8000 * lib/openssl/ssl.rb: Explicitly whitelist the default · github/ruby@5698d58 · GitHub
[go: up one dir, main page]
Skip to content

Commit 5698d58

Browse files
embossdbussink
emboss
authored and
dbussink
committed
* lib/openssl/ssl.rb: Explicitly whitelist the default
 SSL/TLS ciphers. Forbid SSLv2 and SSLv3, disable compression by default. Reported by Jeff Hodges. [ruby-core:59829] [Bug ruby#9424] git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@45274 b2dd03c8-39d4-4d8f-98ff-823fe69b080e Conflicts: ChangeLog ext/openssl/lib/openssl/ssl.rb
1 parent 165576c commit 5698d58

File tree

2 files changed

+50
-10
lines changed

2 files changed

+50
-10
lines changed

ChangeLog

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,3 +1,11 @@
1+
Thu Mar 6 10:33:31 2014 Martin Bosslet <Martin.Bosslet@gmail.com>
2+
3+
* lib/openssl/ssl.rb: Explicitly whitelist the default
4+
SSL/TLS ciphers. Forbid SSLv2 and SSLv3, disable
5+
compression by default.
6+
Reported by Jeff Hodges.
7+
[ruby-core:59829] [Bug #9424]
8+
19
Tue Jan 14 02:20:00 2014 Kenta Murata <mrkn@mrkn.jp>
210

311
* ext/bigdecimal/bigdecimal.c (BigDecimal_divide): Add an additional

ext/openssl/lib/openssl/ssl.rb

Lines changed: 42 additions & 10 deletions
Original file line numberDiff line numberDiff line change
@@ -20,19 +20,51 @@
2020
module OpenSSL
2121
module SSL
2222
class SSLContext
23-
options = OpenSSL::SSL::OP_ALL
24-
if defined?(OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS)
25-
options &= ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS
26-
end
27-
if defined?(OpenSSL::SSL::OP_NO_COMPRESSION)
28-
options |= OpenSSL::SSL::OP_NO_COMPRESSION
29-
end
30-
3123
DEFAULT_PARAMS = {
3224
:ssl_version => "SSLv23",
3325
:verify_mode => OpenSSL::SSL::VERIFY_PEER,
34-
:ciphers => "DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2:!ADH",
35-
:options => options,
26+
:ciphers => %w{
27+
ECDHE-ECDSA-AES128-GCM-SHA256
28+
ECDHE-RSA-AES128-GCM-SHA256
29+
ECDHE-ECDSA-AES256-GCM-SHA384
30+
ECDHE-RSA-AES256-GCM-SHA384
31+
DHE-RSA-AES128-GCM-SHA256
32+
DHE-DSS-AES128-GCM-SHA256
33+
DHE-RSA-AES256-GCM-SHA384
34+
DHE-DSS-AES256-GCM-SHA384
35+
ECDHE-ECDSA-AES128-SHA256
36+
ECDHE-RSA-AES128-SHA256
37+
ECDHE-ECDSA-AES128-SHA
38+
ECDHE-RSA-AES128-SHA
39+
ECDHE-ECDSA-AES256-SHA384
40+
ECDHE-RSA-AES256-SHA384
41+
ECDHE-ECDSA-AES256-SHA
42+
ECDHE-RSA-AES256-SHA
43+
DHE-RSA-AES128-SHA256
44+
DHE-RSA-AES256-SHA256
45+
DHE-RSA-AES128-SHA
46+
DHE-RSA-AES256-SHA
47+
DHE-DSS-AES128-SHA256
48+
DHE-DSS-AES256-SHA256
49+
DHE-DSS-AES128-SHA
50+
DHE-DSS-AES256-SHA
51+
AES128-GCM-SHA256
52+
AES256-GCM-SHA384
53+
AES128-SHA256
54+
AES256-SHA256
55+
AES128-SHA
56+
AES256-SHA
57+
ECDHE-ECDSA-RC4-SHA
58+
ECDHE-RSA-RC4-SHA
59+
RC4-SHA
60+
}.join(":"),
61+
:options => -> {
62+
opts = OpenSSL::SSL::OP_ALL
63+
opts &= ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS if defined?(OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS)
64+
opts |= OpenSSL::SSL::OP_NO_COMPRESSION if defined?(OpenSSL::SSL::OP_NO_COMPRESSION)
65+
opts |= OpenSSL::SSL::OP_NO_SSLv2 if defined?(OpenSSL::SSL::OP_NO_SSLv2)
66+
opts |= OpenSSL::SSL::OP_NO_SSLv3 if defined?(OpenSSL::SSL::OP_NO_SSLv3)
67+
}.call
3668
}
3769

3870
DEFAULT_CERT_STORE = OpenSSL::X509::Store.new

0 commit comments

Comments
 (0)
0