API for OpenSSL #3865
API for OpenSSL #3865
Conversation
| # # - https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet#Rule_-_Only_Support_Strong_Cryptographic_Ciphers | ||
| # # - https://cipherli.st/ | ||
| # # - Full list is available at: https://wiki.openssl.org/index.php/Manual:Ciphers(1)#CIPHER_STRINGS | ||
| # context.ciphers = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH" |
There was a problem hiding this comment.
I'm not sure about adding a valid value here, people should be forced to actually follow the links given rather than copy pasting whatever is here. Also it should be made clear that we do provide a sane enough default.
| # context.certificate_chain = "/tmp/certificate.crt" | ||
| # # Those options are to enhance the security of the server by not using deprecated SSLv2 and SSLv3 protocols | ||
| # # It is also advised to disable Compression and enable only TLS1.2 | ||
| # context.add_options(OpenSSL::SSL::Options::NO_SSLV2 | OpenSSL::SSL::Options::NO_SSLV3) |
There was a problem hiding this comment.
Same, those recommendations might get outdated and we do provide sane enough defaults. Or if we don't we should.
| # context = OpenSSL::SSL::Context::Client.new | ||
| # context.ciphers = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH" | ||
| # context.add_options(OpenSSL::SSL::Options::NO_SSLV2 | OpenSSL::SSL::Options::NO_SSLV3) | ||
| # context.verify_mode = OpenSSL::SSL::VerifyMode::NONE |
There was a problem hiding this comment.
I wouldn't even mention this option in a usage example. People should pay reasonable research effort into this, so they understand what they're doing with it.
- removed valid ciphers from code - moved links to the upper part of the doc
|
@jhass , better ? |
|
I'll be more harsh: drop the security tuning examples completely (ciphers, options, verify mode), except for specifying the keys; document that we do our best to define good defaults (Mozilla Intermediate) in the stdlib with a link to the Mozilla wiki page for more details, along with encouragements to notify us / send a pull request if we get out-of-date, have ciphers enabled that shouldn't be, etc. Note that we don't exactly follow the Mozilla Intermediate configuration, for example we don't configure the |
|
@ysbaddaden I just did , removed all security tuning. |
|
@jhass and @ysbaddaden .
|
| # - Full list is available at: https://wiki.openssl.org/index.php/Manual:Ciphers(1)#CIPHER_STRINGS | ||
| # | ||
| # Do note that | ||
| # - Crystal do provide sane defaults for all Ciphers and protocols |
There was a problem hiding this comment.
I propose:
Crystal does its best to provide sane configuration defaults (see Mozilla Intermediate).
| # socket = TCPServer.new(5555) # Bind new TCPSocket to port 5555 | ||
| # context = OpenSSL::SSL::Context::Server.new | ||
| # # Define which ciphers to use with OpenSSL | ||
| # context.ciphers = "VALID_CIPHER_STRING" |
There was a problem hiding this comment.
context.ciphers leftover.
| # def client | ||
| # socket = TCPSocket.new("127.0.0.1", 5555) | ||
| # context = OpenSSL::SSL::Context::Client.new | ||
| # context.ciphers = "VALID_CIPHER_STRING" |
| @@ -1,5 +1,56 @@ | |||
| require "./openssl/lib_ssl" | |||
|
|
|||
| # ### Example | |||
There was a problem hiding this comment.
Maybe have a header? Something as basic as # OpenSSL integration
Maybe also have an introduction that says that:
- TLS sockets need a context, potentially with keys (required for servers) and configuration.
- TLS sockets will wrap the underlying TCP socket, and any further communication must happen through the
OpenSSL::SSL::Socketonly.
Then continue with:
- the default configuration (sane defaults, uses Mozilla Intermediate, best effort, please contribute)
- the server example —I'm not sure we should add an example about how to generate the certificates, one should buy a certificate instead;
- the client example.
|
@ysbaddaden cool ? |
|
@ysbaddaden @jhass |
| # - Linked version of OpenSSL need to be checked for supporting specific protocols and ciphers | ||
| # - If any configurations or choices in Crystal regarding SSL settings and security are found to be lacking or need | ||
| # improvement please open an issue and let us know | ||
| # ### Server side |
There was a problem hiding this comment.
Please add a newline before and after the heading ###.
| # end | ||
| # end | ||
| # ``` | ||
| # ### Client side |
| # ssl_socket.write("Testing".to_slice) | ||
| # end | ||
| # ``` | ||
|
|
There was a problem hiding this comment.
Please remove redundant newline.
|
@Sija , done. |
|
So ... are we done ? can this be merged ? |
|
Looks OK to me. |
| # socket = TCPServer.new(5555) # Bind new TCPSocket to port 5555 | ||
| # context = OpenSSL::SSL::Context::Server.new | ||
| # context.private_key = "/path/to/private.key" | ||
| # context.certificate_chain = "/path/to/public.cert?" |
There was a problem hiding this comment.
is ? at the end of the path intentional?
| # | ||
| # ### Server side | ||
| # | ||
| # ```crystal |
There was a problem hiding this comment.
no need for crystal prefix here
| # | ||
| # ### Client side | ||
| # | ||
| # ```crystal |
|
LGTM |
|
Build has failed on x86-linux. Restarted. |
No description provided.