Class: OpenSSL::SSL::SSLContext

Inherits:
Object
  • Object
show all
Defined in:
lib/jopenssl22/openssl/ssl.rb,
lib/jopenssl23/openssl/ssl.rb,
lib/jopenssl19/openssl/ssl-internal.rb

Constant Summary collapse

DEFAULT_PARAMS =

:nodoc:

{
    :ssl_version => "SSLv23",
    :verify_mode => OpenSSL::SSL::VERIFY_PEER,
    :ciphers => %w{
    ECDHE-ECDSA-AES128-GCM-SHA256
    ECDHE-RSA-AES128-GCM-SHA256
    ECDHE-ECDSA-AES256-GCM-SHA384
    ECDHE-RSA-AES256-GCM-SHA384
    DHE-RSA-AES128-GCM-SHA256
    DHE-DSS-AES128-GCM-SHA256
    DHE-RSA-AES256-GCM-SHA384
    DHE-DSS-AES256-GCM-SHA384
    ECDHE-ECDSA-AES128-SHA256
    ECDHE-RSA-AES128-SHA256
    ECDHE-ECDSA-AES128-SHA
    ECDHE-RSA-AES128-SHA
    ECDHE-ECDSA-AES256-SHA384
    ECDHE-RSA-AES256-SHA384
    ECDHE-ECDSA-AES256-SHA
    ECDHE-RSA-AES256-SHA
    DHE-RSA-AES128-SHA256
    DHE-RSA-AES256-SHA256
    DHE-RSA-AES128-SHA
    DHE-RSA-AES256-SHA
    DHE-DSS-AES128-SHA256
    DHE-DSS-AES256-SHA256
    DHE-DSS-AES128-SHA
    DHE-DSS-AES256-SHA
    AES128-GCM-SHA256
    AES256-GCM-SHA384
    AES128-SHA256
    AES256-SHA256
    AES128-SHA
    AES256-SHA
    ECDHE-ECDSA-RC4-SHA
    ECDHE-RSA-RC4-SHA
    RC4-SHA
  }.join(":"),
    :options => -> {
      opts = OpenSSL::SSL::OP_ALL
      opts &= ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS if defined?(OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS)
      opts |= OpenSSL::SSL::OP_NO_COMPRESSION if defined?(OpenSSL::SSL::OP_NO_COMPRESSION)
      opts |= OpenSSL::SSL::OP_NO_SSLv2 if defined?(OpenSSL::SSL::OP_NO_SSLv2)
      opts |= OpenSSL::SSL::OP_NO_SSLv3 if defined?(OpenSSL::SSL::OP_NO_SSLv3)
      opts
    }.call
}
DEFAULT_TMP_DH_CALLBACK =

:nodoc:

lambda { |ctx, is_export, keylen| # :nodoc:
  warn "using default DH parameters." if $VERBOSE
  DEFAULT_2048
}

Instance Attribute Summary collapse

Instance Method Summary collapse

Instance Attribute Details

#servername_cbObject

A callback invoked at connect time to distinguish between multiple server names.

The callback is invoked with an SSLSocket and a server name. The callback must return an SSLContext for the server name or nil.



112
113
114
 
# File 'lib/jopenssl23/openssl/ssl.rb', line 112

def servername_cb
  @servername_cb
end

#tmp_dh_callbackObject

A callback invoked when DH parameters are required.

The callback is invoked with the Session for the key exchange, an flag indicating the use of an export cipher and the keylength required.

The callback must return an OpenSSL::PKey::DH instance of the correct key length.



105
106
107
 
# File 'lib/jopenssl23/openssl/ssl.rb', line 105

def tmp_dh_callback
  @tmp_dh_callback
end

Instance Method Details

#max_version=(version) ⇒ Object

call-seq:

ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION
ctx.max_version = :TLS1_2
ctx.max_version = nil

Sets the upper bound of the supported SSL/TLS protocol version. See #min_version= for the possible values.



171
172
173
174
 
# File 'lib/jopenssl23/openssl/ssl.rb', line 171

def max_version=(version)
  set_minmax_proto_version(@min_proto_version ||= nil, version)
  @max_proto_version = version
end

#min_version=(version) ⇒ Object

call-seq:

ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION
ctx.min_version = :TLS1_2
ctx.min_version = nil

Sets the lower bound on the supported SSL/TLS protocol version. The version may be specified by an integer constant named OpenSSL::SSL::*_VERSION, a Symbol, or nil which means “any version”.

Be careful that you don’t overwrite OpenSSL::SSL::OP_NO_SSL,TLSv* options by #options= once you have called #min_version= or #max_version=.

Example

ctx = OpenSSL::SSL::SSLContext.new
ctx.min_version = OpenSSL::SSL::TLS1_1_VERSION
ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION

sock = OpenSSL::SSL::SSLSocket.new(tcp_sock, ctx)
sock.connect # Initiates a connection using either TLS 1.1 or TLS 1.2



159
160
161
162
 
# File 'lib/jopenssl23/openssl/ssl.rb', line 159

def min_version=(version)
  set_minmax_proto_version(version, @max_proto_version ||= nil)
  @min_proto_version = version
end

#set_params(params = {}) ⇒ Object

call-seq:

ctx.set_params(params = {}) -> params

Sets saner defaults optimized for the use with HTTP-like protocols.

If a Hash params is given, the parameters are overridden with it. The keys in params must be assignment methods on SSLContext.

If the verify_mode is not VERIFY_NONE and ca_file, ca_path and cert_store are not set then the system default certificate store is used.



87
88
89
90
91
92
93
94
95
96
 
# File 'lib/jopenssl22/openssl/ssl.rb', line 87

def set_params(params={})
  params = DEFAULT_PARAMS.merge(params)
  params.each { |name, value| self.__send__("#{name}=", value) }
  if self.verify_mode != OpenSSL::SSL::VERIFY_NONE
    unless self.ca_file or self.ca_path or self.cert_store
      self.cert_store = DEFAULT_CERT_STORE
    end
  end
  return params
end

#ssl_version=(meth) ⇒ Object

call-seq:

ctx.ssl_version = :TLSv1
ctx.ssl_version = "SSLv23"

Sets the SSL/TLS protocol version for the context. This forces connections to use only the specified protocol version. This is deprecated and only provided for backwards compatibility. Use #min_version= and #max_version= instead.

History

As the name hints, this used to call the SSL_CTX_set_ssl_version() function which sets the SSL method used for connections created from the context. As of Ruby/OpenSSL 2.1, this accessor method is implemented to call #min_version= and #max_version= instead.



190
191
192
193
194
195
196
197
198
199
200
201
202
 
# File 'lib/jopenssl23/openssl/ssl.rb', line 190

def ssl_version=(meth)
  meth = meth.to_s if meth.is_a?(Symbol)
  if /(?<type>_client|_server)\z/ =~ meth
    meth = $`
    if $VERBOSE
      warn "#{caller(1, 1)[0]}: method type #{type.inspect} is ignored"
    end
  end
  version = METHODS_MAP[meth.intern] or
    raise ArgumentError, "unknown SSL method `%s'" % meth
  set_minmax_proto_version(version, version)
  @min_proto_version = @max_proto_version = version
end