2.1.0.beta1 vs 2.0.5 with 1.1.0f - SSLContext::METHODS change #147

Closed
MSP-Greg opened this issue Sep 6, 2017 · 3 comments

MSP-Greg commented Sep 6, 2017

I'm somewhat in the middle of some other coding tasks, but I just noticed that

when using 2.1.0.beta1, SSLContext::METHODS contains

SSLv2 SSLv23 SSLv3 TLSv1 TLSv1_1 TLSv1_2

when using 2.0.5, SSLContext::METHODS contains

SSLv23 TLSv1 TLSv1_1 TLSv1_2

Note that SSLv2 and SSLv3 appear in 2.1.0 but not 2.0.5. I'm using 1.1.0f, and I thought the OpenSSL package was built with SSL disabled. I run a daily Appveyor with info helpful for Ruby, the trunk builds are all the way at the bottom. See the OpenSSL section, 2.1.0.beta1 here and 2.0.5 here.

I checked History.md, the only thing I saw related to SSLContext::Methods was 'OpenSSL::SSL::SSLContext#min_version= and #max_version= are added. [GitHub #142]'

Not super knowledgeable about SSL, but this seems kind of odd...

EDIT: Just found some notes:

1.1.0f package used for above builds (shows no SSL versions):

```
>openssl ciphers -help
Usage: ciphers [options]
Valid options are:
 -help    Display this summary
 -v       Verbose listing of the SSL/TLS ciphers
 -V       Even more verbose
 -s       Only supported ciphers
 -tls1    TLS1 mode
 -tls1_1  TLS1.1 mode
 -tls1_2  TLS1.2 mode
 -psk     include ciphersuites requiring PSK
 -srp     include ciphersuites requiring SRP
```

Same command with a 1.0.2l package (shows SSLv2 & SSLv3):

```
>openssl ciphers -help
usage: ciphers args
 -v          - verbose mode, a textual listing of the SSL/TLS ciphers in OpenSSL
 -V          - even more verbose
 -ssl2       - SSL2 mode
 -ssl3       - SSL3 mode
 -tls1       - TLS1 mode
```

MSP-Greg commented Sep 6, 2017

I just came across ssl: rework SSLContext#ssl_version=, so I'll close this, since I haven't had time to look thru...

MSP-Greg closed this as completed Sep 6, 2017

MSP-Greg commented Sep 7, 2017

After reviewing the commit, and the added methods in SSLContext, I believe that SSLContext::METHODS should remain.

For instance, I have seen it used in test scripts to determine what tests to run, as it allows one to easily determine whether the OpenSSL library supports various SSL/TLS methods.

MSP-Greg reopened this Sep 7, 2017

rhenium commented Sep 15, 2017

I probably should have mentioned the change in SSLContext#ssl_version= and SSLContext::METHODS in History.md. I'll try when I make the 2.1.0.beta2 release.

The change itself is perfectly expected. The constant contains symbol values that would be accepted by SSLContext#ssl_version=, so the semantics did not change. In fact, checking the constant has never been a proper way to check whether an SSL/TLS protocol version is supported by the OpenSSL library or not -- with previous versions of ext/openssl, one could build OpenSSL with the TLSv1{,_client,_server} methods enabled and no actual TLS 1.0 support.

rhenium closed this as completed Sep 15, 2017
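
The point made in the last comment, that `SSLContext::METHODS` lists what `ssl_version=` accepts rather than what the library can negotiate, can be checked with a loopback handshake pinned to one version. This is an added example, not code from this thread or from ruby/openssl; the helper names and the self-signed localhost certificate are assumptions of the example, and it relies on the `min_version=`/`max_version=` setters mentioned in the History.md entry quoted above.

```ruby
require "openssl"
require "socket"

# Example helpers (not ruby/openssl API). Throwaway self-signed server identity.
def probe_identity
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=localhost")
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  [cert.sign(key, OpenSSL::Digest.new("SHA256")), key]
end

# True only if a loopback handshake pinned to exactly `version` completes.
def version_usable?(version, cert, key)
  server_ctx, client_ctx = Array.new(2) { OpenSSL::SSL::SSLContext.new }
  [server_ctx, client_ctx].each { |c| c.min_version = c.max_version = version }
  client_ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE # probing the protocol, not trust
  server_ctx.cert, server_ctx.key = cert, key
  listener = TCPServer.new("127.0.0.1", 0)
  server = Thread.new do
    sock = listener.accept
    OpenSSL::SSL::SSLSocket.new(sock, server_ctx).accept
  rescue OpenSSL::SSL::SSLError, SystemCallError, IOError
    nil # a failed handshake is an expected probe outcome
  ensure
    sock&.close
  end
  tcp = TCPSocket.new("127.0.0.1", listener.addr[1])
  OpenSSL::SSL::SSLSocket.new(tcp, client_ctx).connect
  true
rescue OpenSSL::SSL::SSLError, SystemCallError, IOError, ArgumentError
  false
ensure
  tcp&.close
  server&.join(5)
  listener&.close
end

# Compare what SSLContext::METHODS lists with what actually handshakes.
def listed_vs_usable
  cert, key = probe_identity
  ctx = OpenSSL::SSL::SSLContext
  listed = ctx.const_defined?(:METHODS) ? ctx.const_get(:METHODS) : []
  { SSLv3: :SSL3, TLSv1: :TLS1, TLSv1_1: :TLS1_1, TLSv1_2: :TLS1_2 }.to_h do |name, v|
    [name, { listed: listed.include?(name), usable: version_usable?(v, cert, key) }]
  end
end

p listed_vs_usable if $PROGRAM_NAME == __FILE__
```

A version reported as `listed: true, usable: false` is the mismatch the comment describes, so a test suite that gates on protocol support should use the handshake result.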