Add a start_tls option to specify the minimum SSL version required #438
Conversation
It is apparently different across openssl versions
Because not all in the world is HTTP and there are other protocols (i.e.
This introduces a new ssl parameter: :min_version, which can be :sslv2 (any), :sslv3 (no SSLv2), or :tlsv1 (forces tlsv1).
I completely reworked these patches to allow a SSL I also included some tests using a client other than EM forcing specific protocol versions. /cc @tmaher
+1 This would be a very welcome addition to eventmachine. It is certainly best practice to disable SSLv2 whenever possible. I don't know if it would help this pull request get approved or not, but it would also be cool to add cipher selection. The hard coded cipher list in ssl.cpp is pretty horrible:
I don't think a min version is the right way to go. It's entirely possible that a bug would be discovered in a "middle version" -- for example, TLSv1.1 could become compromised while TLSv1 and TLSv1.2 are safe. We'll need a way to handle that scenario. I suggest a version string that allows us to whitelist / blacklist a set of protocols. See #359 (comment)
I agree with @sodabrew. In addition to specifying specific versions due to security concerns, there are interoperability reasons for specifying specific versions. E.g., embedded systems with poor implementations of specific protocol versions.
This is cherry-picked and further developed in #654
These patches allow EM code to disable SSLv2, or force TLSv1 only.
Usage:
:min_version is case insensitive and can be :sslv2 (any, default), :sslv3 (disables SSLv2), or :tlsv1 (TLSv1 only). This is backwards compatible and the default is the same as before (:min_version => :SSLv2). @tmaher can fill us in with reasons why someone would want to completely disable SSLv2 and/or SSLv3 nowadays.
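As an added illustration (not eventmachine's code from this pull request), the Ruby below models the :min_version semantics described above, mapping the case-insensitive symbol to the OpenSSL OP_NO_* options that disable every older protocol, and beside it the explicit allow-list @sodabrew suggests, which can express disabling a single "middle" version where a minimum cannot. The PROTOCOLS ordering, the function names and the :tlsv1_1/:tlsv1_2 symbols are assumptions made for this example.

```ruby
require 'openssl'

# Protocol versions ordered oldest first (assumed ordering for this example).
PROTOCOLS = %i[sslv2 sslv3 tlsv1 tlsv1_1 tlsv1_2].freeze

# Each protocol and the OpenSSL option that switches it off in an SSLContext.
NO_OPTION = {
  sslv2:   OpenSSL::SSL::OP_NO_SSLv2,
  sslv3:   OpenSSL::SSL::OP_NO_SSLv3,
  tlsv1:   OpenSSL::SSL::OP_NO_TLSv1,
  tlsv1_1: OpenSSL::SSL::OP_NO_TLSv1_1,
  tlsv1_2: OpenSSL::SSL::OP_NO_TLSv1_2,
}.freeze

# :min_version as described in the PR: a case-insensitive symbol naming the
# oldest protocol still accepted; everything older than it is disabled.
def min_version_disabled(min_version)
  key = min_version.to_s.downcase.to_sym
  idx = PROTOCOLS.index(key)
  raise ArgumentError, "unknown version #{min_version.inspect}" if idx.nil?
  PROTOCOLS[0...idx]
end

# The alternative raised in the thread: an explicit allow-list. Unlike a
# minimum, it can disable one broken middle version (e.g. TLSv1.1) while
# keeping both its neighbours.
def allow_list_disabled(allowed)
  allowed = allowed.map { |v| v.to_s.downcase.to_sym }
  unknown = allowed - PROTOCOLS
  raise ArgumentError, "unknown version(s) #{unknown.inspect}" unless unknown.empty?
  PROTOCOLS - allowed
end

# Fold a list of disabled protocols into the bitmask for SSLContext#options.
def ssl_options_for(disabled)
  disabled.inject(0) { |mask, proto| mask | NO_OPTION.fetch(proto) }
end

# Build a context that refuses the given protocols.
def context_with(disabled)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.options |= ssl_options_for(disabled)
  ctx
end
```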