Method: OpenSSL::SSL::SSLContext.__default_options

Defined in:
lib/logstash/patches/stronger_openssl_defaults.rb

.__default_options ⇒ Object

Returns the value that should be used for the default SSLContext options.

This is a method instead of a constant because some constants (like OpenSSL::SSL::OP_NO_COMPRESSION) may not be available in all Ruby versions/platforms.



# File 'lib/logstash/patches/stronger_openssl_defaults.rb', line 31

def self.__default_options
  # ruby-core is refusing to patch ruby's default openssl settings to be more
  # secure, so let's fix that here. The next few lines setting options and
  # ciphers come from jmhodges' proposed patch
  ssloptions = OpenSSL::SSL::OP_ALL
 
  # TODO(sissel): JRuby doesn't have this. Maybe work on a fix?
  if defined?(OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS)
    ssloptions &= ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS
  end

  # TODO(sissel): JRuby doesn't have this. Maybe work on a fix?
  if defined?(OpenSSL::SSL::OP_NO_COMPRESSION)
    ssloptions |= OpenSSL::SSL::OP_NO_COMPRESSION
  end

  # Disable SSLv2 and SSLv3. They are insecure and highly discouraged.
  ssloptions |= OpenSSL::SSL::OP_NO_SSLv2 if defined?(OpenSSL::SSL::OP_NO_SSLv2)
  ssloptions |= OpenSSL::SSL::OP_NO_SSLv3 if defined?(OpenSSL::SSL::OP_NO_SSLv3)
  ssloptions
end
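
An added example, not part of the Logstash source: it rebuilds the same option mask and audits any options integer (for instance the value of `SSLContext#options`) against the bits this method sets and clears. The helper names `op`, `hardened_options` and `audit_options` are hypothetical.

```ruby
require "openssl"

# Bits the method on this page sets, and the one it clears.
MUST_BE_SET   = %i[OP_NO_COMPRESSION OP_NO_SSLv2 OP_NO_SSLv3].freeze
MUST_BE_CLEAR = %i[OP_DONT_INSERT_EMPTY_FRAGMENTS].freeze

# Value of an OpenSSL::SSL option constant, or nil when this Ruby/OpenSSL
# build does not define it (the reason the page uses a method, not a constant).
def op(name)
  OpenSSL::SSL.const_defined?(name) ? OpenSSL::SSL.const_get(name) : nil
end

# Same composition as __default_options: start from OP_ALL, clear the
# empty-fragment workaround, then disable compression, SSLv2 and SSLv3.
def hardened_options
  opts = OpenSSL::SSL::OP_ALL
  MUST_BE_CLEAR.each { |n| opts &= ~(op(n) || 0) }
  MUST_BE_SET.each   { |n| opts |= (op(n) || 0) }
  opts
end

# Returns a list of findings for an options mask; empty means it matches
# the hardened defaults. Constants that are missing or defined as 0 on this
# build cannot be tested and are skipped.
def audit_options(mask)
  findings = []
  MUST_BE_SET.each do |name|
    bit = op(name)
    next if bit.nil? || bit.zero?
    findings << "#{name} is not set" if (mask & bit).zero?
  end
  MUST_BE_CLEAR.each do |name|
    bit = op(name)
    next if bit.nil? || bit.zero?
    findings << "#{name} is set" unless (mask & bit).zero?
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  puts format("hardened mask: 0x%x", hardened_options)
  puts "OP_ALL alone:  #{audit_options(OpenSSL::SSL::OP_ALL).inspect}"
end
```
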