
Make SSLv2 harder to use.

SSLv2 is already disabled by options and ciphers by default. Now
httpclient doesn't even try to connect with SSLv2.
1 parent e920a5f commit 508e6b6d578d54d8bd03bfed099057f217127277 @nahi committed Oct 8, 2012
Showing with 1 addition and 2 deletions.
  1. +1 −2 lib/httpclient/ssl_config.rb
@@ -82,8 +82,7 @@ def initialize(client)
@verify_callback = nil
@dest = nil
@timeout = nil
- # TODO: change to "SSLv3" in future versions to make harder to use SSLv2.
- @ssl_version = "SSLv23"
+ @ssl_version = "SSLv3"
@options = defined?(SSL::OP_ALL) ? SSL::OP_ALL | SSL::OP_NO_SSLv2 : nil
# OpenSSL 0.9.8 default: "ALL:!ADH:!LOW:!EXP:!MD5:+SSLv2:@STRENGTH"
@ciphers = "ALL:!aNULL:!eNULL:!SSLv2" # OpenSSL >1.0.0 default
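Review bot: Changing `@ssl_version` from `"SSLv23"` to `"SSLv3"` pins the context to the SSLv3 method, which in Ruby's OpenSSL binding means SSLv3 only, so TLSv1 is no longer negotiated and TLS-only features such as SNI stop working for every httpclient user; the line that follows already sets `SSL::OP_NO_SSLv2` in `@options` and the cipher string excludes `!SSLv2`, so the goal stated in the commit message (never attempting SSLv2) is reached by keeping `"SSLv23"` together with those two settings. Suggest reverting to `@ssl_version = "SSLv23"` and, in place of the removed TODO, adding a comment stating that SSLv2 is excluded via `OP_NO_SSLv2` and the cipher string rather than by the method choice.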

1 comment on commit 508e6b6

This change broke our code because this excludes TLSv1, and in turn SNI (#49).

http://doc.ruby-lang.org/ja/1.9.3/method/OpenSSL=3a=3aSSL=3a=3aSSLContext/s/new.html

・'SSLv3': for both SSLv3 servers and clients
・'SSLv23': for both SSLv2/3 and TLSv1 servers and clients
To disable SSLv2 and enable both SSLv3 and TLSv1, specify 'SSLv23' and set OpenSSL::SSL::OP_NO_SSLv2 with OpenSSL::SSL::SSLContext#options=.

will submit a pull req when I have time.
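As an added example, not code from httpclient or from the commenter above: an in-process Ruby handshake over a socket pair whose client context is built the way the comment recommends ("SSLv23" plus OP_NO_SSLv2). It shows what that configuration preserves and the "SSLv3" setting from the commit loses: a TLS version is negotiated and the SNI hostname reaches the server's servername callback. The hostname `example.test`, the self-signed certificate and the helper names are constructed for this example; the "SSLv3" method itself cannot be exercised here because OpenSSL builds since 1.1.0 disable SSLv3 by default.

```ruby
require 'openssl'
require 'socket'

# Throwaway self-signed certificate for the in-process server below.
# Constructed for this example; a real server uses a CA-issued certificate.
def make_self_signed(common_name)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer = cert.subject
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Client context configured as the comment on the commit recommends:
# the version-negotiating "SSLv23" method, with SSLv2 switched off through
# OP_NO_SSLv2, so TLSv1 and later remain available to the handshake.
def client_context
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.ssl_version = 'SSLv23'
  ctx.options |= OpenSSL::SSL::OP_NO_SSLv2 if defined?(OpenSSL::SSL::OP_NO_SSLv2)
  # Test harness only: the server certificate is self-signed and the point
  # of the example is protocol/SNI negotiation, not chain validation.
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
  ctx
end

# Performs one handshake over a UNIX socket pair and reports what the server
# saw: the SNI hostname the client sent and the protocol that was negotiated.
def handshake_with_sni(hostname)
  cert, key = make_self_signed(hostname)
  seen = {}

  server_ctx = OpenSSL::SSL::SSLContext.new
  server_ctx.cert = cert
  server_ctx.key = key
  # Record the server_name extension; returning nil keeps the current context.
  server_ctx.servername_cb = proc { |_ssl, name| seen[:sni] = name; nil }

  server_io, client_io = UNIXSocket.pair
  server = Thread.new do
    ssl = OpenSSL::SSL::SSLSocket.new(server_io, server_ctx)
    ssl.accept
    seen[:server_version] = ssl.ssl_version
    ssl.close
  end

  ssl = OpenSSL::SSL::SSLSocket.new(client_io, client_context)
  ssl.hostname = hostname # puts the SNI extension on the ClientHello
  ssl.connect
  seen[:client_version] = ssl.ssl_version
  ssl.close
  server.join
  server_io.close
  client_io.close
  seen
end

if $PROGRAM_NAME == __FILE__
  p handshake_with_sni('example.test')
end
```

The returned hash carries the hostname the server received through `servername_cb` and the negotiated protocol string on both sides; with a context pinned to "SSLv3" no such TLS negotiation takes place and the callback is never reached, which is the breakage the comment reports.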
