ssl: do not enable OpenSSL::SSL::OP_ALL by default #767
Commits on Sep 5, 2024
-
-
ssl: do not enable OpenSSL::SSL::OP_ALL by default
Respect the SSL options set by default by SSL_CTX() and by the system-wide OpenSSL configuration file. OpenSSL::SSL::SSLContext#initialize currently adds OpenSSL::SSL::OP_ALL on top of the default SSL options. Let's stop doing it. OpenSSL::SSL::OP_ALL is a set of options that changes OpenSSL's behavior to workaround various TLS implementation bugs. Using it is considered usually safe, but is not completely harmless.
-
ssl: do not clear existing SSL options in SSLContext#set_params
Apply SSL options set in DEFAULT_PARAMS without clearing existing options. It currently clears options in order to avoid setting one of the options included in OpenSSL::SSL::OP_ALL unless explicitly specified, namely OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS. Now that OpenSSL::SSL::OP_ALL has been removed from SSLContext#initialize, it is no longer necessary.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.