Module: OpenSSL::SSL
Relationships & Source Files | |
Namespace Children | |
Modules:
| |
Classes:
| |
Exceptions:
| |
Defined in: | ext/openssl/ossl_ssl.c, ext/openssl/ossl_ssl_session.c, ext/openssl/lib/openssl/ssl.rb |
Overview
Use SSLContext to set up the parameters for a TLS (former SSL
) connection. Both client and server TLS connections are supported, SSLSocket
and SSLServer
may be used in conjunction with an instance of SSLContext
to set up connections.
Constant Summary
-
OP_ALL =
# File 'ext/openssl/ossl_ssl.c', line 2986ULONG2NUM(SSL_OP_ALL)
-
OP_ALLOW_CLIENT_RENEGOTIATION =
# File 'ext/openssl/ossl_ssl.c', line 3000ULONG2NUM(SSL_OP_ALLOW_CLIENT_RENEGOTIATION)
-
OP_ALLOW_NO_DHE_KEX =
# File 'ext/openssl/ossl_ssl.c', line 3006ULONG2NUM(SSL_OP_ALLOW_NO_DHE_KEX)
-
OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION =
# File 'ext/openssl/ossl_ssl.c', line 3012ULONG2NUM(SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION)
-
OP_CIPHER_SERVER_PREFERENCE =
# File 'ext/openssl/ossl_ssl.c', line 3032ULONG2NUM(SSL_OP_CIPHER_SERVER_PREFERENCE)
-
OP_CISCO_ANYCONNECT =
# File 'ext/openssl/ossl_ssl.c', line 3043ULONG2NUM(SSL_OP_CISCO_ANYCONNECT)
-
OP_CLEANSE_PLAINTEXT =
# File 'ext/openssl/ossl_ssl.c', line 2988ULONG2NUM(SSL_OP_CLEANSE_PLAINTEXT)
-
OP_COOKIE_EXCHANGE =
# File 'ext/openssl/ossl_ssl.c', line 3042ULONG2NUM(SSL_OP_COOKIE_EXCHANGE)
-
OP_CRYPTOPRO_TLSEXT_BUG =
# File 'ext/openssl/ossl_ssl.c', line 3037ULONG2NUM(SSL_OP_CRYPTOPRO_TLSEXT_BUG)
-
OP_DISABLE_TLSEXT_CA_NAMES =
# File 'ext/openssl/ossl_ssl.c', line 3003ULONG2NUM(SSL_OP_DISABLE_TLSEXT_CA_NAMES)
-
OP_DONT_INSERT_EMPTY_FRAGMENTS =
# File 'ext/openssl/ossl_ssl.c', line 3008ULONG2NUM(SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS)
-
OP_ENABLE_KTLS =
# File 'ext/openssl/ossl_ssl.c', line 2992ULONG2NUM(SSL_OP_ENABLE_KTLS)
-
OP_ENABLE_MIDDLEBOX_COMPAT =
# File 'ext/openssl/ossl_ssl.c', line 3017ULONG2NUM(SSL_OP_ENABLE_MIDDLEBOX_COMPAT)
-
OP_EPHEMERAL_RSA =
Deprecated in
::OpenSSL
1.0.1k and 1.0.2.ULONG2NUM(SSL_OP_EPHEMERAL_RSA)
-
OP_IGNORE_UNEXPECTED_EOF =
# File 'ext/openssl/ossl_ssl.c', line 2997ULONG2NUM(SSL_OP_IGNORE_UNEXPECTED_EOF)
-
OP_LEGACY_SERVER_CONNECT =
# File 'ext/openssl/ossl_ssl.c', line 2990ULONG2NUM(SSL_OP_LEGACY_SERVER_CONNECT)
-
OP_MICROSOFT_BIG_SSLV3_BUFFER =
Deprecated in
::OpenSSL
1.1.0.ULONG2NUM(SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER)
-
OP_MICROSOFT_SESS_ID_BUG =
Deprecated in
::OpenSSL
1.1.0.ULONG2NUM(SSL_OP_MICROSOFT_SESS_ID_BUG)
-
OP_MSIE_SSLV2_RSA_PADDING =
Deprecated in
::OpenSSL
0.9.7h and 0.9.8b.ULONG2NUM(SSL_OP_MSIE_SSLV2_RSA_PADDING)
-
OP_NETSCAPE_CA_DN_BUG =
Deprecated in
::OpenSSL
1.1.0.ULONG2NUM(SSL_OP_NETSCAPE_CA_DN_BUG)
-
OP_NETSCAPE_CHALLENGE_BUG =
Deprecated in
::OpenSSL
1.1.0.ULONG2NUM(SSL_OP_NETSCAPE_CHALLENGE_BUG)
-
OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG =
Deprecated in
::OpenSSL
1.1.0.ULONG2NUM(SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG)
-
OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG =
Deprecated in
::OpenSSL
0.9.8q and 1.0.0c.ULONG2NUM(SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG)
-
OP_NO_ANTI_REPLAY =
