Module: OpenSSL::SSL
- Defined in:
- ext/openssl/ossl_ssl.c,
lib/openssl/ssl.rb,
ext/openssl/ossl_ssl_session.c,
ext/openssl/ossl_ssl.c
Overview
Use SSLContext to set up the parameters for a TLS (former SSL) connection. Both client and server TLS connections are supported, SSLSocket and SSLServer may be used in conjunction with an instance of SSLContext to set up connections.
Defined Under Namespace
Modules: SocketForwarder Classes: SSLContext, SSLError, SSLErrorWaitReadable, SSLErrorWaitWritable, SSLServer, SSLSocket, Session
Constant Summary collapse
- VERIFY_NONE =
INT2NUM(SSL_VERIFY_NONE)
- VERIFY_PEER =
INT2NUM(SSL_VERIFY_PEER)
- VERIFY_FAIL_IF_NO_PEER_CERT =
INT2NUM(SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
- VERIFY_CLIENT_ONCE =
INT2NUM(SSL_VERIFY_CLIENT_ONCE)
- OP_ALL =
ULONG2NUM(SSL_OP_ALL)
- OP_CLEANSE_PLAINTEXT =
ULONG2NUM(SSL_OP_CLEANSE_PLAINTEXT)
- OP_LEGACY_SERVER_CONNECT =
ULONG2NUM(SSL_OP_LEGACY_SERVER_CONNECT)
- OP_ENABLE_KTLS =
ULONG2NUM(SSL_OP_ENABLE_KTLS)
- OP_TLSEXT_PADDING =
ULONG2NUM(SSL_OP_TLSEXT_PADDING)
- OP_SAFARI_ECDHE_ECDSA_BUG =
ULONG2NUM(SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
- OP_IGNORE_UNEXPECTED_EOF =
ULONG2NUM(SSL_OP_IGNORE_UNEXPECTED_EOF)
- OP_ALLOW_CLIENT_RENEGOTIATION =
ULONG2NUM(SSL_OP_ALLOW_CLIENT_RENEGOTIATION)
- OP_DISABLE_TLSEXT_CA_NAMES =
ULONG2NUM(SSL_OP_DISABLE_TLSEXT_CA_NAMES)
- OP_ALLOW_NO_DHE_KEX =
ULONG2NUM(SSL_OP_ALLOW_NO_DHE_KEX)
- OP_DONT_INSERT_EMPTY_FRAGMENTS =
ULONG2NUM(SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)
- OP_NO_TICKET =
ULONG2NUM(SSL_OP_NO_TICKET)
- OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION =
ULONG2NUM(SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION)
- OP_NO_COMPRESSION =
ULONG2NUM(SSL_OP_NO_COMPRESSION)
- OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION =
ULONG2NUM(SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)
- OP_NO_ENCRYPT_THEN_MAC =
ULONG2NUM(SSL_OP_NO_ENCRYPT_THEN_MAC)
- OP_ENABLE_MIDDLEBOX_COMPAT =
ULONG2NUM(SSL_OP_ENABLE_MIDDLEBOX_COMPAT)
- OP_PRIORITIZE_CHACHA =
ULONG2NUM(SSL_OP_PRIORITIZE_CHACHA)
- OP_NO_ANTI_REPLAY =
ULONG2NUM(SSL_OP_NO_ANTI_REPLAY)
- OP_NO_SSLv3 =
ULONG2NUM(SSL_OP_NO_SSLv3)
- OP_NO_TLSv1 =
ULONG2NUM(SSL_OP_NO_TLSv1)
- OP_NO_TLSv1_1 =
ULONG2NUM(SSL_OP_NO_TLSv1_1)
- OP_NO_TLSv1_2 =
ULONG2NUM(SSL_OP_NO_TLSv1_2)
- OP_NO_TLSv1_3 =
ULONG2NUM(SSL_OP_NO_TLSv1_3)
- OP_CIPHER_SERVER_PREFERENCE =
ULONG2NUM(SSL_OP_CIPHER_SERVER_PREFERENCE)
- OP_TLS_ROLLBACK_BUG =
ULONG2NUM(SSL_OP_TLS_ROLLBACK_BUG)
- OP_NO_RENEGOTIATION =
ULONG2NUM(SSL_OP_NO_RENEGOTIATION)
- OP_CRYPTOPRO_TLSEXT_BUG =
ULONG2NUM(SSL_OP_CRYPTOPRO_TLSEXT_BUG)
- OP_NO_QUERY_MTU =
ULONG2NUM(SSL_OP_NO_QUERY_MTU)
- OP_COOKIE_EXCHANGE =
ULONG2NUM(SSL_OP_COOKIE_EXCHANGE)
- OP_CISCO_ANYCONNECT =
ULONG2NUM(SSL_OP_CISCO_ANYCONNECT)
- OP_MICROSOFT_SESS_ID_BUG =
Deprecated in OpenSSL 1.1.0.
