meth = meth.to_s if meth.is_a?(Symbol) if /(?<type>_client|_server)\z/ =~ meth meth = $` if $VERBOSE warn "#{caller(1, 1)[0]}: method type #{type.inspect} is ignored" end end version = METHODS_MAP[meth.intern] or raise ArgumentError, "unknown SSL method `%s'" % meth set_minmax_proto_version(version, version) @min_proto_version = @max_proto_version = version end |