
Initial approach to allowing SSL context option passing

Open rcuhljr opened this issue 2 years ago • 4 comments

Hello!

This is really meant more to start a conversation since there's likely a lot of implications to this change I'm not aware of.

I've found that it would be very convenient to be able to pass in options to the underlying SSL Context; this provides support for flags like OP_LEGACY_SERVER_CONNECT and OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION, which, while dangerous, do provide real utility. This was proposed in the past; however, at the time it was for passing in the flags that block specific SSL versions. That proposal was closed when min/max version parameters were added. I think the underlying need is still there, so I'm opening this up to get some feedback.

rcuhljr avatar Jan 23 '23 20:01 rcuhljr

I'm super keen to be able to remove my project's patch on this someday, if anyone wants to weigh in on this change.

rcuhljr avatar Jun 12 '23 13:06 rcuhljr

@rcuhljr, so if you set either UnsafeLegacyServerConnect or UnsafeLegacyRenegotiation as options in the openssl configuration, does that not automatically get loaded into ruby? I'm running into this issue where, when I am working behind my corporate firewall, we have a proxy service that requires me to set these flags in order to use openssl. For some reason anything using ruby net/http still throws the renegotiation error even though these options are set.

htcarr3 avatar Aug 02 '23 20:08 htcarr3

I would love to see this get attention too. It would be nice to be able to set ssl options for http requests individually, and I also made a commit that would add the ability to set a default for all http requests: https://github.com/rcuhljr/net-http/pull/1

jeffgran-dox avatar Oct 11 '23 14:10 jeffgran-dox

@htcarr3, @jeffgran-dox Sorry, this had really fallen off my radar over the back half of last year. As for setting it in the overall configuration, I'm unsure, but I didn't pursue it since this is running on a web server for me; I really don't want these settings as part of my overall SSL configuration for the session, just for some specific requests I'm making to 3rd party servers as health checks. Jeff, thanks for the interest, and yeah, having the extra flexibility of just doing it once would also be nice for situations that do want the same custom settings on all requests.

rcuhljr avatar Feb 16 '24 17:02 rcuhljr