Issue #9640 has been updated by Usaku NAKAMURA.


Tomoyuki Chikanaga wrote:
> But now I feel the necessity of rethinking it in light of the change in circumstances (e.g. POODLE).

I feel so, too.


> I think users can protect themselves via configuration or by updating OpenSSL itself, not by the Ruby C extension library. Is that correct?

ext/openssl(/lib/openssl/ssl.rb) actually sets the default ciphers, so changing them in OpenSSL itself is meaningless for us.
Am I wrong?


> I think r45274 changes only the default settings, so users who need SSLv3 or old ciphers have some workarounds (for example via Net::HTTP#ssl_version= or Net::HTTP#ciphers=). Is that correct?

Since net/http does not have an interface to change the ciphers at the moment, the available workaround would be a complex monkey patch, I guess.

----------------------------------------
Backport #9640: Please backport SSL fixes to 2.1
https://bugs.ruby-lang.org/issues/9640#change-49524

* Author: Christian Hofstaedtler
* Status: Open
* Priority: Normal
* Assignee: 
----------------------------------------
Please backport the fixes for issue #9424 to 2.1.

https://bugs.ruby-lang.org/projects/ruby-trunk/repository/revisions/45274/diff/ext/openssl/lib/openssl/ssl.rb



