module OpenSSL::SSL

Use SSLContext to set up the parameters for a TLS (former SSL) connection. Both client and server TLS connections are supported, SSLSocket and SSLServer may be used in conjunction with an instance of SSLContext to set up connections.

Constants

OP_ALL
OP_ALLOW_NO_DHE_KEX
OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
OP_CIPHER_SERVER_PREFERENCE
OP_CISCO_ANYCONNECT
OP_CRYPTOPRO_TLSEXT_BUG
OP_DONT_INSERT_EMPTY_FRAGMENTS
OP_EPHEMERAL_RSA

Deprecated in OpenSSL 1.0.1k and 1.0.2.

OP_LEGACY_SERVER_CONNECT
OP_MICROSOFT_BIG_SSLV3_BUFFER

Deprecated in OpenSSL 1.1.0.

OP_MICROSOFT_SESS_ID_BUG

Deprecated in OpenSSL 1.1.0.

OP_MSIE_SSLV2_RSA_PADDING

Deprecated in OpenSSL 0.9.7h and 0.9.8b.

OP_NETSCAPE_CA_DN_BUG

Deprecated in OpenSSL 1.1.0.

OP_NETSCAPE_CHALLENGE_BUG

Deprecated in OpenSSL 1.1.0.

OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG

Deprecated in OpenSSL 1.1.0.

OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG

Deprecated in OpenSSL 0.9.8q and 1.0.0c.

OP_NO_COMPRESSION
OP_NO_ENCRYPT_THEN_MAC
OP_NO_QUERY_MTU
OP_NO_RENEGOTIATION
OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
OP_NO_SSLv2

Deprecated in OpenSSL 1.1.0.

OP_NO_SSLv3
OP_NO_TICKET
OP_NO_TLSv1
OP_NO_TLSv1_1
OP_NO_TLSv1_2
OP_NO_TLSv1_3
OP_PKCS1_CHECK_1

Deprecated in OpenSSL 1.0.1.

OP_PKCS1_CHECK_2

Deprecated in OpenSSL 1.0.1.

OP_SAFARI_ECDHE_ECDSA_BUG
OP_SINGLE_DH_USE

Deprecated in OpenSSL 1.1.0.

OP_SINGLE_ECDH_USE

Deprecated in OpenSSL 1.1.0.

OP_SSLEAY_080_CLIENT_DH_BUG

Deprecated in OpenSSL 1.1.0.

OP_SSLREF2_REUSE_CERT_TYPE_BUG

Deprecated in OpenSSL 1.0.1h and 1.0.2.

OP_TLSEXT_PADDING
OP_TLS_BLOCK_PADDING_BUG

Deprecated in OpenSSL 1.1.0.

OP_TLS_D5_BUG

Deprecated in OpenSSL 1.1.0.

OP_TLS_ROLLBACK_BUG
SSL2_VERSION

SSL 2.0

SSL3_VERSION

SSL 3.0

TLS1_1_VERSION

TLS 1.1

TLS1_2_VERSION

TLS 1.2

TLS1_3_VERSION

TLS 1.3

TLS1_VERSION

TLS 1.0

VERIFY_CLIENT_ONCE
VERIFY_FAIL_IF_NO_PEER_CERT
VERIFY_NONE
VERIFY_PEER

Public Class Methods

verify_certificate_identity(cert, hostname) click to toggle source
# File ext/openssl/lib/openssl/ssl.rb, line 262
def verify_certificate_identity(cert, hostname)
  should_verify_common_name = true
  cert.extensions.each{|ext|
    next if ext.oid != "subjectAltName"
    ostr = OpenSSL::ASN1.decode(ext.to_der).value.last
    sequence = OpenSSL::ASN1.decode(ostr.value)
    sequence.value.each{|san|
      case san.tag
      when 2 # dNSName in GeneralName (RFC5280)
        should_verify_common_name = false
        return true if verify_hostname(hostname, san.value)
      when 7 # iPAddress in GeneralName (RFC5280)
        should_verify_common_name = false
        # follows GENERAL_NAME_print() in x509v3/v3_alt.c
        if san.value.size == 4
          return true if san.value.unpack('C*').join('.') == hostname
        elsif san.value.size == 16
          return true if san.value.unpack('n*').map { |e| sprintf("%X", e) }.join(':') == hostname
        end
      end
    }
  }
  if should_verify_common_name
    cert.subject.to_a.each{|oid, value|
      if oid == "CN"
        return true if verify_hostname(hostname, value)
      end
    }
  end
  return false
end

Private Instance Methods

verify_certificate_identity(cert, hostname) click to toggle source
# File ext/openssl/lib/openssl/ssl.rb, line 262
def verify_certificate_identity(cert, hostname)
  should_verify_common_name = true
  cert.extensions.each{|ext|
    next if ext.oid != "subjectAltName"
    ostr = OpenSSL::ASN1.decode(ext.to_der).value.last
    sequence = OpenSSL::ASN1.decode(ostr.value)
    sequence.value.each{|san|
      case san.tag
      when 2 # dNSName in GeneralName (RFC5280)
        should_verify_common_name = false
        return true if verify_hostname(hostname, san.value)
      when 7 # iPAddress in GeneralName (RFC5280)
        should_verify_common_name = false
        # follows GENERAL_NAME_print() in x509v3/v3_alt.c
        if san.value.size == 4
          return true if san.value.unpack('C*').join('.') == hostname
        elsif san.value.size == 16
          return true if san.value.unpack('n*').map { |e| sprintf("%X", e) }.join(':') == hostname
        end
      end
    }
  }
  if should_verify_common_name
    cert.subject.to_a.each{|oid, value|
      if oid == "CN"
        return true if verify_hostname(hostname, value)
      end
    }
  end
  return false
end