From d4a2667af2fa9be9be7da86dbf3cf12ab5a1be85 Mon Sep 17 00:00:00 2001
From: Bart de Water
Date: Sat, 21 Apr 2018 13:45:21 -0400
Subject: [PATCH] Allow setting min/max SSL version for a connection on Ruby 2.5
---
 lib/net/http/persistent.rb | 40 +++++++++++++++++++++++++++++++-
 test/test_net_http_persistent.rb | 18 ++++++++++++--
 2 files changed, 55 insertions(+), 3 deletions(-)
diff --git a/lib/net/http/persistent.rb b/lib/net/http/persistent.rb
index e6a110c..fec872f 100644
--- a/lib/net/http/persistent.rb
+++ b/lib/net/http/persistent.rb
@@ -440,10 +440,26 @@ def self.detect_idle_timeout uri, max = 10
  # SSL version to use.
  #
  # By default, the version will be negotiated automatically between client
- # and server. Ruby 1.9 and newer only.
+ # and server. Ruby 1.9 and newer only. Deprecated since Ruby 2.5.
  attr_reader :ssl_version
+ ##
+ # Minimum SSL version to use, e.g. :TLS1_1
+ #
+ # By default, the version will be negotiated automatically between client
+ # and server. Ruby 2.5 and newer only.
+
+ attr_reader :min_version
+
+ ##
+ # Maximum SSL version to use, e.g. :TLS1_2
+ #
+ # By default, the version will be negotiated automatically between client
+ # and server. Ruby 2.5 and newer only.
+
+ attr_reader :max_version
+
  ##
  # Where this instance's last-use times live in the thread local variables
@@ -533,6 +549,8 @@ def initialize name: nil, proxy: nil, pool_size: DEFAULT_POOL_SIZE
  @private_key = nil
  @ssl_timeout = nil
  @ssl_version = nil
+ @min_version = nil
+ @max_version = nil
  @verify_callback = nil
  @verify_depth = nil
  @verify_mode = nil
@@ -1044,6 +1062,8 @@ def ssl connection
  connection.ciphers = @ciphers if @ciphers
  connection.ssl_timeout = @ssl_timeout if @ssl_timeout
  connection.ssl_version = @ssl_version if @ssl_version
+ connection.min_version = @min_version if @min_version
+ connection.max_version = @max_version if @max_version
  connection.verify_depth = @verify_depth
  connection.verify_mode = @verify_mode
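Review bot: The comments added for `min_version` and `max_version` (hunk at -440) do not say how these settings relate to `ssl_version`, which the same hunk now marks as deprecated, so a caller who sets both cannot tell which one applies. How the three are combined is decided by Net::HTTP and OpenSSL and is not visible in this patch. I would add a line to each comment such as `# Prefer this over ssl_version; do not set both.` The `min_version` example could also be `:TLS1_2` rather than `:TLS1_1`, so the documented floor is not a legacy protocol version.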
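Review bot: In `ssl` (hunk at -1044) the two added assignments call `connection.min_version=` and `connection.max_version=`, which the new attribute docs describe as Ruby 2.5 and newer only, so on an older Ruby a caller who set either option would presumably get a NoMethodError at connect time, far from the assignment. Failing in the setters `min_version=` / `max_version=` (hunk at -1115) would surface it earlier, e.g. `raise ArgumentError, 'min_version requires Ruby 2.5 or newer' if min_version && !Net::HTTP.method_defined?(:min_version=)`. Guarding the assignment in `ssl` with `respond_to?` instead would silently drop a configured minimum, which is the wrong way to fail for a protocol floor. `ssl` starts and ends outside the hunk.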
@@ -1115,6 +1135,24 @@ def ssl_version= ssl_version reconnect_ssl end + ## + # Minimum SSL version to use + + def min_version= min_version + @min_version = min_version + + reconnect_ssl + end + + ## + # maximum SSL version to use + + def max_version= max_version + @max_version = max_version + + reconnect_ssl + end + ## # Sets the depth of SSL certificate verification diff --git a/test/test_net_http_persistent.rb b/test/test_net_http_persistent.rb index fa64570..c1d480b 100644 --- a/test/test_net_http_persistent.rb +++ b/test/test_net_http_persistent.rb @@ -77,8 +77,8 @@ def teardown class BasicConnection attr_accessor :started, :finished, :address, :port, :use_ssl, :read_timeout, :open_timeout, :keep_alive_timeout - attr_accessor :ciphers, :ssl_timeout, :ssl_version, - :verify_depth, :verify_mode, :cert_store, + attr_accessor :ciphers, :ssl_timeout, :ssl_version, :min_version, + :max_version, :verify_depth, :verify_mode, :cert_store, :ca_file, :ca_path, :cert, :key attr_reader :req, :debug_output def initialize @@ -1527,6 +1527,20 @@ def test_ssl_version_equals assert_equal 1, @http.ssl_generation end + def test_min_version_equals + @http.min_version = :min_version + + assert_equal :min_version, @http.min_version + assert_equal 1, @http.ssl_generation + end + + def test_max_version_equals + @http.max_version = :max_version + + assert_equal :max_version, @http.max_version + assert_equal 1, @http.ssl_generation + end + def test_start c = basic_connection c = c.http
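Review bot: The comments on the new setters `min_version=` and `max_version=` (hunk at -1115) are inconsistent with each other ("Minimum ..." against lower-case "maximum ...") and do not mention that assignment calls `reconnect_ssl`, which both bodies visibly do. Suggested wording: `# Minimum SSL version to use, e.g. :TLS1_2. Changing it calls reconnect_ssl.` and the same form for the maximum. What `reconnect_ssl` does to connections that are already open is outside this diff, so the comment should not promise more than that.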
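Review bot: `test_min_version_equals` and `test_max_version_equals` (hunk at -1527) only check the accessor and `ssl_generation`; nothing in the hunks shown asserts that `ssl` copies the values onto the connection, although `BasicConnection` gains `min_version`/`max_version` accessors in the hunk at -77 of this file. A test that sets both options, runs `@http.ssl` on a connection and checks `assert_equal :TLS1_2, c.min_version` (and the maximum likewise) would cover the two lines added to `ssl`; the existing SSL tests, which are outside this diff, may be the natural place for it. Using a realistic symbol such as `:TLS1_2` instead of `:min_version` as the test value would also make the intent clearer.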