# File 'ext/openssl/ossl_ssl.c', line 3023ULONG2NUM(SSL_OP_NO_ANTI_REPLAY)
-
OP_NO_COMPRESSION =
# File 'ext/openssl/ossl_ssl.c', line 3011ULONG2NUM(SSL_OP_NO_COMPRESSION)
-
OP_NO_ENCRYPT_THEN_MAC =
# File 'ext/openssl/ossl_ssl.c', line 3014ULONG2NUM(SSL_OP_NO_ENCRYPT_THEN_MAC)
-
OP_NO_QUERY_MTU =
# File 'ext/openssl/ossl_ssl.c', line 3041ULONG2NUM(SSL_OP_NO_QUERY_MTU)
-
OP_NO_RENEGOTIATION =
# File 'ext/openssl/ossl_ssl.c', line 3035ULONG2NUM(SSL_OP_NO_RENEGOTIATION)
-
OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION =
# File 'ext/openssl/ossl_ssl.c', line 3010ULONG2NUM(SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION)
-
OP_NO_SSLv2 =
Deprecated in
::OpenSSL
1.1.0.ULONG2NUM(SSL_OP_NO_SSLv2)
-
OP_NO_SSLv3 =
# File 'ext/openssl/ossl_ssl.c', line 3025ULONG2NUM(SSL_OP_NO_SSLv3)
-
OP_NO_TICKET =
# File 'ext/openssl/ossl_ssl.c', line 3009ULONG2NUM(SSL_OP_NO_TICKET)
-
OP_NO_TLSv1 =
# File 'ext/openssl/ossl_ssl.c', line 3026ULONG2NUM(SSL_OP_NO_TLSv1)
-
OP_NO_TLSv1_1 =
# File 'ext/openssl/ossl_ssl.c', line 3027ULONG2NUM(SSL_OP_NO_TLSv1_1)
-
OP_NO_TLSv1_2 =
# File 'ext/openssl/ossl_ssl.c', line 3028ULONG2NUM(SSL_OP_NO_TLSv1_2)
-
OP_NO_TLSv1_3 =
# File 'ext/openssl/ossl_ssl.c', line 3030ULONG2NUM(SSL_OP_NO_TLSv1_3)
-
OP_PKCS1_CHECK_1 =
Deprecated in
::OpenSSL
1.0.1.ULONG2NUM(SSL_OP_PKCS1_CHECK_1)
-
OP_PKCS1_CHECK_2 =
Deprecated in
::OpenSSL
1.0.1.ULONG2NUM(SSL_OP_PKCS1_CHECK_2)
-
OP_PRIORITIZE_CHACHA =
# File 'ext/openssl/ossl_ssl.c', line 3020ULONG2NUM(SSL_OP_PRIORITIZE_CHACHA)
-
OP_SAFARI_ECDHE_ECDSA_BUG =
# File 'ext/openssl/ossl_ssl.c', line 2995ULONG2NUM(SSL_OP_SAFARI_ECDHE_ECDSA_BUG)
-
OP_SINGLE_DH_USE =
Deprecated in
::OpenSSL
1.1.0.ULONG2NUM(SSL_OP_SINGLE_DH_USE)
-
OP_SINGLE_ECDH_USE =
Deprecated in
::OpenSSL
1.1.0.ULONG2NUM(SSL_OP_SINGLE_ECDH_USE)
-
OP_SSLEAY_080_CLIENT_DH_BUG =
Deprecated in
::OpenSSL
1.1.0.ULONG2NUM(SSL_OP_SSLEAY_080_CLIENT_DH_BUG)
-
OP_SSLREF2_REUSE_CERT_TYPE_BUG =
Deprecated in
::OpenSSL
1.0.1h and 1.0.2.ULONG2NUM(SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG)
-
OP_TLSEXT_PADDING =
# File 'ext/openssl/ossl_ssl.c', line 2994ULONG2NUM(SSL_OP_TLSEXT_PADDING)
-
OP_TLS_BLOCK_PADDING_BUG =
Deprecated in
::OpenSSL
1.1.0.ULONG2NUM(SSL_OP_TLS_BLOCK_PADDING_BUG)
-
OP_TLS_D5_BUG =
Deprecated in
::OpenSSL
1.1.0.ULONG2NUM(SSL_OP_TLS_D5_BUG)
-
OP_TLS_ROLLBACK_BUG =
# File 'ext/openssl/ossl_ssl.c', line 3033ULONG2NUM(SSL_OP_TLS_ROLLBACK_BUG)
-
SSL2_VERSION =
SSL
2.0INT2NUM(SSL2_VERSION)
-
SSL3_VERSION =
SSL
3.0INT2NUM(SSL3_VERSION)
-
TLS1_1_VERSION =
TLS 1.1
INT2NUM(TLS1_1_VERSION)
-
TLS1_2_VERSION =
TLS 1.2
INT2NUM(TLS1_2_VERSION)
-
TLS1_3_VERSION =
TLS 1.3
INT2NUM(TLS1_3_VERSION)
-
TLS1_VERSION =
TLS 1.0
INT2NUM(TLS1_VERSION)
-
VERIFY_CLIENT_ONCE =
# File 'ext/openssl/ossl_ssl.c', line 2984INT2NUM(SSL_VERIFY_CLIENT_ONCE)
-
VERIFY_FAIL_IF_NO_PEER_CERT =
# File 'ext/openssl/ossl_ssl.c', line 2983INT2NUM(SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
-
VERIFY_NONE =
# File 'ext/openssl/ossl_ssl.c', line 2981INT2NUM(SSL_VERIFY_NONE)
-
VERIFY_PEER =
# File 'ext/openssl/ossl_ssl.c', line 2982INT2NUM(SSL_VERIFY_PEER)
Class Method Summary
