Class: OpenSSL::SSL::SSLContext

Inherits:
Object
  • Object
Defined in:
lib/openssl/ssl.rb

Constant Summary

# Baseline settings applied by #set_params; any key may be overridden by the
# caller. Points a security reviewer would want on record:
#   * :min_version is TLS 1.0, so TLS 1.0/1.1 (deprecated by RFC 8996) remain
#     negotiable unless the caller raises the bound to TLS1_2_VERSION.
#   * :verify_mode is VERIFY_PEER, i.e. the certificate chain is validated,
#     but :verify_hostname stays nil, so the certificate is NOT matched against
#     the requested host name by default (see the TODO below).
#   * :options adds OP_NO_COMPRESSION on top of OP_ALL, i.e. TLS compression
#     is switched off (the usual CRIME mitigation).
DEFAULT_PARAMS = { # :nodoc:
  min_version:     OpenSSL::SSL::TLS1_VERSION,
  verify_mode:     OpenSSL::SSL::VERIFY_PEER,
  # TODO: true needs JRuby support to call verify_certificate_identity
  verify_hostname: nil,
  options:         OpenSSL::SSL::OP_ALL | OpenSSL::SSL::OP_NO_COMPRESSION
}
# Fallback supplier of ephemeral DH parameters (the callback mechanism itself
# is deprecated since 3.0 in favour of #tmp_dh=, see #tmp_dh_callback).
# It ignores both the export flag and the requested key length and always
# returns the shared DEFAULT_2048 group (presumably a 2048-bit group, per its
# name), so an "export"-strength request can never downgrade the DH size.
# The notice is printed only when $VERBOSE is set.
DEFAULT_TMP_DH_CALLBACK = ->(_ctx, _is_export, _keylen) do # :nodoc:
  warn "using default DH parameters." if $VERBOSE
  DEFAULT_2048
end
# Trust store that #set_params installs when verification is on and the caller
# supplied none of ca_file / ca_path / cert_store. Two caveats:
#   * It is ONE shared object assigned by reference, so certificates added to
#     it from anywhere affect every context that received it.
#   * As shown on this page it is only instantiated; the page does not show it
#     being populated (e.g. from the system's default paths).
#     NOTE(review): confirm that happens elsewhere — an empty store with
#     VERIFY_PEER rejects every peer (fail-closed) rather than accepting any.
DEFAULT_CERT_STORE = ::OpenSSL::X509::Store.new # :nodoc:


Instance Attribute Details

#servername_cb ⇒ Object

A callback invoked at connect time to distinguish between multiple server names.

The callback is invoked with an SSLSocket and a server name. The callback must return an SSLContext for the server name or nil.



# File 'lib/openssl/ssl.rb', line 107

# Returns the server-name selection callback, or nil if none was registered.
# The callback is handed the SSLSocket and the requested server name and must
# answer with the SSLContext to use for that name, or nil. Any context it
# returns should carry the same verification/protocol hardening as this one,
# since it is the one presumably used for the remainder of the handshake.
def servername_cb; @servername_cb; end

#tmp_dh_callback ⇒ Object

A callback invoked when DH parameters are required for ephemeral DH key exchange.

The callback is invoked with the SSLSocket, a flag indicating whether an export cipher is in use, and the required key length.

The callback must return an OpenSSL::PKey::DH instance of the correct key length.

Deprecated in version 3.0. Use #tmp_dh= instead.



# File 'lib/openssl/ssl.rb', line 100

# Returns the callback that supplies ephemeral DH parameters, or nil if none
# was set. The callback receives the SSLSocket, an export-cipher flag and the
# required key length and must return an OpenSSL::PKey::DH of that length.
# Deprecated since 3.0: prefer #tmp_dh=, which fixes the group up front
# instead of choosing it per handshake.
def tmp_dh_callback; @tmp_dh_callback; end

Instance Method Details

#max_version=(version) ⇒ Object

call-seq:

ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION
ctx.max_version = :TLS1_2
ctx.max_version = nil

Sets the upper bound of the supported SSL/TLS protocol version. See #min_version= for the possible values.



