Method: #tls

Defined in:
lib/falcon/environments/tls.rb

#tls ⇒ Object

A general SSL context environment.



# File 'lib/falcon/environments/tls.rb', line 31

environment(:tls) do
	# Session identifier handed to the SSL context's session cache.
	# @attribute [String]
	ssl_session_id "falcon"
	
	# Cipher suites offered to clients, taken from Falcon::TLS::SERVER_CIPHERS.
	# @attribute [Array(String)]
	ssl_ciphers Falcon::TLS::SERVER_CIPHERS
	
	# Path of the PEM file holding the public certificate (and any chain), resolved against root.
	# @attribute [String]
	ssl_certificate_path {File.expand_path("ssl/certificate.pem", root)}
	
	# Every certificate found in ssl_certificate_path, in file order.
	# @attribute [Array(OpenSSL::X509::Certificate)]
	ssl_certificates {OpenSSL::X509.load_certificates(ssl_certificate_path)}
	
	# The leaf certificate: the first entry of ssl_certificates.
	# @attribute [OpenSSL::X509::Certificate]
	ssl_certificate do
		ssl_certificates.first
	end
	
	# Intermediate certificates: every entry after the leaf in ssl_certificates
	# (nil when the file yielded no certificates at all).
	# @attribute [Array(OpenSSL::X509::Certificate)]
	ssl_certificate_chain do
		ssl_certificates[1..-1]
	end
	
	# Path of the PEM-encoded private key, resolved against root.
	# @attribute [String]
	ssl_private_key_path {File.expand_path("ssl/private.key", root)}
	
	# The private key matching ssl_certificate. Only RSA keys are accepted here;
	# an EC key would need OpenSSL::PKey.read instead.
	# @attribute [OpenSSL::PKey::RSA]
	ssl_private_key do
		key_pem = File.read(ssl_private_key_path)
		OpenSSL::PKey::RSA.new(key_pem)
	end
	
	# The SSL context used for incoming connections.
	# @attribute [OpenSSL::SSL::SSLContext]
	ssl_context do
		context = OpenSSL::SSL::SSLContext.new
		
		context.add_certificate(ssl_certificate, ssl_private_key, ssl_certificate_chain)
		
		# NOTE(review): SESSION_CACHE_CLIENT on a server-side context presumably
		# leaves server-side session caching off — confirm that is the intent.
		context.session_cache_mode = OpenSSL::SSL::SSLContext::SESSION_CACHE_CLIENT
		context.session_id_context = ssl_session_id
		
		# Server-side ALPN preference: pick the first of these that the client
		# offered, regardless of the client's own ordering; nil if none match.
		alpn_preference = ["h2", "http/1.1", "http/1.0"].freeze
		context.alpn_select_cb = lambda do |protocols|
			alpn_preference.find {|protocol| protocols.include?(protocol)}
		end
		
		# TODO Ruby 2.4 requires using ssl_version.
		# This pins the context to TLS 1.2 only (no 1.3). ssl_version= is
		# deprecated in newer openssl gems in favour of min_version=/max_version=.
		context.ssl_version = :TLSv1_2_server
		
		# On a server context verify_mode governs client certificates:
		# VERIFY_NONE means clients are not asked to present one.
		context.set_params(
			ciphers: ssl_ciphers,
			verify_mode: OpenSSL::SSL::VERIFY_NONE,
		)
		
		context.setup
		
		context
	end
end