ULONG2NUM(SSL_OP_MICROSOFT_SESS_ID_BUG)
- OP_NETSCAPE_CHALLENGE_BUG =
Deprecated in OpenSSL 1.1.0.
ULONG2NUM(SSL_OP_NETSCAPE_CHALLENGE_BUG)
- OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG =
Deprecated in OpenSSL 0.9.8q and 1.0.0c.
ULONG2NUM(SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG)
- OP_SSLREF2_REUSE_CERT_TYPE_BUG =
Deprecated in OpenSSL 1.0.1h and 1.0.2.
ULONG2NUM(SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG)
- OP_MICROSOFT_BIG_SSLV3_BUFFER =
Deprecated in OpenSSL 1.1.0.
ULONG2NUM(SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
- OP_MSIE_SSLV2_RSA_PADDING =
Deprecated in OpenSSL 0.9.7h and 0.9.8b.
ULONG2NUM(SSL_OP_MSIE_SSLV2_RSA_PADDING)
- OP_SSLEAY_080_CLIENT_DH_BUG =
Deprecated in OpenSSL 1.1.0.
ULONG2NUM(SSL_OP_SSLEAY_080_CLIENT_DH_BUG)
- OP_TLS_D5_BUG =
Deprecated in OpenSSL 1.1.0.
ULONG2NUM(SSL_OP_TLS_D5_BUG)
- OP_TLS_BLOCK_PADDING_BUG =
Deprecated in OpenSSL 1.1.0.
ULONG2NUM(SSL_OP_TLS_BLOCK_PADDING_BUG)
- OP_SINGLE_ECDH_USE =
Deprecated in OpenSSL 1.1.0.
ULONG2NUM(SSL_OP_SINGLE_ECDH_USE)
- OP_SINGLE_DH_USE =
Deprecated in OpenSSL 1.1.0.
ULONG2NUM(SSL_OP_SINGLE_DH_USE)
- OP_EPHEMERAL_RSA =
Deprecated in OpenSSL 1.0.1k and 1.0.2.
ULONG2NUM(SSL_OP_EPHEMERAL_RSA)
- OP_NO_SSLv2 =
Deprecated in OpenSSL 1.1.0.
ULONG2NUM(SSL_OP_NO_SSLv2)
- OP_PKCS1_CHECK_1 =
Deprecated in OpenSSL 1.0.1.
ULONG2NUM(SSL_OP_PKCS1_CHECK_1)
- OP_PKCS1_CHECK_2 =
Deprecated in OpenSSL 1.0.1.
ULONG2NUM(SSL_OP_PKCS1_CHECK_2)
- OP_NETSCAPE_CA_DN_BUG =
Deprecated in OpenSSL 1.1.0.
ULONG2NUM(SSL_OP_NETSCAPE_CA_DN_BUG)
- OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG =
Deprecated in OpenSSL 1.1.0.
