

ssl: do not enable OpenSSL::SSL::OP_ALL by default
Respect the SSL options set by default by SSL_CTX() and by the
system-wide OpenSSL configuration file.

OpenSSL::SSL::SSLContext#initialize currently adds OpenSSL::SSL::OP_ALL
on top of the default SSL options. Let's stop doing it.

OpenSSL::SSL::OP_ALL is a set of options that changes OpenSSL's behavior
to work around various TLS implementation bugs. Using it is usually
considered safe, but it is not completely harmless.
rhenium committed Sep 5, 2024
1 parent 9120fcd commit 00bec0d
Showing 2 changed files with 30 additions and 3 deletions.
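--- a/lib/openssl/ssl.rb
+++ b/lib/openssl/ssl.rb
@@ -125,7 +125,6 @@ class SSLContext
 # that this form is deprecated. New applications should use #min_version=
 # and #max_version= as necessary.
 def initialize(version = nil)
-self.options |= OpenSSL::SSL::OP_ALL
 self.ssl_version = version if version
 self.verify_mode = OpenSSL::SSL::VERIFY_NONE
 self.verify_hostname = false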
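Review bot: The doc comment immediately above `def initialize(version = nil)` still describes only the deprecated `version` argument, so nothing at the method documents that a fresh context's options now come straight from OpenSSL's SSL_CTX defaults plus whatever the system-wide configuration sets. I would add above the method: `# Options are left at the SSL_CTX defaults, which honour the system_default section of OPENSSL_CONF; OP_ALL is no longer OR'd in, so callers that need its interoperability workarounds must set it themselves.` Since OP_ALL includes, among others, the bit that disables OpenSSL's CBC empty-fragment countermeasure, dropping it also changes the default security posture slightly in the safer direction, which is worth stating in the release notes. The rest of `initialize` continues below the hunk.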
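--- a/test/openssl/test_ssl.rb
+++ b/test/openssl/test_ssl.rb
@@ -15,11 +15,16 @@ def test_bad_socket
 end
 end
 
+def test_ctx_setup
+ctx = OpenSSL::SSL::SSLContext.new
+assert_equal true, ctx.setup
+assert_predicate ctx, :frozen?
+assert_equal nil, ctx.setup
+end
+
 def test_ctx_options
 ctx = OpenSSL::SSL::SSLContext.new
 
-assert (OpenSSL::SSL::OP_ALL & ctx.options) == OpenSSL::SSL::OP_ALL,
-"OP_ALL is set by default"
 ctx.options = 4
 assert_equal 4, ctx.options & 4
 if ctx.options != 4
@@ -33,6 +38,29 @@ def test_ctx_options
 assert_equal nil, ctx.setup
 end
 
+def test_ctx_options_config
+omit "LibreSSL does not support OPENSSL_CONF" if libressl?
+omit "OpenSSL < 1.1.1 does not support system_default" if openssl? && !openssl?(1, 1, 1)
+
+Tempfile.create("openssl.cnf") { |f|
+f.puts(<<~EOF)
+openssl_conf = default_conf
+[default_conf]
+ssl_conf = ssl_sect
+[ssl_sect]
+system_default = ssl_default_sect
+[ssl_default_sect]
+Options = -SessionTicket
+EOF
+f.close
+
+assert_separately([{ "OPENSSL_CONF" => f.path }, "-ropenssl"], <<~"end;")
+ctx = OpenSSL::SSL::SSLContext.new
+assert_equal OpenSSL::SSL::OP_NO_TICKET, ctx.options & OpenSSL::SSL::OP_NO_TICKET
+end;
+}
+end
+
 def test_ssl_with_server_cert
 ctx_proc = -> ctx {
 ctx.cert = @svr_cert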
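Review bot: After the `"OP_ALL is set by default"` assertion is removed from test_ctx_options, no test asserts the inverse — that a fresh SSLContext no longer has OP_ALL OR'd in by Ruby — so the commit's headline change has no direct regression coverage. The natural place is the `assert_separately` child in test_ctx_options_config, where OPENSSL_CONF is under the test's control; next to the OP_NO_TICKET check I would add `assert_not_equal OpenSSL::SSL::OP_ALL, ctx.options & OpenSSL::SSL::OP_ALL`, which holds as long as OpenSSL's own SSL_CTX defaults do not set every OP_ALL bit (worth confirming against the versions in CI). A one-line comment above test_ctx_options_config stating that it exercises the `system_default` section of the config file would also help, since the heredoc is currently the only hint of what is being tested. Note that the two omit guards skip this test on LibreSSL and OpenSSL < 1.1.1, so the default-options behaviour would stay unverified there.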
