Make SSLv2 harder to use.

SSLv2 is already disabled by options and ciphers by default. Now
httpclient doesn't even try to connect with SSLv2.
commit 508e6b6d578d54d8bd03bfed099057f217127277 1 parent e920a5f
@nahi authored
Showing with 1 addition and 2 deletions.
  1. +1 −2  lib/httpclient/ssl_config.rb
3  lib/httpclient/ssl_config.rb
@@ -82,8 +82,7 @@ def initialize(client)
@verify_callback = nil
@dest = nil
@timeout = nil
- # TODO: change to "SSLv3" in future versions to make harder to use SSLv2.
- @ssl_version = "SSLv23"
+ @ssl_version = "SSLv3"
@options = defined?(SSL::OP_ALL) ? SSL::OP_ALL | SSL::OP_NO_SSLv2 : nil
# OpenSSL 0.9.8 default: "ALL:!ADH:!LOW:!EXP:!MD5:+SSLv2:@STRENGTH"
@ciphers = "ALL:!aNULL:!eNULL:!SSLv2" # OpenSSL >1.0.0 default
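
Review bot: On the added `@ssl_version = "SSLv3"` line, the value pins the context to the SSLv3-only method, so TLSv1 is dropped along with SSLv2 and a server that only speaks TLSv1 can no longer be reached. The unchanged `@options` line right below already sets `SSL::OP_NO_SSLv2` and `@ciphers` already carries `!SSLv2`, so `"SSLv23"` combined with those two settings excludes SSLv2 while still negotiating SSLv3 and TLSv1. Suggest keeping `@ssl_version = "SSLv23"` and replacing the removed TODO with a comment stating that SSLv2 is excluded through `@options` and `@ciphers`. That comment should also cover the branch where `SSL::OP_ALL` is not defined and `@options` is `nil`, since there only the `!SSLv2` cipher filter applies.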

1 comment on commit 508e6b6

@ippeiukai

This change broke our code because this excludes TLSv1, and in return the SNI (#49).

http://doc.ruby-lang.org/ja/1.9.3/method/OpenSSL=3a=3aSSL=3a=3aSSLContext/s/new.html

・'SSLv3': SSLv3, for both server and client
・'SSLv23': SSLv2, SSLv3/TLSv1, for both server and client
To disable SSLv2 and enable both SSLv3 and TLSv1, specify 'SSLv23' and set OpenSSL::SSL::OP_NO_SSLv2 with OpenSSL::SSL::SSLContext#options=.

will submit a pull req when I have time.
