
ssl: add SSLContext#min_version= and #max_version= #142

Merged (5 commits) on Sep 3, 2017

Conversation


@rhenium rhenium commented Aug 29, 2017

Add methods that set the minimum and maximum supported protocol
versions for the SSL context. If the OpenSSL library supports them, use
SSL_CTX_set_{min,max}_proto_version(), which do exactly that.
Otherwise, simulate by combining SSL_OP_NO_{SSL,TLS}v* flags.

The new methods are meant to replace the deprecated
SSLContext#ssl_version= that cannot support multiple protocol versions.

SSLContext::DEFAULT_PARAMS is also updated to use the new
SSLContext#min_version=.

@rhenium rhenium force-pushed the ky/ssl-version-min-max branch 2 times, most recently from 5a60eda to ae15316 on August 31, 2017 15:54
@rhenium rhenium force-pushed the ky/ssl-version-min-max branch from d05e16a to 9ff2650 on September 2, 2017 09:05
SSL_CTX_{get,set,clear}_options() are made separate functions and they
now treat flags as unsigned long. Fix possible RangeError on platforms
with sizeof(long)==4.

Reorder and expand the ossl_ssl_def_const() macro so RDoc can parse and render
better, and add new flags that are in recent versions of OpenSSL.

OpenSSL 1.1.0 replaced SSLv23_method() with TLS_method(). SSLv23_method(),
which still exists in 1.1.0 as a macro around TLS_method(), will
eventually be removed. Use the new name if possible.
@rhenium rhenium force-pushed the ky/ssl-version-min-max branch 4 times, most recently from fb11c04 to da704fc on September 3, 2017 01:45
Add methods that set the minimum and maximum supported protocol versions
for the SSL context. If the OpenSSL library supports them, use
SSL_CTX_set_{min,max}_proto_version(), which do exactly that.
Otherwise, simulate by combining SSL_OP_NO_{SSL,TLS}v* flags.

The new methods are meant to replace the deprecated #ssl_version= that
cannot support multiple protocol versions.

SSLContext::DEFAULT_PARAMS is also updated to use the new
SSLContext#min_version=.

Reimplement SSLContext#ssl_version= as a wrapper around
SSLContext#min_version= and #max_version=.

SSLContext#ssl_version= used to call SSL_CTX_set_ssl_version() which
replaces the SSL method used for the connections created from the SSL
context. This is mainly used for forcing a specific SSL/TLS protocol
version.

As of OpenSSL 1.1.0, however, use of the version-specific SSL methods
such as TLSv1_method() is deprecated. Follow the current recommendation
-- to use the generic SSL method always and to control the supported
version range by SSL_CTX_set_{min,max}_proto_version(). Actually, we
have already started doing a similar thing when the extension is
compiled with OpenSSL 1.1.0.

OpenSSL::SSL::SSLContext::METHODS, which contained the possible names of
SSL methods, is not useful anymore. It is now deprecate_constant-ed.
@rhenium rhenium force-pushed the ky/ssl-version-min-max branch from da704fc to 5653599 on September 3, 2017 02:23
@rhenium rhenium merged commit e96d9c0 into ruby:master Sep 3, 2017
rhenium added a commit to rhenium/ruby-openssl that referenced this pull request Jan 30, 2025
Make these methods simple wrappers around
SSL_CTX_set_{min,max}_proto_version().

When we introduced these methods in commit 1860394 [1], which went
to v2.1.0, we added a private method to SSLContext that set both the
minimum and maximum protocol versions at the same time. This was to
allow emulating the behavior using SSL options on older OpenSSL versions
that lack SSL_CTX_set_{min,max}_proto_version(). Since we no longer
support OpenSSL 1.0.2, the related code has already been removed.

In OpenSSL 1.1.1 or later, setting the minimum or maximum version to 0
is not equivalent to leaving it unset. Similar to SSL options, which we
avoid overwriting as of commit 00bec0d and commit 77c3db2 [2],
a system-wide configuration file may define default protocol version
bounds. Setting the minimum version should not unset the maximum
version, and vice versa.

[1] ruby#142
[2] ruby#767
rhenium added a commit to rhenium/ruby-openssl that referenced this pull request Jan 31, 2025
matzbot pushed a commit to ruby/ruby that referenced this pull request Feb 3, 2025
Make these methods simple wrappers around
SSL_CTX_set_{min,max}_proto_version().

When we introduced these methods in commit ruby/openssl@18603949d316 [1], which went
to v2.1.0, we added a private method to SSLContext that set both the
minimum and maximum protocol versions at the same time. This was to
allow emulating the behavior using SSL options on older OpenSSL versions
that lack SSL_CTX_set_{min,max}_proto_version(). Since we no longer
support OpenSSL 1.0.2, the related code has already been removed.

In OpenSSL 1.1.1 or later, setting the minimum or maximum version to 0
is not equivalent to leaving it unset. Similar to SSL options, which we
avoid overwriting as of commit ruby/openssl@00bec0d905d5 and commit ruby/openssl@77c3db2d6587 [2],
a system-wide configuration file may define default protocol version
bounds. Setting the minimum version should not unset the maximum
version, and vice versa.

[1] ruby/openssl#142
[2] ruby/openssl#767

ruby/openssl@5766386321
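An added example (not ruby-openssl's own code) that works through the two mechanisms discussed in this thread: the SSL_OP_NO_* emulation of a [min, max] range that the PR used on OpenSSL without SSL_CTX_set_{min,max}_proto_version(), the range that the reimplemented #ssl_version= wrapper maps a method name to, and the real API used the way the 2025 follow-up commit asks for. The numeric version and flag tables are assumed to mirror OpenSSL's ssl.h; `emulated_no_flags`, `ssl_version_to_range` and `context_for` are names chosen here, not gem methods.

```ruby
require "openssl"

# Wire protocol numbers (SSL3_VERSION .. TLS1_3_VERSION) and SSL_OP_NO_*
# flag values as in OpenSSL's ssl.h (assumed here, so the logic runs
# without the constants the PR added to OpenSSL::SSL).
VERSION_NAMES = {
  0x0300 => :SSLv3,   # SSL3_VERSION
  0x0301 => :TLSv1,   # TLS1_VERSION
  0x0302 => :TLSv1_1, # TLS1_1_VERSION
  0x0303 => :TLSv1_2, # TLS1_2_VERSION
  0x0304 => :TLSv1_3, # TLS1_3_VERSION
}.freeze

OP_NO = {
  SSLv3: 0x02000000, TLSv1: 0x04000000, TLSv1_2: 0x08000000,
  TLSv1_1: 0x10000000, TLSv1_3: 0x20000000,
}.freeze

# Fallback the PR describes for OpenSSL lacking
# SSL_CTX_set_{min,max}_proto_version(): turn a [min, max] range into the
# SSL_OP_NO_* bits that disable every version outside it. A bound of 0
# means "unbounded" on that side, as in the OpenSSL API.
def emulated_no_flags(min_version, max_version)
  VERSION_NAMES.sum do |wire, name|
    too_low  = min_version != 0 && wire < min_version
    too_high = max_version != 0 && wire > max_version
    (too_low || too_high) ? OP_NO[name] : 0
  end
end

# What the reimplemented SSLContext#ssl_version= wrapper boils down to:
# a version-specific method name pins min == max, the generic names
# (SSLv23, TLS) leave both bounds open; _client/_server suffixes accepted.
def ssl_version_to_range(meth)
  name = meth.to_s.sub(/_(client|server)\z/, "")
  return [0, 0] if %w[SSLv23 TLS].include?(name)
  wire = VERSION_NAMES.key(name.to_sym) or
    raise ArgumentError, "unknown SSL method #{meth}"
  [wire, wire]
end

# The real API, used as the 2025 follow-up commit asks: only the bound
# being set is touched, so setting a minimum never clears a maximum that
# a system-wide openssl.cnf may have configured (0 is not "unset").
def context_for(min: nil, max: nil)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.min_version = min if min
  ctx.max_version = max if max
  ctx
end
```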