Issue #9613 has been reported by Zachary Scott. ---------------------------------------- Bug #9613: Warn about unsafe ossl ciphers https://bugs.ruby-lang.org/issues/9613 * Author: Zachary Scott * Status: Open * Priority: Normal * Assignee: * Category: ext/openssl * Target version: current: 2.2.0 * ruby -v: 2.2.0dev * Backport: 1.9.3: UNKNOWN, 2.0.0: UNKNOWN, 2.1: UNKNOWN ---------------------------------------- As of r45274, we now have sane whitelist of available OpenSSL ciphers. However, this patch breaks backwards compatibility for any apps that use any ciphers not whitelisted. ## Solution * Implement a new class: OpenSSL::SSL::Ciphers * This class defines a constant for every whitelisted cipher used by DEFAULT_PARAMS[:ciphers] * Any constant not found within this class should raise a warning and report to the user * Add an OpenSSL::SSL::Configuration class * Designed to default to no compression, and no sslv2/v3 * Used by DEFAULT_PARAMS[:options] * This class may contain helper methods such as: #compression_enabled? ## Pros * We don't break anything, without warning users first * Maintaining future whitelist ciphers is easier * Future unsupported/blacklist ciphers are already dismissed * Users are able to extend cipher lists to support their needs (by adding a constant to OpenSSL::SSL::Ciphers) ## Concerns I have discussed this with Martin, and we'd like to open up this discussion for feedback. We're particularly concerned about backporting r45274 as it breaks compatibility. We should also consider: * Do we backport both patches or just the warning? * Should we bother backporting deprecation warnings? * Since r45274 is not a security fix, do we consider this a bug? * Rails only introduces deprecation notices in new minor releases (ie: Ruby-2.2.0) * r45274 is a major change that could break existing apps, even considering security -- http://bugs.ruby-lang.org/