Option to restrict cipher suites for TLS1.3 #3343

Closed
willayton opened this issue Mar 13, 2024 · 0 comments · Fixed by #3359

willayton commented Mar 13, 2024

Is your feature request related to a problem? Please describe.
Puma currently has the ssl_cipher_filter or ssl_cipher_list options to specify allowed SSL ciphers. These options seem to only be passed through to OpenSSL's SSL_CTX_set_cipher_list function, which sets ciphers for TLS1.2 and below. https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_cipher_list.html

There is no way to restrict the cipher suites Puma uses for TLS1.3 connections; it always uses the OpenSSL defaults.

Describe the solution you'd like
A new Puma option to pass cipher suites to OpenSSL's SSL_CTX_set_ciphersuites function, which is used to configure TLS1.3 cipher suites.

Describe alternatives you've considered
Potentially the existing options could be used to pass the same cipher config to SSL_CTX_set_ciphersuites, but it's probably preferable to separate them.
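
The split between the two OpenSSL settings described in this issue can be observed with Ruby's standard `openssl` library, where `SSLContext#ciphers=` wraps SSL_CTX_set_cipher_list and `SSLContext#ciphersuites=` wraps SSL_CTX_set_ciphersuites. This is an added example, not Puma's code and not part of the original issue; it assumes Ruby 3.1+ (openssl gem 3.0+) linked against OpenSSL 1.1.1 or later, and the helper names and the allow-list are hypothetical.

```ruby
require "openssl"

TLS13 = "TLSv1.3"

# Build a context restricted through the legacy cipher list and,
# optionally, through the separate TLS 1.3 setting as well.
# Returns the enabled suite names split by protocol family.
def enabled_suites(cipher_list, tls13_suites = nil)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.ciphers = cipher_list                        # SSL_CTX_set_cipher_list
  ctx.ciphersuites = tls13_suites if tls13_suites  # SSL_CTX_set_ciphersuites
  # Each entry of ctx.ciphers is [name, protocol version, bits, alg bits].
  tls13, legacy = ctx.ciphers.partition { |c| c[1] == TLS13 }
  { legacy: legacy.map(&:first), tls13: tls13.map(&:first) }
end

# Suites that are enabled but absent from the allow-list (policy drift).
def unexpected_suites(enabled, allowed)
  (enabled[:legacy] + enabled[:tls13]) - allowed
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample policy: one TLS 1.2 suite and one TLS 1.3 suite.
  allowed = %w[ECDHE-RSA-AES256-GCM-SHA384 TLS_AES_256_GCM_SHA384]

  # Only the cipher list is set: TLS 1.3 stays at the OpenSSL defaults.
  list_only = enabled_suites("ECDHE-RSA-AES256-GCM-SHA384")
  puts "cipher list only: #{list_only.inspect}"
  puts "  outside policy: #{unexpected_suites(list_only, allowed).inspect}"

  # Both settings applied: each protocol family is restricted.
  both = enabled_suites("ECDHE-RSA-AES256-GCM-SHA384", "TLS_AES_256_GCM_SHA384")
  puts "both settings:    #{both.inspect}"
  puts "  outside policy: #{unexpected_suites(both, allowed).inspect}"
end
```
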
