From 77c3db2d6587d6430e16c9d01611bda9ccf65e70 Mon Sep 17 00:00:00 2001
From: Kazuki Yamaguchi
Date: Wed, 12 Jun 2024 03:01:54 +0900
Subject: [PATCH] ssl: do not clear existing SSL options in SSLContext#set_params

Apply SSL options set in DEFAULT_PARAMS without clearing existing options. It currently clears options in order to avoid setting one of the options included in OpenSSL::SSL::OP_ALL unless explicitly specified, namely OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS. Now that OpenSSL::SSL::OP_ALL has been removed from SSLContext#initialize, it is no longer necessary.
---
 lib/openssl/ssl.rb | 2 +-
 test/openssl/test_ssl.rb | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/lib/openssl/ssl.rb b/lib/openssl/ssl.rb
index f28239bab..d6cb260f9 100644
--- a/lib/openssl/ssl.rb
+++ b/lib/openssl/ssl.rb
@@ -144,7 +144,7 @@ def initialize(version = nil)
 # used.
 def set_params(params={})
 params = DEFAULT_PARAMS.merge(params)
- self.options = params.delete(:options) # set before min_version/max_version
+ self.options |= params.delete(:options) # set before min_version/max_version
 params.each{|name, value| self.__send__("#{name}=", value) }
 if self.verify_mode != OpenSSL::SSL::VERIFY_NONE
 unless self.ca_file or self.ca_path or self.cert_store
diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb
index 088bd602c..459efcc18 100644
--- a/test/openssl/test_ssl.rb
+++ b/test/openssl/test_ssl.rb
@@ -57,6 +57,8 @@ def test_ctx_options_config
 assert_separately([{ "OPENSSL_CONF" => f.path }, "-ropenssl"], <<~"end;")
 ctx = OpenSSL::SSL::SSLContext.new
 assert_equal OpenSSL::SSL::OP_NO_TICKET, ctx.options & OpenSSL::SSL::OP_NO_TICKET
+ ctx.set_params
+ assert_equal OpenSSL::SSL::OP_NO_TICKET, ctx.options & OpenSSL::SSL::OP_NO_TICKET
 end;
 }
 end
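Review bot: On the changed line in set_params, `self.options |= params.delete(:options)` raises TypeError when a caller passes `options: nil`, because `Integer#|` does not accept nil; the plain assignment it replaces handed nil to the setter instead (how the setter treats nil is not visible in this hunk). If nil should stay harmless, guard it with `opts = params.delete(:options)` followed by `self.options |= opts if opts`. The semantics also change from replace to add, so `set_params(options: x)` can no longer clear a flag already set on the context, for example by the system OpenSSL configuration. The method comment, which starts above the hunk, should state that `:options` is OR'd into the existing options and that clearing a flag requires assigning `ctx.options` directly. The body of set_params continues past the end of the hunk.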
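Review bot: The two added lines in test_ctx_options_config cover only the preservation half of the change: they show that OP_NO_TICKET from the config file survives `ctx.set_params`, but not that the DEFAULT_PARAMS options were actually OR'd in. A second check would pin that, for example `defaults = OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:options]` and `assert_equal defaults, ctx.options & defaults`. A call with an explicit `options:` argument would also document the additive behaviour for caller-supplied flags. The test method starts before the hunk, so the config file contents are not visible here and the expected bits should be checked against them.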