From: shugo@...
Date: 2015-02-06T04:11:39+00:00
Subject: [ruby-core:68039] [ruby-trunk - Bug #10522] [Feedback] SSL_VERSION not handled properly in Net::Http, OpenSSL libraries

Issue #10522 has been updated by Shugo Maeda.

Status changed from Open to Feedback

Matt Dressel wrote:
> https://github.com/ruby/ruby/pull/762/files

What exception is raised?
The following code works fine on my box (x86_64-linux):

```ruby
def test_allow_tls_v1_for_client
  # server does not support SSLv2 / SSLv3
  ctx_proc = Proc.new { |ctx|
    ctx.options = OpenSSL::SSL::OP_ALL | OpenSSL::SSL::OP_NO_SSLv3 | OpenSSL::SSL::OP_NO_SSLv2
  }
  start_server_version(:TLSv1_1, ctx_proc) { |server, port|
    ctx = OpenSSL::SSL::SSLContext.new
    # It appears that explicitly calling 'ssl_version=' directly
    # is required rather than allowing `set_params` to call it via `__send__`
    ctx.set_params(ssl_version: :TLSv1_1, # soils the ssl_version
                   verify_mode: OpenSSL::SSL::VERIFY_NONE)
    assert_nothing_raised(*HANDSHAKE_ERRORS) {
      server_connect(port, ctx) { |ssl| }
    }
  }
end
```

I had to add verify_mode: to bypass certificate verification.

----------------------------------------
Bug #10522: SSL_VERSION not handled properly in Net::Http, OpenSSL libraries
https://bugs.ruby-lang.org/issues/10522#change-51428

* Author: Matt Dressel
* Status: Feedback
* Priority: High
* Assignee:
* ruby -v: ruby 2.1.3p242
* Backport: 2.0.0: UNKNOWN, 2.1: UNKNOWN
----------------------------------------
https://github.com/ruby/ruby/pull/762/files

While using the Faraday gem with the default net/http adapter, we are passing an explicit ssl_version to net/http, however we still received handshake warnings from the server suggesting that the ssl_version was not getting down to the OpenSSL layer. After realizing that the Typhoeus adapter works just fine, I decided to dig deeper into Net::Http.
The Net::Http#connect method passes the ssl_version to OpenSSL::SSL::SSLContext via the set_params method. This appears to be problematic. The only case I can get to work as expected calls ssl_version= without calling set_params at all. I believe the error revolves around the set_params calling setters for all params (always includes an ssl_version).

--
https://bugs.ruby-lang.org/
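One way to check whether a pinned ssl_version reaches the OpenSSL layer through either path discussed in this thread (`set_params` or the direct `ssl_version=` setter) is to read the negotiated protocol back from the connected socket. This is an added example, not code from the issue or the pull request. The helper names, the constructed self-signed certificate and the use of `:TLSv1_2` in place of the thread's `:TLSv1_1` are assumptions, and certificate verification stays enabled against that constructed certificate.

```ruby
require "openssl"
require "socket"

# Constructed throwaway identity: self-signed certificate for "localhost".
def make_identity
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=localhost")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:localhost"))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [key, cert]
end

# Handshake over an in-process socket pair and return the protocol version the
# client negotiated. `via` is :set_params or :setter (hypothetical selector).
def negotiated_version(via, version = :TLSv1_2)
  key, cert = make_identity
  server_ctx = OpenSSL::SSL::SSLContext.new
  server_ctx.key, server_ctx.cert = key, cert
  store = OpenSSL::X509::Store.new
  store.add_cert(cert) # trust only the constructed certificate
  client_ctx = OpenSSL::SSL::SSLContext.new
  if via == :set_params
    # Path used by Net::HTTP#connect according to the issue description.
    client_ctx.set_params(ssl_version: version, cert_store: store)
  else
    client_ctx.ssl_version = version
    client_ctx.cert_store = store
    client_ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  end
  c_sock, s_sock = UNIXSocket.pair
  server = Thread.new do
    OpenSSL::SSL::SSLSocket.new(s_sock, server_ctx).accept rescue nil
  end
  ssl = OpenSSL::SSL::SSLSocket.new(c_sock, client_ctx)
  ssl.hostname = "localhost"
  ssl.connect
  ssl.ssl_version # "TLSv1.2" when pinned to :TLSv1_2
ensure
  c_sock&.close
  server&.join
  s_sock&.close
end
```

If the two paths return different strings for the same pin, the parameter is being lost or overridden inside `set_params`.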