Add :ssl_min_version and :ssl_max_version options

Replace :ssl_version option with these two new options. These provide
access to OpenSSL::SSL::SSLContext#{min,max}_version=, which is the
recommended way to specify SSL/TLS protocol versions.
This commit is contained in:
Kazuki Yamaguchi 2022-10-08 01:54:35 +09:00 коммит произвёл Hiroshi SHIBATA
Родитель ced1d17280
Коммит 4e29ca0c40
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: F9CF13417264FAC2
2 изменённых файлов: 37 добавлений и 23 удалений

Просмотреть файл

@ -99,7 +99,8 @@ module OpenURI
:open_timeout => true,
:ssl_ca_cert => nil,
:ssl_verify_mode => nil,
:ssl_version => nil,
:ssl_min_version => nil,
:ssl_max_version => nil,
:ftp_active_mode => false,
:redirect => true,
:encoding => nil,
@ -299,8 +300,8 @@ module OpenURI
require 'net/https'
http.use_ssl = true
http.verify_mode = options[:ssl_verify_mode] || OpenSSL::SSL::VERIFY_PEER
http.ssl_version = options[:ssl_version] if options[:ssl_version] &&
OpenSSL::SSL::SSLContext::METHODS.include?(options[:ssl_version])
http.min_version = options[:ssl_min_version]
http.max_version = options[:ssl_max_version]
store = OpenSSL::X509::Store.new
if options[:ssl_ca_cert]
Array(options[:ssl_ca_cert]).each do |cert|
@ -702,6 +703,20 @@ module OpenURI
#
# :ssl_verify_mode is used to specify openssl verify mode.
#
# [:ssl_min_version]
# Synopsis:
# :ssl_min_version=>:TLS1_2
#
# :ssl_min_version option specifies the minimum allowed SSL/TLS protocol
# version. See also OpenSSL::SSL::SSLContext#min_version=.
#
# [:ssl_max_version]
# Synopsis:
# :ssl_max_version=>:TLS1_2
#
# :ssl_max_version option specifies the maximum allowed SSL/TLS protocol
# version. See also OpenSSL::SSL::SSLContext#max_version=.
#
# [:ftp_active_mode]
# Synopsis:
# :ftp_active_mode=>bool

Просмотреть файл

@ -92,26 +92,6 @@ class TestOpenURISSL
}
end
def test_validation_ssl_version
with_https {|srv, dr, url|
setup_validation(srv, dr)
URI.open("#{url}/data", :ssl_verify_mode => OpenSSL::SSL::VERIFY_NONE, :ssl_version => :TLSv1_2) {|f|
assert_equal("200", f.status[0])
assert_equal("ddd", f.read)
}
}
end
def test_validate_bad_ssl_version_silently
with_https {|srv, dr, url|
setup_validation(srv, dr)
URI.open("#{url}/data", :ssl_verify_mode => OpenSSL::SSL::VERIFY_NONE, :ssl_version => :TLS_no_such_version) {|f|
assert_equal("200", f.status[0])
assert_equal("ddd", f.read)
}
}
end
def test_validation_failure
unless /mswin|mingw/ =~ RUBY_PLATFORM
# on Windows, Errno::ECONNRESET will be raised, and it'll be eaten by
@ -127,6 +107,25 @@ class TestOpenURISSL
}
end
def test_ssl_min_version
with_https {|srv, dr, url|
setup_validation(srv, dr)
URI.open("#{url}/data", :ssl_verify_mode => OpenSSL::SSL::VERIFY_NONE, :ssl_min_version => :TLS1_2) {|f|
assert_equal("200", f.status[0])
assert_equal("ddd", f.read)
}
}
end
def test_bad_ssl_version
with_https(nil) {|srv, dr, url|
setup_validation(srv, dr)
assert_raise(ArgumentError) {
URI.open("#{url}/data", :ssl_verify_mode => OpenSSL::SSL::VERIFY_NONE, :ssl_min_version => :TLS_no_such_version) {}
}
}
end
def with_https_proxy(proxy_log_tester=lambda {|proxy_log, proxy_access_log| assert_equal([], proxy_log) })
proxy_log = []
proxy_logger = WEBrick::Log.new(proxy_log, WEBrick::BasicLog::WARN)