Warn if TLS 1.2 is not supported

Edouard-chin · Edouard-chin · commit e4f70a3e4fac · 2025-04-10T22:52:37.000+02:00
diff --git a/bundler/exe/ssl_check.rb b/bundler/exe/ssl_check.rb
@@ -29,23 +29,3 @@
 puts "Ruby:          %s" % ruby_version
 puts "RubyGems:      %s" % Gem::VERSION if defined?(Gem::VERSION)
 puts "Bundler:       %s" % Bundler::VERSION if defined?(Bundler::VERSION)
-
-def tls12_supported?
-  ctx = OpenSSL::SSL::SSLContext.new
-  if ctx.methods.include?(:min_version=)
-    ctx.min_version = ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION
-    true
-  else
-    OpenSSL::SSL::SSLContext::METHODS.include?(:TLSv1_2)
-  end
-rescue
-end
-
-# We were able to connect, but perhaps this Ruby will have trouble when we require TLSv1.2
-unless tls12_supported?
-  puts "\nWARNING: Although your Ruby can connect to #{host} today, your OpenSSL is very old! 👴",
-         "WARNING: You will need to upgrade OpenSSL to use #{host}."
-  exit 1
-end
-
-exit 0
diff --git a/bundler/lib/bundler/cli/doctor/ssl.rb b/bundler/lib/bundler/cli/doctor/ssl.rb
@@ -105,6 +105,7 @@ def net_http_connection_successful?
       end.start
 
       Bundler.ui.info("Ruby net/http: success")
+      warn_on_unsupported_tls12
 
       true
     rescue StandardError => error
@@ -119,6 +120,28 @@ def net_http_connection_successful?
       false
     end
 
+    def warn_on_unsupported_tls12
+      ctx = OpenSSL::SSL::SSLContext.new
+      supported = true
+
+      if ctx.respond_to?(:min_version=)
+        begin
+          ctx.min_version = ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION
+        rescue OpenSSL::SSL::SSLError, NameError
+          supported = false
+        end
+      else
+        supported = OpenSSL::SSL::SSLContext::METHODS.include?(:TLSv1_2) # rubocop:disable Naming/VariableNumber
+      end
+
+      Bundler.ui.warn(<<~EOM) unless supported
+
+        WARNING: Although your Ruby can connect to #{host} today, your OpenSSL is very old!
+        WARNING: You will need to upgrade OpenSSL to use #{host}.
+
+      EOM
+    end
+
     module Explanation
       extend self
 
diff --git a/bundler/spec/commands/ssl_spec.rb b/bundler/spec/commands/ssl_spec.rb
@@ -334,5 +334,39 @@ def connect
       expect(net_http.min_version.to_s).to eq("TLS1_3")
       expect(net_http.max_version.to_s).to eq("TLS1_3")
     end
+
+    it "warns when TLS1.2 is not supported" do
+      expected_out = <<~MSG
+        Here's your OpenSSL environment:
+
+        OpenSSL:       #{OpenSSL::VERSION}
+        Compiled with: #{OpenSSL::OPENSSL_VERSION}
+        Loaded with:   #{OpenSSL::OPENSSL_LIBRARY_VERSION}
+
+        Trying connections to https://rubygems.org:
+        Bundler:       success
+        RubyGems:      success
+        Ruby net/http: success
+
+        Hooray! This Ruby can connect to rubygems.org.
+        You are all set to use Bundler and RubyGems.
+
+      MSG
+
+      expected_err = <<~MSG
+
+        WARNING: Although your Ruby can connect to rubygems.org today, your OpenSSL is very old!
+        WARNING: You will need to upgrade OpenSSL to use rubygems.org.
+
+      MSG
+
+      previous_version = OpenSSL::SSL::TLS1_2_VERSION
+      OpenSSL::SSL.send(:remove_const, :TLS1_2_VERSION)
+
+      subject = Bundler::CLI::Doctor::SSL.new({})
+      expect { subject.run }.to output(expected_out).to_stdout.and output(expected_err).to_stderr
+    ensure
+      OpenSSL::SSL.const_set(:TLS1_2_VERSION, previous_version)
+    end
   end
 end
