Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add a start_tls option to specify the minimum SSL version required #438

Closed
wants to merge 4 commits into from
Closed

Add a start_tls option to specify the minimum SSL version required #438

wants to merge 4 commits into from

Conversation

fabiokung
Copy link
Contributor

These patches allow EM code to disable SSLv2, or force TLSv1 only.

Usage:

module Handler
  def post_init
    start_tls(:min_version => :sslv3)
  end
end

:min_version is case insensitive and can be :sslv2 (any, default), :sslv3 (disables SSLv2), or :tlsv1 (TLSv1 only).

This is backwards compatible and the default is the same as before (:min_version => :SSLv2). @tmaher can fill us in with reasons why someone would want to completely disable SSLv2 and/or SSLv3 nowadays.

@ibc
Copy link
Contributor

ibc commented Apr 25, 2013

This is backwards compatible and the default is still SSLv23. @tmaher can fill us in with reasons why someone would want to completely disable SSLv2 nowadays.

Because not all in the world is HTTP and there are other protocols (i.e.
SIP) in which just TLS is allowed and SSL is not.

@fabiokung
allow multiple versions instead of only forcing sslv3
76b1e13 
This introduces a new ssl parameter: :min_version, which can be
:sslv2 (any), :sslv3 (no SSLv2), or :tlsv1 (forces tlsv1).
@fabiokung
Copy link
Contributor Author

I completely reworked these patches to allow a SSL :min_version, instead of only forcing SSLv3. That way, eventmachine client and/or server code can specify what is the minimum ssl version required: :sslv2 (any), :sslv3 (no SSLv2) or :tlsv1 (TLSv1 only).

I also included some tests using a client other than EM forcing specific protocol versions.

/cc @tmaher

@elijh
Copy link

elijh commented Jan 24, 2014

+1

This would be a very welcome addition to eventmachine. It is certainly best practice to disable SSLv2 whenever possible. I don't know if it would help this pull request get approved or not, but it would also be cool to add cipher selection. The hard coded cipher list in ssl.cpp is pretty horrible:

SSL_CTX_set_cipher_list (pCtx, "ALL:!ADH:!LOW:!EXP:!DES-CBC3-SHA:@STRENGTH");

This was referenced Oct 23, 2014
Closed
Open
@sodabrew
Copy link
Member

I don't think a min version is the right way to go. It's entirely possible that a bug would be discovered in a "middle version" -- for example, TLSv1.1 could become compromised while TLSv1 and TLSv1.2 are safe. We'll need a way to handle that scenario.

I suggest a version string that allows us to whitelist / blacklist a set of protocols. See #359 (comment)

@jonbrenner
Copy link

I agree with @sodabrew. In addition to specifying specific versions due to security concerns, there are interoperability reasons for specifying specific versions. E.g., embedded systems with poor implementations of specific protocol versions.

@sodabrew
Copy link
Member

sodabrew commented Nov 4, 2015

This is cherry-picked and further developed in #654

@sodabrew sodabrew closed this Nov 4, 2015
@sodabrew sodabrew added this to the v1.2.0 milestone Nov 4, 2015
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v1.2.0
Development

Successfully merging this pull request may close these issues.
5 participants
@fabiokung @ibc @elijh @sodabrew @jonbrenner