- .verify_certificate_identity(cert, hostname) mod_func
- .verify_hostname(hostname, san) mod_func Internal use only
- .verify_wildcard(domain_component, san_component) mod_func Internal use only
Class Method Details
.verify_certificate_identity(cert, hostname) (mod_func)
[ GitHub ]# File 'ext/openssl/lib/openssl/ssl.rb', line 276
def verify_certificate_identity(cert, hostname) should_verify_common_name = true cert.extensions.each{|ext| next if ext.oid != "subjectAltName" ostr = OpenSSL::ASN1.decode(ext.to_der).value.last sequence = OpenSSL::ASN1.decode(ostr.value) sequence.value.each{|san| case san.tag when 2 # dNSName in GeneralName (RFC5280) should_verify_common_name = false return true if verify_hostname(hostname, san.value) when 7 # iPAddress in GeneralName (RFC5280) should_verify_common_name = false if san.value.size == 4 || san.value.size == 16 begin return true if san.value == IPAddr.new(hostname).hton rescue IPAddr::InvalidAddressError end end end } } if should_verify_common_name cert.subject.to_a.each{|oid, value| if oid == "CN" return true if verify_hostname(hostname, value) end } end return false end
.verify_hostname(hostname, san) (mod_func)
# File 'ext/openssl/lib/openssl/ssl.rb', line 309
def verify_hostname(hostname, san) # :nodoc: # RFC 5280, IA5String is limited to the set of ASCII characters return false unless san.ascii_only? return false unless hostname.ascii_only? # See RFC 6125, section 6.4.1 # Matching is case-insensitive. san_parts = san.downcase.split(".") # TODO: this behavior should probably be more strict return san == hostname if san_parts.size < 2 # Matching is case-insensitive. host_parts = hostname.downcase.split(".") # RFC 6125, section 6.4.3, subitem 2. # If the wildcard character is the only character of the left-most # label in the presented identifier, the client SHOULD NOT compare # against anything but the left-most label of the reference # identifier (e.g., *.example.com would match foo.example.com but # not bar.foo.example.com or example.com). return false unless san_parts.size == host_parts.size # RFC 6125, section 6.4.3, subitem 1. # The client SHOULD NOT attempt to match a presented identifier in # which the wildcard character comprises a label other than the # left-most label (e.g., do not match bar.*.example.net). return false unless verify_wildcard(host_parts.shift, san_parts.shift) san_parts.join(".") == host_parts.join(".") end
.verify_wildcard(domain_component, san_component) (mod_func)
# File 'ext/openssl/lib/openssl/ssl.rb', line 342
def verify_wildcard(domain_component, san_component) # :nodoc: parts = san_component.split("*", -1) return false if parts.size > 2 return san_component == domain_component if parts.size == 1 # RFC 6125, section 6.4.3, subitem 3. # The client SHOULD NOT attempt to match a presented identifier # where the wildcard character is embedded within an A-label or # U-label of an internationalized domain name. return false if domain_component.start_with?("xn--") && san_component != "*" parts[0].length + parts[1].length < domain_component.length && domain_component.start_with?(parts[0]) && domain_component.end_with?(parts[1]) end