# File 'lib/openssl/ssl.rb', line 182

# Sets the upper protocol bound (see #min_version= for the accepted forms);
# nil removes the cap, leaving whatever the underlying library allows.
# The current lower bound is re-applied together with the new cap so the pair
# stays consistent in the underlying library. The `||= nil` merely ensures the
# ivar exists (presumably to avoid an uninitialized-ivar warning) when
# #min_version= has never been called.
def max_version=(version)
  lower = (@min_proto_version ||= nil)
  set_minmax_proto_version(lower, version)
  @max_proto_version = version
end

#min_version=(version) ⇒ Object

call-seq:

ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION
ctx.min_version = :TLS1_2
ctx.min_version = nil

Sets the lower bound on the supported SSL/TLS protocol version. The version may be specified by an integer constant named OpenSSL::SSL::*_VERSION, a Symbol (e.g. :TLS1_2), or nil, which means “any version” — i.e. no lower bound beyond whatever the underlying library itself still permits.

Be careful not to overwrite the OpenSSL::SSL::OP_NO_SSLv*/OP_NO_TLSv* options via #options= after calling #min_version= or #max_version=: the version bounds may be realised through those option bits, so replacing them can silently re-enable protocol versions you meant to exclude.

Example (the TLS 1.1 lower bound below is for illustration only; TLS 1.0 and 1.1 are deprecated by RFC 8996, so production code should normally use OpenSSL::SSL::TLS1_2_VERSION as the minimum)

ctx = OpenSSL::SSL::SSLContext.new
ctx.min_version = OpenSSL::SSL::TLS1_1_VERSION
ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION

sock = OpenSSL::SSL::SSLSocket.new(tcp_sock, ctx)
sock.connect # Initiates a connection using either TLS 1.1 or TLS 1.2


# File 'lib/openssl/ssl.rb', line 170

# Sets the lower protocol bound; nil lifts it entirely, leaving whatever the
# library still allows (possibly deprecated TLS 1.0/1.1 — prefer
# TLS1_2_VERSION). The current upper bound is re-applied alongside so the pair
# stays consistent; `||= nil` merely ensures the ivar exists (presumably to
# avoid an uninitialized-ivar warning) when #max_version= was never called.
def min_version=(version)
  upper = (@max_proto_version ||= nil)
  set_minmax_proto_version(version, upper)
  @min_proto_version = version
end

#set_params(params = {}) ⇒ Object

call-seq:

ctx.set_params(params = {}) -> params

Applies saner defaults (DEFAULT_PARAMS), optimized for use with HTTP-like protocols. Note that these defaults enable certificate-chain verification (VERIFY_PEER) but, as defined here, leave verify_hostname unset; pass verify_hostname: true explicitly when the certificate must match the requested host name.

If a Hash params is given, the defaults are overridden with it. Each key in params must name an assignment method on SSLContext (the value is passed to `key=` via __send__), so params should come from trusted code, never from untrusted input.

If the verify_mode is not VERIFY_NONE and none of ca_file, ca_path and cert_store is set, the shared system default certificate store (DEFAULT_CERT_STORE) is installed as cert_store.



# File 'lib/openssl/ssl.rb', line 138

# Applies DEFAULT_PARAMS, overridden by +params+, to this context and returns
# the merged hash (with :options already removed from it).
#
# Security-relevant details:
#   * :options is applied first because the version setters run afterwards
#     and #options= could otherwise clobber the bounds (see #min_version=).
#   * Every remaining key is dispatched via __send__ to "#{key}=", which can
#     reach private setters too — keys must come from trusted code, never from
#     untrusted input.
#   * Unless verification was switched off (VERIFY_NONE) a trust store is
#     guaranteed: ca_file / ca_path / cert_store are left alone when the caller
#     set any of them, otherwise the shared DEFAULT_CERT_STORE is installed.
#   * The defaults verify the chain but not the host name (DEFAULT_PARAMS
#     leaves :verify_hostname nil); pass verify_hostname: true if the peer's
#     identity matters.
def set_params(params={})
  merged = DEFAULT_PARAMS.merge(params)
  # Must precede the min_version/max_version setters.
  self.options = merged.delete(:options)
  merged.each do |attr, value|
    __send__("#{attr}=", value)
  end
  verifying = self.verify_mode != OpenSSL::SSL::VERIFY_NONE
  if verifying && !(self.ca_file || self.ca_path || self.cert_store)
    self.cert_store = DEFAULT_CERT_STORE
  end
  merged
end