From: matt.dressel@...
Date: 2014-11-18T00:24:00+00:00
Subject: [ruby-core:66340] [ruby-trunk - Bug #10522] SSL_VERSION not handled properly in Net::Http, OpenSSL libraries

Issue #10522 has been updated by Matt Dressel.

This has become quite a problem due to POODLE and the systematic phasing out of SSLv3 support from many of the APIs we use in production.

We use the following abstracted gems that sit atop net/http & openssl:

* RestClient
* Typhoeus

Both suffer the same handshake problems.

If this is actually not a problem and I am misdiagnosing it, let me know how it should work and I will update the documentation / tests.

----------------------------------------
Bug #10522: SSL_VERSION not handled properly in Net::Http, OpenSSL libraries
https://bugs.ruby-lang.org/issues/10522#change-49995

* Author: Matt Dressel
* Status: Open
* Priority: High
* Assignee:
* Category: ext/openssl
* Target version:
* ruby -v: ruby 2.1.3p242
* Backport: 2.0.0: UNKNOWN, 2.1: UNKNOWN
----------------------------------------
https://github.com/ruby/ruby/pull/762/files

While using the Faraday gem with the default net/http adapter, we are passing an explicit ssl_version to net/http, however we still received handshake warnings from the server suggesting that the ssl_version was not getting down to the OpenSSL layer.

After realizing that the Typhoeus adapter works just fine, I decided to dig deeper into Net::Http.

The Net::Http#connect method passes the ssl_version to OpenSSL::SSL::SSLContext via the set_params method. This appears to be problematic. The only case I can get to work as expected calls ssl_version= without calling set_params at all.

I believe the error revolves around the set_params calling setters for all params (always includes an ssl_version).

--
https://bugs.ruby-lang.org/
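
Added example, not part of the original message and not code from the Ruby project: a loopback check that reports which protocol version a client actually negotiates when ssl_version is applied through set_params versus the ssl_version= setter, the two paths the report compares. The key, certificate, helper names and the TLSv1_2 pin are constructed for illustration.

```ruby
require "openssl"
require "socket"

# Constructed throwaway key and self-signed certificate for the loopback server.
KEY = OpenSSL::PKey::RSA.new(2048)
CERT = OpenSSL::X509::Certificate.new.tap do |c|
  c.version = 2
  c.serial = 1
  c.subject = c.issuer = OpenSSL::X509::Name.parse("/CN=localhost")
  c.public_key = KEY.public_key
  c.not_before = Time.now - 60
  c.not_after = Time.now + 3600
  c.sign(KEY, OpenSSL::Digest.new("SHA256"))
end

# Handshake with a local TLS server; the block configures the client context under test.
def negotiated_version
  server_ctx = OpenSSL::SSL::SSLContext.new
  server_ctx.add_certificate(CERT, KEY)
  tcp = TCPServer.new("127.0.0.1", 0)
  acceptor = Thread.new { OpenSSL::SSL::SSLServer.new(tcp, server_ctx).accept rescue nil }
  store = OpenSSL::X509::Store.new.add_cert(CERT) # trust only the constructed cert
  client_ctx = OpenSSL::SSL::SSLContext.new
  yield client_ctx, store
  sock = OpenSSL::SSL::SSLSocket.new(TCPSocket.new("127.0.0.1", tcp.addr[1]), client_ctx)
  sock.hostname = "localhost"
  sock.sync_close = true
  sock.connect
  sock.ssl_version # protocol string reported by OpenSSL for this session
ensure
  sock&.close
  tcp&.close
  acceptor&.value&.close
end

# Path 1: ssl_version handed to set_params, the route the report describes.
def via_set_params
  negotiated_version { |ctx, store| ctx.set_params(ssl_version: :TLSv1_2, cert_store: store) }
end

# Path 2: ssl_version= called directly, without set_params.
def via_setter
  negotiated_version do |ctx, store|
    ctx.ssl_version = :TLSv1_2
    ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
    ctx.cert_store = store
  end
end

puts "set_params: #{via_set_params}, setter: #{via_setter}" if $PROGRAM_NAME == __FILE__
```

If the two paths report different versions on a given Ruby and OpenSSL build, the pin is not reaching the context on one of them.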