module OpenSSL::SSL
Use SSLContext to set up the parameters for a TLS (former SSL) connection. Both client and server TLS connections are supported, SSLSocket and SSLServer may be used in conjunction with an instance of SSLContext to set up connections.
Constants
- OP_ALL
- OP_ALLOW_NO_DHE_KEX
- OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
- OP_CIPHER_SERVER_PREFERENCE
- OP_CISCO_ANYCONNECT
- OP_COOKIE_EXCHANGE
- OP_CRYPTOPRO_TLSEXT_BUG
- OP_DONT_INSERT_EMPTY_FRAGMENTS
- OP_EPHEMERAL_RSA
Deprecated in OpenSSL 1.0.1k and 1.0.2.
- OP_LEGACY_SERVER_CONNECT
- OP_MICROSOFT_BIG_SSLV3_BUFFER
Deprecated in OpenSSL 1.1.0.
- OP_MICROSOFT_SESS_ID_BUG
Deprecated in OpenSSL 1.1.0.
- OP_MSIE_SSLV2_RSA_PADDING
Deprecated in OpenSSL 0.9.7h and 0.9.8b.
- OP_NETSCAPE_CA_DN_BUG
Deprecated in OpenSSL 1.1.0.
- OP_NETSCAPE_CHALLENGE_BUG
Deprecated in OpenSSL 1.1.0.
- OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
Deprecated in OpenSSL 1.1.0.
- OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
Deprecated in OpenSSL 0.9.8q and 1.0.0c.
- OP_NO_COMPRESSION
- OP_NO_ENCRYPT_THEN_MAC
- OP_NO_QUERY_MTU
- OP_NO_RENEGOTIATION
- OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
- OP_NO_SSLv2
Deprecated in OpenSSL 1.1.0.
- OP_NO_SSLv3
- OP_NO_TICKET
- OP_NO_TLSv1
- OP_NO_TLSv1_1
- OP_NO_TLSv1_2
- OP_NO_TLSv1_3
- OP_PKCS1_CHECK_1
Deprecated in OpenSSL 1.0.1.
- OP_PKCS1_CHECK_2
Deprecated in OpenSSL 1.0.1.
- OP_SAFARI_ECDHE_ECDSA_BUG
- OP_SINGLE_DH_USE
Deprecated in OpenSSL 1.1.0.
- OP_SINGLE_ECDH_USE
Deprecated in OpenSSL 1.1.0.
- OP_SSLEAY_080_CLIENT_DH_BUG
Deprecated in OpenSSL 1.1.0.
- OP_SSLREF2_REUSE_CERT_TYPE_BUG
Deprecated in OpenSSL 1.0.1h and 1.0.2.
- OP_TLSEXT_PADDING
- OP_TLS_BLOCK_PADDING_BUG
Deprecated in OpenSSL 1.1.0.
- OP_TLS_D5_BUG
Deprecated in OpenSSL 1.1.0.
- OP_TLS_ROLLBACK_BUG
- SSL2_VERSION
SSL 2.0
- SSL3_VERSION
SSL 3.0
- TLS1_1_VERSION
TLS 1.1
- TLS1_2_VERSION
TLS 1.2
- TLS1_3_VERSION
TLS 1.3
- TLS1_VERSION
TLS 1.0
- VERIFY_CLIENT_ONCE
- VERIFY_FAIL_IF_NO_PEER_CERT
- VERIFY_NONE
- VERIFY_PEER
Public Class Methods
# File ext/openssl/lib/openssl/ssl.rb, line 261 def verify_certificate_identity(cert, hostname) should_verify_common_name = true cert.extensions.each{|ext| next if ext.oid != "subjectAltName" ostr = OpenSSL::ASN1.decode(ext.to_der).value.last sequence = OpenSSL::ASN1.decode(ostr.value) sequence.value.each{|san| case san.tag when 2 # dNSName in GeneralName (RFC5280) should_verify_common_name = false return true if verify_hostname(hostname, san.value) when 7 # iPAddress in GeneralName (RFC5280) should_verify_common_name = false # follows GENERAL_NAME_print() in x509v3/v3_alt.c if san.value.size == 4 return true if san.value.unpack('C*').join('.') == hostname elsif san.value.size == 16 return true if san.value.unpack('n*').map { |e| sprintf("%X", e) }.join(':') == hostname end end } } if should_verify_common_name cert.subject.to_a.each{|oid, value| if oid == "CN" return true if verify_hostname(hostname, value) end } end return false end
Private Instance Methods
# File ext/openssl/lib/openssl/ssl.rb, line 261 def verify_certificate_identity(cert, hostname) should_verify_common_name = true cert.extensions.each{|ext| next if ext.oid != "subjectAltName" ostr = OpenSSL::ASN1.decode(ext.to_der).value.last sequence = OpenSSL::ASN1.decode(ostr.value) sequence.value.each{|san| case san.tag when 2 # dNSName in GeneralName (RFC5280) should_verify_common_name = false return true if verify_hostname(hostname, san.value) when 7 # iPAddress in GeneralName (RFC5280) should_verify_common_name = false # follows GENERAL_NAME_print() in x509v3/v3_alt.c if san.value.size == 4 return true if san.value.unpack('C*').join('.') == hostname elsif san.value.size == 16 return true if san.value.unpack('n*').map { |e| sprintf("%X", e) }.join(':') == hostname end end } } if should_verify_common_name cert.subject.to_a.each{|oid, value| if oid == "CN" return true if verify_hostname(hostname, value) end } end return false end