Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Initial approach to allowing SSL context option passing #105

Open
wants to merge 5 commits into
base: master
Choose a base branch
from
Open

Initial approach to allowing SSL context option passing #105

wants to merge 5 commits into from

Conversation

rcuhljr
Copy link

@rcuhljr rcuhljr commented Jan 23, 2023

Hello!

This is really meant more to start a conversation since there's likely a lot of implications to this change I'm not aware of.

I've found that it would be very convenient to be able to pass in options to the underlying SSL Context, this provides support for flags like OP_LEGACY_SERVER_CONNECT and OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION. Which while dangerous do provide real utility. This was proposed in the past however at the time it was for passing in the flags that block specific SSL versions. This proposal was closed when min/max version parameters were added. I think the underlying need is still there so I'm opening this up to get some feedback.

@rcuhljr rcuhljr changed the title Initial approach to allowing SSL context option passing. Initial approach to allowing SSL context option passing Jan 23, 2023
@rcuhljr
Copy link
Author

rcuhljr commented Jun 12, 2023

I'm super keen to be able to remove my projects patch on this someday, if anyone wants to weigh on this change.

@htcarr3
Copy link

htcarr3 commented Aug 2, 2023

@rcuhljr, so if you set either the UnsafeLegacyServerConnect or UnsafeLegacyRenegotiation as options in the openssl configuration, does that not automatically get loaded into ruby? I'm running into this issue where, when I am working behind my corporate firewall we have proxy service that requires me to set these flags in order to use openssl. For some reason anything using ruby net/http still throws the renegotation error even though these options are set

@jeffgran-dox
Copy link

I would love to see this get attention too. It would be nice to be able to set ssl options for http requests individually, and I also made a commit that would add the ability to set a default for all http requests: rcuhljr#1

@rcuhljr
Copy link
Author

rcuhljr commented Feb 16, 2024

@htcarr3, @jeffgran-dox Sorry this had really fallen off my radar over the back half of last year. As for setting in the overall configuration, I'm unsure but didn't pursue it since this is running on a web server for me I really don't want these settings as part of my overall SSL configuration for the session, just for some specific requests I'm making to 3rd party servers as health checks. Jeff thanks for the interest, and yeah having the extra flexibility of just doing it once would also be nice for situations that do want the same custom settings on all requests.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@rcuhljr @htcarr3 @jeffgran-dox