ULONG2NUM(SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG)
- SSL2_VERSION =
SSL 2.0
INT2NUM(SSL2_VERSION)
- SSL3_VERSION =
SSL 3.0
INT2NUM(SSL3_VERSION)
- TLS1_VERSION =
TLS 1.0
INT2NUM(TLS1_VERSION)
- TLS1_1_VERSION =
TLS 1.1
INT2NUM(TLS1_1_VERSION)
- TLS1_2_VERSION =
TLS 1.2
INT2NUM(TLS1_2_VERSION)
- TLS1_3_VERSION =
TLS 1.3
INT2NUM(TLS1_3_VERSION)
Class Method Summary collapse
- .verify_certificate_identity(cert, hostname) ⇒ Object
-
.verify_hostname(hostname, san) ⇒ Object
:nodoc:.
-
.verify_wildcard(domain_component, san_component) ⇒ Object
:nodoc:.
Class Method Details
.verify_certificate_identity(cert, hostname) ⇒ Object
273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 |
# File 'lib/openssl/ssl.rb', line 273 def verify_certificate_identity(cert, hostname) should_verify_common_name = true cert.extensions.each{|ext| next if ext.oid != "subjectAltName" ostr = OpenSSL::ASN1.decode(ext.to_der).value.last sequence = OpenSSL::ASN1.decode(ostr.value) sequence.value.each{|san| case san.tag when 2 # dNSName in GeneralName (RFC5280) should_verify_common_name = false return true if verify_hostname(hostname, san.value) when 7 # iPAddress in GeneralName (RFC5280) should_verify_common_name = false if san.value.size == 4 || san.value.size == 16 begin return true if san.value == IPAddr.new(hostname).hton rescue IPAddr::InvalidAddressError end end end } } if should_verify_common_name cert.subject.to_a.each{|oid, value| if oid == "CN" return true if verify_hostname(hostname, value) end } end return false end |
.verify_hostname(hostname, san) ⇒ Object
:nodoc:
306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 |
# File 'lib/openssl/ssl.rb', line 306 def verify_hostname(hostname, san) # :nodoc: # RFC 5280, IA5String is limited to the set of ASCII characters return false unless san.ascii_only? return false unless hostname.ascii_only? # See RFC 6125, section 6.4.1 # Matching is case-insensitive. san_parts = san.downcase.split(".") # TODO: this behavior should probably be more strict return san == hostname if san_parts.size < 2 # Matching is case-insensitive. host_parts = hostname.downcase.split(".") # RFC 6125, section 6.4.3, subitem 2. # If the wildcard character is the only character of the left-most # label in the presented identifier, the client SHOULD NOT compare # against anything but the left-most label of the reference # identifier (e.g., *.example.com would match foo.example.com but # not bar.foo.example.com or example.com). return false unless san_parts.size == host_parts.size # RFC 6125, section 6.4.3, subitem 1. # The client SHOULD NOT attempt to match a presented identifier in # which the wildcard character comprises a label other than the # left-most label (e.g., do not match bar.*.example.net). return false unless verify_wildcard(host_parts.shift, san_parts.shift) san_parts.join(".") == host_parts.join(".") end |
.verify_wildcard(domain_component, san_component) ⇒ Object
:nodoc:
339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 |
# File 'lib/openssl/ssl.rb', line 339 def verify_wildcard(domain_component, san_component) # :nodoc: parts = san_component.split("*", -1) return false if parts.size > 2 return san_component == domain_component if parts.size == 1 # RFC 6125, section 6.4.3, subitem 3. # The client SHOULD NOT attempt to match a presented identifier # where the wildcard character is embedded within an A-label or # U-label of an internationalized domain name. return false if domain_component.start_with?("xn--") && san_component != "*" parts[0].length + parts[1].length < domain_component.length && domain_component.start_with?(parts[0]) && domain_component.end_with?(parts[1]) end |