module OpenSSL::SSL
Use SSLContext
to set up the parameters for a TLS (former SSL
) connection. Both client and server TLS connections are supported, SSLSocket
and SSLServer
may be used in conjunction with an instance of SSLContext
to set up connections.
Constants
- OP_ALL
- OP_ALLOW_CLIENT_RENEGOTIATION
- OP_ALLOW_NO_DHE_KEX
- OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
- OP_CIPHER_SERVER_PREFERENCE
- OP_CISCO_ANYCONNECT
- OP_CLEANSE_PLAINTEXT
- OP_COOKIE_EXCHANGE
- OP_CRYPTOPRO_TLSEXT_BUG
- OP_DISABLE_TLSEXT_CA_NAMES
- OP_DONT_INSERT_EMPTY_FRAGMENTS
- OP_ENABLE_KTLS
- OP_ENABLE_MIDDLEBOX_COMPAT
- OP_EPHEMERAL_RSA
Deprecated in
OpenSSL
1.0.1k and 1.0.2.- OP_IGNORE_UNEXPECTED_EOF
- OP_LEGACY_SERVER_CONNECT
- OP_MICROSOFT_BIG_SSLV3_BUFFER
Deprecated in
OpenSSL
1.1.0.- OP_MICROSOFT_SESS_ID_BUG
Deprecated in
OpenSSL
1.1.0.- OP_MSIE_SSLV2_RSA_PADDING
Deprecated in
OpenSSL
0.9.7h and 0.9.8b.- OP_NETSCAPE_CA_DN_BUG
Deprecated in
OpenSSL
1.1.0.- OP_NETSCAPE_CHALLENGE_BUG
Deprecated in
OpenSSL
1.1.0.- OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
Deprecated in
OpenSSL
1.1.0.- OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
Deprecated in
OpenSSL
0.9.8q and 1.0.0c.- OP_NO_ANTI_REPLAY
- OP_NO_COMPRESSION
- OP_NO_ENCRYPT_THEN_MAC
- OP_NO_QUERY_MTU
- OP_NO_RENEGOTIATION
- OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
- OP_NO_SSLv2
Deprecated in
OpenSSL
1.1.0.- OP_NO_SSLv3
- OP_NO_TICKET
- OP_NO_TLSv1
- OP_NO_TLSv1_1
- OP_NO_TLSv1_2
- OP_NO_TLSv1_3
- OP_PKCS1_CHECK_1
Deprecated in
OpenSSL
1.0.1.- OP_PKCS1_CHECK_2
Deprecated in
OpenSSL
1.0.1.- OP_PRIORITIZE_CHACHA
- OP_SAFARI_ECDHE_ECDSA_BUG
- OP_SINGLE_DH_USE
Deprecated in
OpenSSL
1.1.0.- OP_SINGLE_ECDH_USE
Deprecated in
OpenSSL
1.1.0.- OP_SSLEAY_080_CLIENT_DH_BUG
Deprecated in
OpenSSL
1.1.0.- OP_SSLREF2_REUSE_CERT_TYPE_BUG
Deprecated in
OpenSSL
1.0.1h and 1.0.2.- OP_TLSEXT_PADDING
- OP_TLS_BLOCK_PADDING_BUG
Deprecated in
OpenSSL
1.1.0.- OP_TLS_D5_BUG
Deprecated in
OpenSSL
1.1.0.- OP_TLS_ROLLBACK_BUG
- SSL2_VERSION
SSL
2.0- SSL3_VERSION
SSL
3.0- TLS1_1_VERSION
TLS 1.1
- TLS1_2_VERSION
TLS 1.2
- TLS1_3_VERSION
TLS 1.3
- TLS1_VERSION
TLS 1.0
- VERIFY_CLIENT_ONCE
- VERIFY_FAIL_IF_NO_PEER_CERT
- VERIFY_NONE
- VERIFY_PEER
Public Class Methods
# File ext/openssl/lib/openssl/ssl.rb, line 276 def verify_certificate_identity(cert, hostname) should_verify_common_name = true cert.extensions.each{|ext| next if ext.oid != "subjectAltName" ostr = OpenSSL::ASN1.decode(ext.to_der).value.last sequence = OpenSSL::ASN1.decode(ostr.value) sequence.value.each{|san| case san.tag when 2 # dNSName in GeneralName (RFC5280) should_verify_common_name = false return true if verify_hostname(hostname, san.value) when 7 # iPAddress in GeneralName (RFC5280) should_verify_common_name = false if san.value.size == 4 || san.value.size == 16 begin return true if san.value == IPAddr.new(hostname).hton rescue IPAddr::InvalidAddressError end end end } } if should_verify_common_name cert.subject.to_a.each{|oid, value| if oid == "CN" return true if verify_hostname(hostname, value) end } end return false end
Private Instance Methods
# File ext/openssl/lib/openssl/ssl.rb, line 276 def verify_certificate_identity(cert, hostname) should_verify_common_name = true cert.extensions.each{|ext| next if ext.oid != "subjectAltName" ostr = OpenSSL::ASN1.decode(ext.to_der).value.last sequence = OpenSSL::ASN1.decode(ostr.value) sequence.value.each{|san| case san.tag when 2 # dNSName in GeneralName (RFC5280) should_verify_common_name = false return true if verify_hostname(hostname, san.value) when 7 # iPAddress in GeneralName (RFC5280) should_verify_common_name = false if san.value.size == 4 || san.value.size == 16 begin return true if san.value == IPAddr.new(hostname).hton rescue IPAddr::InvalidAddressError end end end } } if should_verify_common_name cert.subject.to_a.each{|oid, value| if oid == "CN" return true if verify_hostname(hostname, value) end } end return false end