# frozen_string_literal: false
=begin
= Info
'OpenSSL for Ruby 2' project
Copyright (C) 2001 GOTOU YUUZOU <gotoyuzo@notwork.org>
All rights reserved.
= Licence
This program is licensed under the same licence as Ruby.
(See the file 'LICENCE'.)
=end
require "openssl/buffering"
require "io/nonblock"
require "ipaddr"
module OpenSSL
module SSL
class SSLContext
  # Settings applied by #set_params unless the caller overrides them:
  # TLS 1.0 as the floor, full peer verification including the hostname,
  # and the OP_ALL bug workarounds minus empty-fragment insertion, with
  # TLS compression disabled.
  DEFAULT_PARAMS = { # :nodoc:
    min_version: OpenSSL::SSL::TLS1_VERSION,
    verify_mode: OpenSSL::SSL::VERIFY_PEER,
    verify_hostname: true,
    options: (OpenSSL::SSL::OP_ALL & ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS) |
             OpenSSL::SSL::OP_NO_COMPRESSION,
  }

  if defined?(OpenSSL::PKey::DH)
    # 2048-bit DH group used when an application enables DHE suites but
    # supplies no parameters of its own. DH parameters are public values,
    # so sharing a fixed group is not a secrecy issue by itself.
    DEFAULT_2048 = OpenSSL::PKey::DH.new(<<-_end_of_pem_)
-----BEGIN DH PARAMETERS-----
MIIBCAKCAQEA7E6kBrYiyvmKAMzQ7i8WvwVk9Y/+f8S7sCTN712KkK3cqd1jhJDY
JbrYeNV3kUIKhPxWHhObHKpD1R84UpL+s2b55+iMd6GmL7OYmNIT/FccKhTcveab
VBmZT86BZKYyf45hUF9FOuUM9xPzuK3Vd8oJQvfYMCd7LPC0taAEljQLR4Edf8E6
YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3
1bNveX5wInh5GDx1FGhKBZ+s1H+aedudCm7sCgRwv8lKWYGiHzObSma8A86KG+MD
7Lo5JquQ3DlBodj3IDyPrxIv96lvRPFtAwIBAg==
-----END DH PARAMETERS-----
    _end_of_pem_
    private_constant :DEFAULT_2048

    # Fallback tmp_dh callback. The requested key length and the export
    # flag are ignored: the 2048-bit group above is always returned.
    DEFAULT_TMP_DH_CALLBACK = ->(_ctx, _is_export, _keylen) { # :nodoc:
      warn "using default DH parameters." if $VERBOSE
      DEFAULT_2048
    }
  end

  # OpenSSL 1.1.0 and later ship a sane built-in cipher list. Older
  # releases, and libraries whose version string is not OpenSSL's (e.g.
  # LibreSSL), get an explicit list: forward-secret ECDHE/DHE suites first,
  # AES only, no RC4/3DES/export/anonymous suites.
  modern_openssl = OpenSSL::OPENSSL_VERSION.start_with?("OpenSSL") &&
                   OpenSSL::OPENSSL_VERSION_NUMBER >= 0x10100000
  unless modern_openssl
    DEFAULT_PARAMS[:ciphers] = %w[
      ECDHE-ECDSA-AES128-GCM-SHA256
      ECDHE-RSA-AES128-GCM-SHA256
      ECDHE-ECDSA-AES256-GCM-SHA384
      ECDHE-RSA-AES256-GCM-SHA384
      DHE-RSA-AES128-GCM-SHA256
      DHE-DSS-AES128-GCM-SHA256
      DHE-RSA-AES256-GCM-SHA384
      DHE-DSS-AES256-GCM-SHA384
      ECDHE-ECDSA-AES128-SHA256
      ECDHE-RSA-AES128-SHA256
      ECDHE-ECDSA-AES128-SHA
      ECDHE-RSA-AES128-SHA
      ECDHE-ECDSA-AES256-SHA384
      ECDHE-RSA-AES256-SHA384
      ECDHE-ECDSA-AES256-SHA
      ECDHE-RSA-AES256-SHA
      DHE-RSA-AES128-SHA256
      DHE-RSA-AES256-SHA256
      DHE-RSA-AES128-SHA
      DHE-RSA-AES256-SHA
      DHE-DSS-AES128-SHA256
      DHE-DSS-AES256-SHA256
      DHE-DSS-AES128-SHA
      DHE-DSS-AES256-SHA
      AES128-GCM-SHA256
      AES256-GCM-SHA384
      AES128-SHA256
      AES256-SHA256
      AES128-SHA
      AES256-SHA
    ].join(":")
  end

  # System trust store used by #set_params when the caller configures no
  # ca_file, ca_path or cert_store of its own.
  # NOTE(review): in OpenSSL, V_FLAG_CRL_CHECK_ALL only widens CRL checking
  # to the whole chain when V_FLAG_CRL_CHECK is also set; as written, no CRL
  # lookup appears to happen at all -- confirm against the linked OpenSSL.
  DEFAULT_CERT_STORE = OpenSSL::X509::Store.new.tap do |store| # :nodoc:
    store.set_default_paths
    store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
  end

  # A callback invoked when DH parameters are required.
  #
  # The callback is invoked with the Session for the key exchange, a
  # flag indicating the use of an export cipher and the keylength
  # required.
  #
  # The callback must return an OpenSSL::PKey::DH instance of the correct
  # key length.
  attr_accessor :tmp_dh_callback

  # A callback invoked at connect time to distinguish between multiple
  # server names.
  #
  # The callback is invoked with an SSLSocket and a server name. The
  # callback must return an SSLContext for the server name or nil.
  attr_accessor :servername_cb

  # call-seq:
  #    SSLContext.new -> ctx
  #    SSLContext.new(:TLSv1) -> ctx
  #    SSLContext.new("SSLv23") -> ctx
  #
  # Creates a new SSL context.
  #
  # If an argument is given, #ssl_version= is called with the value. Note
  # that this form is deprecated. New applications should use #min_version=
  # and #max_version= as necessary.
  def initialize(version = nil)
    # OP_ALL enables the standard workarounds for known peer bugs.
    self.options = options | OpenSSL::SSL::OP_ALL
    self.ssl_version = version if version
  end

  ##
  # call-seq:
  #    ctx.set_params(params = {}) -> params
  #
  # Sets saner defaults optimized for the use with HTTP-like protocols.
  #
  # If a Hash _params_ is given, the parameters are overridden with it.
  # The keys in _params_ must be assignment methods on SSLContext. They are
  # dispatched with __send__ (which reaches private setters too), so
  # _params_ should only carry trusted, application-supplied settings.
  # Passing <tt>verify_mode: VERIFY_NONE</tt> turns peer verification off.
  #
  # If the verify_mode is not VERIFY_NONE and ca_file, ca_path and
  # cert_store are not set then the system default certificate store is
  # used.
  #
  # Returns the merged Hash of applied parameters (without +:options+).
  def set_params(params={})
    merged = DEFAULT_PARAMS.merge(params)
    # options must be applied before min_version=/max_version=, which
    # adjust the OP_NO_* protocol bits on top of whatever is set here.
    self.options = merged.delete(:options)
    merged.each { |name, value| __send__("#{name}=", value) }
    needs_default_store = verify_mode != OpenSSL::SSL::VERIFY_NONE &&
                          !(ca_file || ca_path || cert_store)
    self.cert_store = DEFAULT_CERT_STORE if needs_default_store
    merged
  end

  # call-seq:
  #    ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION
  #    ctx.min_version = :TLS1_2
  #    ctx.min_version = nil
  #
  # Sets the lower bound on the supported SSL/TLS protocol version. The
  # version may be specified by an integer constant named
  # OpenSSL::SSL::*_VERSION, a Symbol, or +nil+ which means "any version".
  #
  # Be careful that you don't overwrite OpenSSL::SSL::OP_NO_{SSL,TLS}v*
  # options by #options= once you have called #min_version= or
  # #max_version=.
  #
  # === Example
  #   ctx = OpenSSL::SSL::SSLContext.new
  #   ctx.min_version = OpenSSL::SSL::TLS1_1_VERSION
  #   ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION
  #
  #   sock = OpenSSL::SSL::SSLSocket.new(tcp_sock, ctx)
  #   sock.connect # Initiates a connection using either TLS 1.1 or TLS 1.2
  def min_version=(version)
    # Make sure the other bound exists (as nil) before reading it.
    @max_proto_version ||= nil
    set_minmax_proto_version(version, @max_proto_version)
    @min_proto_version = version
  end

  # call-seq:
  #    ctx.max_version = OpenSSL::SSL::TLS1_2_VERSION
  #    ctx.max_version = :TLS1_2
  #    ctx.max_version = nil
  #
  # Sets the upper bound of the supported SSL/TLS protocol version. See
  # #min_version= for the possible values.
  def max_version=(version)
    @min_proto_version ||= nil
    set_minmax_proto_version(@min_proto_version, version)
    @max_proto_version = version
  end

  # call-seq:
  #    ctx.ssl_version = :TLSv1
  #    ctx.ssl_version = "SSLv23"
  #
  # Sets the SSL/TLS protocol version for the context. This forces
  # connections to use only the specified protocol version. This is
  # deprecated and only provided for backwards compatibility. Use
  # #min_version= and #max_version= instead.
  #
  # Raises ArgumentError if the method name is not known.
  #
  # === History
  # As the name hints, this used to call the SSL_CTX_set_ssl_version()
  # function which sets the SSL method used for connections created from
  # the context. As of Ruby/OpenSSL 2.1, this accessor method is
  # implemented to call #min_version= and #max_version= instead.
  def ssl_version=(meth)
    meth = meth.to_s if meth.is_a?(Symbol)
    # Legacy names such as "TLSv1_client"/"TLSv1_server" carried the side
    # of the connection; the suffix has no effect any more and is dropped.
    if (suffix = /(?<type>_client|_server)\z/.match(meth))
      meth = suffix.pre_match
      warn "#{caller(1, 1)[0]}: method type #{suffix[:type].inspect} is ignored" if $VERBOSE
    end
    version = METHODS_MAP[meth.intern]
    raise ArgumentError, "unknown SSL method `%s'" % meth unless version
    # A single method name pins both bounds to the same version.
    set_minmax_proto_version(version, version)
    @min_proto_version = @max_proto_version = version
  end

  # Legacy method names and the protocol version each one pins. SSLv23
  # maps to 0, i.e. no version bound at all.
  METHODS_MAP = {
    SSLv23: 0,
    SSLv2: OpenSSL::SSL::SSL2_VERSION,
    SSLv3: OpenSSL::SSL::SSL3_VERSION,
    TLSv1: OpenSSL::SSL::TLS1_VERSION,
    TLSv1_1: OpenSSL::SSL::TLS1_1_VERSION,
    TLSv1_2: OpenSSL::SSL::TLS1_2_VERSION,
  }.freeze
  private_constant :METHODS_MAP

  # The list of available SSL/TLS methods. This constant is only provided
  # for backwards compatibility.
  METHODS = METHODS_MAP.keys.flat_map { |name|
    [name, *%w[client server].map { |side| :"#{name}_#{side}" }]
  }.freeze
  deprecate_constant :METHODS
end
module SocketForwarder
  # Socket-level operations that an SSL wrapper hands straight to the plain
  # socket returned by #to_io, which the including class must provide.

  def addr; to_io.addr; end

  def peeraddr; to_io.peeraddr; end

  def setsockopt(level, optname, optval); to_io.setsockopt(level, optname, optval); end

  def getsockopt(level, optname); to_io.getsockopt(level, optname); end

  # All arguments are passed through unchanged.
  def fcntl(*args); to_io.fcntl(*args); end

  def closed?; to_io.closed?; end

  def do_not_reverse_lookup=(flag); to_io.do_not_reverse_lookup = flag; end
end
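# Checks whether _cert_ was issued for _hostname_ (RFC 6125 / RFC 5280).
#
# Every subjectAltName entry is consulted first: dNSName entries go through
# #verify_hostname (wildcards included); iPAddress entries are compared in
# binary form against _hostname_ parsed as an IP literal. The subject CN is
# only considered when the certificate carries no dNSName or iPAddress SAN
# at all, as RFC 6125 requires.
#
# Returns +true+ on a match, +false+ otherwise.
def verify_certificate_identity(cert, hostname)
  should_verify_common_name = true
  cert.extensions.each { |ext|
    next if ext.oid != "subjectAltName"
    ostr = OpenSSL::ASN1.decode(ext.to_der).value.last
    sequence = OpenSSL::ASN1.decode(ostr.value)
    sequence.value.each { |san|
      case san.tag
      when 2 # dNSName in GeneralName (RFC5280)
        should_verify_common_name = false
        return true if verify_hostname(hostname, san.value)
      when 7 # iPAddress in GeneralName (RFC5280)
        should_verify_common_name = false
        # Compare as bytes so that any textual spelling of the address
        # ("::1", "0:0:0:0:0:0:0:1", lowercase hex) matches; a hostname that
        # is not an IP literal fails to parse and cannot match this SAN.
        if san.value.size == 4 || san.value.size == 16
          begin
            return true if san.value == IPAddr.new(hostname).hton
          rescue IPAddr::InvalidAddressError
            # not an IP literal; fall through to the next SAN entry
          end
        end
      end
    }
  }
  if should_verify_common_name
    cert.subject.to_a.each { |oid, value|
      if oid == "CN"
        return true if verify_hostname(hostname, value)
      end
    }
  end
  false
end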
module_function :verify_certificate_identity
# Matches a reference _hostname_ against one presented dNSName _san_
# following RFC 6125 section 6.4. Only the left-most label may contain a
# wildcard (handled by #verify_wildcard); every other label must be equal
# ignoring case. Returns +true+ or +false+.
def verify_hostname(hostname, san) # :nodoc:
  # RFC 5280: dNSName is an IA5String, so anything outside ASCII can never
  # match and is rejected up front.
  return false unless san.ascii_only? && hostname.ascii_only?

  # See RFC 6125, section 6.4.1
  # Matching is case-insensitive.
  san_parts = san.downcase.split(".")

  # TODO: this behavior should probably be more strict
  return san == hostname if san_parts.size < 2

  # Matching is case-insensitive.
  host_parts = hostname.downcase.split(".")

  # RFC 6125, section 6.4.3, subitem 2.
  # If the wildcard character is the only character of the left-most
  # label in the presented identifier, the client SHOULD NOT compare
  # against anything but the left-most label of the reference
  # identifier (e.g., *.example.com would match foo.example.com but
  # not bar.foo.example.com or example.com).
  return false if san_parts.size != host_parts.size

  # RFC 6125, section 6.4.3, subitem 1.
  # The client SHOULD NOT attempt to match a presented identifier in
  # which the wildcard character comprises a label other than the
  # left-most label (e.g., do not match bar.*.example.net).
  san_first, *san_rest = san_parts
  host_first, *host_rest = host_parts
  return false unless verify_wildcard(host_first, san_first)

  # Same label count and no dots inside a label: the remaining labels
  # must agree one by one.
  san_rest == host_rest
end
module_function :verify_hostname
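# Matches one reference label _domain_component_ against one presented
# label _san_component_ that may contain a single "*" (RFC 6125 6.4.3).
#
# Labels without a wildcard must be equal. An empty presented label (from a
# malformed name such as ".example.com") is compared literally as well
# instead of raising, so a bad certificate cannot crash the check.
# Returns +true+ or +false+.
def verify_wildcard(domain_component, san_component) # :nodoc:
  parts = san_component.split("*", -1)

  # More than one wildcard is never acceptable.
  return false if parts.size > 2
  # No wildcard (or an empty label): plain comparison.
  return san_component == domain_component if parts.size <= 1

  # RFC 6125, section 6.4.3, subitem 3.
  # The client SHOULD NOT attempt to match a presented identifier
  # where the wildcard character is embedded within an A-label or
  # U-label of an internationalized domain name.
  return false if domain_component.start_with?("xn--") && san_component != "*"

  # The wildcard must stand for at least one character, and the literal
  # text around it must frame the reference label.
  prefix, suffix = parts
  prefix.length + suffix.length < domain_component.length &&
    domain_component.start_with?(prefix) &&
    domain_component.end_with?(suffix)
end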
module_function :verify_wildcard
class SSLSocket
  include Buffering
  include SocketForwarder

  # The hostname associated with this socket.
  attr_reader :hostname

  # The underlying IO object.
  attr_reader :io
  alias :to_io :io

  # The SSLContext object used in this connection.
  attr_reader :context

  # Whether to close the underlying socket as well, when the SSL/TLS
  # connection is shut down. This defaults to +false+.
  attr_accessor :sync_close

  # call-seq:
  #    ssl.sysclose => nil
  #
  # Sends "close notify" to the peer and tries to shut down the SSL
  # connection gracefully. Does nothing when the socket is already closed.
  #
  # If sync_close is set to +true+, the underlying IO is also closed.
  def sysclose
    unless closed?
      stop
      io.close if sync_close
    end
  end

  # call-seq:
  #    ssl.post_connection_check(hostname) -> true
  #
  # Perform hostname verification following RFC 6125.
  #
  # This method MUST be called after calling #connect to ensure that the
  # hostname of a remote peer has been verified.
  #
  # Raises SSLError when the peer presented no certificate (with an
  # anonymous cipher suite there is nothing to verify at all) or when the
  # certificate does not match _hostname_.
  def post_connection_check(hostname)
    cert = peer_cert
    if cert.nil?
      msg = "Peer verification enabled, but no certificate received."
      if using_anon_cipher?
        msg += " Anonymous cipher suite #{cipher[0]} was negotiated. " \
               "Anonymous suites must be disabled to use peer verification."
      end
      raise SSLError, msg
    end

    matched = OpenSSL::SSL.verify_certificate_identity(cert, hostname)
    raise SSLError, "hostname \"#{hostname}\" does not match the server certificate" unless matched
    true
  end

  # call-seq:
  #    ssl.session -> aSession
  #
  # Returns the SSLSession object currently used, or nil if the session is
  # not established.
  def session
    begin
      SSL::Session.new(self)
    rescue SSL::Session::SessionError
      nil
    end
  end

  private

  # Builds a throwaway context restricted to the "aNULL" cipher string (the
  # anonymous suites) and checks whether the suite negotiated on this
  # socket is one of them.
  def using_anon_cipher?
    anon_suites = OpenSSL::SSL::SSLContext.new.tap { |c| c.ciphers = "aNULL" }.ciphers
    anon_suites.include?(cipher)
  end

  # Callback lookups, resolved against the context this socket was created
  # with.

  def client_cert_cb
    @context.client_cert_cb
  end

  # Falls back to the library's default DH parameters when the context
  # provides no callback of its own.
  def tmp_dh_callback
    @context.tmp_dh_callback || OpenSSL::SSL::SSLContext::DEFAULT_TMP_DH_CALLBACK
  end

  def tmp_ecdh_callback
    @context.tmp_ecdh_callback
  end

  def session_new_cb
    @context.session_new_cb
  end

  def session_get_cb
    @context.session_get_cb
  end
end
##
# SSLServer represents a TCP/IP server socket with Secure Sockets Layer.
class SSLServer
include SocketForwarder
# When true, #accept also runs the TLS handshake (SSLSocket#accept) before
# returning, so it works exactly the same as TCPServer#accept in handing
# back a ready socket. #initialize sets this to true.
attr_accessor :start_immediately
# Creates a new instance of SSLServer.
# * _svr_ is an instance of TCPServer.
# * _ctx_ is an instance of OpenSSL::SSL::SSLContext.
#
# If _ctx_ has no session_id_context yet, one is generated here. The
# value is not a secret -- it only scopes which sessions this server will
# resume -- so a PRNG seeded from the program name is sufficient.
def initialize(svr, ctx)
  @svr = svr
  @ctx = ctx
  # see #6137 - session id may not exceed 32 bytes
  # 16 random bytes hex-encoded are exactly 32 characters.
  @ctx.session_id_context ||= ::Random.new($0.hash).bytes(16).unpack('H*')[0]
  @start_immediately = true
end
# Returns the TCPServer passed to the SSLServer when initialized.
# SocketForwarder routes its socket-level methods through this.
def to_io
  return @svr
end
# See TCPServer#listen for details. _backlog_ defaults to 5 and is passed
# through to the wrapped server socket.
def listen(backlog=5)
  return @svr.listen(backlog)
end
# See BasicSocket#shutdown for details. Both directions are shut down
# unless _how_ says otherwise.
def shutdown(how=Socket::SHUT_RDWR)
  return @svr.shutdown(how)
end
# Works similar to TCPServer#accept.
#
# Wraps the accepted socket in an SSLSocket with sync_close enabled and,
# when #start_immediately is true, performs the TLS handshake before
# returning. If anything fails the accepted socket (or the half-built
# SSLSocket) is closed and the error is re-raised.
def accept
  # Socket#accept returns [socket, addrinfo].
  # TCPServer#accept returns a socket.
  # The following comma strips addrinfo.
  sock, = @svr.accept
  ssl = nil
  begin
    ssl = OpenSSL::SSL::SSLSocket.new(sock, @ctx)
    ssl.sync_close = true
    ssl.accept if @start_immediately
    ssl
  rescue Exception => ex
    # Exception rather than StandardError on purpose: an Interrupt or
    # SystemExit during the handshake must not leak the file descriptor.
    (ssl || sock).close
    raise ex
  end
end
# See IO#close for details. Closes the wrapped server socket.
def close
  return @svr.close
end