Issue #9640 has been updated by Tomoyuki Chikanaga.


>>    I think users can protect themselves via configuration or update OpenSSL itself, not by the Ruby C extension library. Is it correct?

> ext/openssl(/lib/openssl/ssl.rb) actually sets the default ciphers, so changing them in OpenSSL itself is meaningless for us.
> Am I wrong?

Thank you for pointing that out. It seems that I misunderstood the point.
So I think we *should* backport the change.

> Since net/http does not have the interface to change the ciphers at the moment, available workaround should be a complex monkey patch, I guess.

Yes. But I think the workaround to do something potentially dangerous could be complicated. Users should know what they really to do.

----------------------------------------
Backport #9640: Please backport SSL fixes to 2.1
https://bugs.ruby-lang.org/issues/9640#change-49538

* Author: Christian Hofstaedtler
* Status: Open
* Priority: Normal
* Assignee: 
----------------------------------------
Please backport the fixes for issue #9424 to 2.1.

https://bugs.ruby-lang.org/projects/ruby-trunk/repository/revisions/45274/diff/ext/openssl/lib/openssl/ssl.rb




-- 
https://bugs.ruby-lang.org/