зеркало из https://github.com/github/ruby.git
Add :ssl_min_version and :ssl_max_version options
Replace :ssl_version option with these two new options. These provide access to OpenSSL::SSL::SSLContext#{min,max}_version=, which is the recommended way to specify SSL/TLS protocol versions.
This commit is contained in:
Родитель
ced1d17280
Коммит
4e29ca0c40
|
@ -99,7 +99,8 @@ module OpenURI
|
|||
:open_timeout => true,
|
||||
:ssl_ca_cert => nil,
|
||||
:ssl_verify_mode => nil,
|
||||
:ssl_version => nil,
|
||||
:ssl_min_version => nil,
|
||||
:ssl_max_version => nil,
|
||||
:ftp_active_mode => false,
|
||||
:redirect => true,
|
||||
:encoding => nil,
|
||||
|
@ -299,8 +300,8 @@ module OpenURI
|
|||
require 'net/https'
|
||||
http.use_ssl = true
|
||||
http.verify_mode = options[:ssl_verify_mode] || OpenSSL::SSL::VERIFY_PEER
|
||||
http.ssl_version = options[:ssl_version] if options[:ssl_version] &&
|
||||
OpenSSL::SSL::SSLContext::METHODS.include?(options[:ssl_version])
|
||||
http.min_version = options[:ssl_min_version]
|
||||
http.max_version = options[:ssl_max_version]
|
||||
store = OpenSSL::X509::Store.new
|
||||
if options[:ssl_ca_cert]
|
||||
Array(options[:ssl_ca_cert]).each do |cert|
|
||||
|
@ -702,6 +703,20 @@ module OpenURI
|
|||
#
|
||||
# :ssl_verify_mode is used to specify openssl verify mode.
|
||||
#
|
||||
# [:ssl_min_version]
|
||||
# Synopsis:
|
||||
# :ssl_min_version=>:TLS1_2
|
||||
#
|
||||
# :ssl_min_version option specifies the minimum allowed SSL/TLS protocol
|
||||
# version. See also OpenSSL::SSL::SSLContext#min_version=.
|
||||
#
|
||||
# [:ssl_max_version]
|
||||
# Synopsis:
|
||||
# :ssl_max_version=>:TLS1_2
|
||||
#
|
||||
# :ssl_max_version option specifies the maximum allowed SSL/TLS protocol
|
||||
# version. See also OpenSSL::SSL::SSLContext#max_version=.
|
||||
#
|
||||
# [:ftp_active_mode]
|
||||
# Synopsis:
|
||||
# :ftp_active_mode=>bool
|
||||
|
|
|
@ -92,26 +92,6 @@ class TestOpenURISSL
|
|||
}
|
||||
end
|
||||
|
||||
def test_validation_ssl_version
|
||||
with_https {|srv, dr, url|
|
||||
setup_validation(srv, dr)
|
||||
URI.open("#{url}/data", :ssl_verify_mode => OpenSSL::SSL::VERIFY_NONE, :ssl_version => :TLSv1_2) {|f|
|
||||
assert_equal("200", f.status[0])
|
||||
assert_equal("ddd", f.read)
|
||||
}
|
||||
}
|
||||
end
|
||||
|
||||
def test_validate_bad_ssl_version_silently
|
||||
with_https {|srv, dr, url|
|
||||
setup_validation(srv, dr)
|
||||
URI.open("#{url}/data", :ssl_verify_mode => OpenSSL::SSL::VERIFY_NONE, :ssl_version => :TLS_no_such_version) {|f|
|
||||
assert_equal("200", f.status[0])
|
||||
assert_equal("ddd", f.read)
|
||||
}
|
||||
}
|
||||
end
|
||||
|
||||
def test_validation_failure
|
||||
unless /mswin|mingw/ =~ RUBY_PLATFORM
|
||||
# on Windows, Errno::ECONNRESET will be raised, and it'll be eaten by
|
||||
|
@ -127,6 +107,25 @@ class TestOpenURISSL
|
|||
}
|
||||
end
|
||||
|
||||
def test_ssl_min_version
|
||||
with_https {|srv, dr, url|
|
||||
setup_validation(srv, dr)
|
||||
URI.open("#{url}/data", :ssl_verify_mode => OpenSSL::SSL::VERIFY_NONE, :ssl_min_version => :TLS1_2) {|f|
|
||||
assert_equal("200", f.status[0])
|
||||
assert_equal("ddd", f.read)
|
||||
}
|
||||
}
|
||||
end
|
||||
|
||||
def test_bad_ssl_version
|
||||
with_https(nil) {|srv, dr, url|
|
||||
setup_validation(srv, dr)
|
||||
assert_raise(ArgumentError) {
|
||||
URI.open("#{url}/data", :ssl_verify_mode => OpenSSL::SSL::VERIFY_NONE, :ssl_min_version => :TLS_no_such_version) {}
|
||||
}
|
||||
}
|
||||
end
|
||||
|
||||
def with_https_proxy(proxy_log_tester=lambda {|proxy_log, proxy_access_log| assert_equal([], proxy_log) })
|
||||
proxy_log = []
|
||||
proxy_logger = WEBrick::Log.new(proxy_log, WEBrick::BasicLog::WARN)
|
||||
|
|
Загрузка…
Ссылка в новой задаче