
[Feature #19641] Enable to pass SSLContext to Net::HTTP

Open shouichi opened this issue 2 years ago • 3 comments

Also, SSLContext is reused among requests.

shouichi avatar Aug 18 '23 06:08 shouichi

Reusing SSLContext might be a breaking change. A Net::HTTP instance may start a connection multiple times, but an SSLContext can only be modified before the first connection due to openssl's limitations for thread safety. An example which won't work if SSLContext is reused:

require "net/http"

http = Net::HTTP.new(host)
http.use_ssl = true
http.cert = cert_a   # first identity, set before the first connection
http.key = key_a
http.start {
  http.get("/")
}

http.cert = cert_b   # second identity; cannot be applied to a reused SSLContext
http.key = key_b
http.start {
  http.get("/")
}

This concern led to the hack-ish code for TLS session resumption we currently have in #connect. Please see https://bugs.ruby-lang.org/issues/5341 for context.

rhenium avatar Aug 20 '23 06:08 rhenium

https://bugs.ruby-lang.org/issues/19641

A potential drawback is conflict handling may not be obvious to users. For example, what happens if a user both sets Net::HTTP#verify_hostname and OpenSSL::SSL::Context#verify_hostname?

For the same reason as above, the new attribute for setting SSLContext has to assume the user-supplied SSLContext may already be frozen. So I think we have no choice but to disallow the other existing attributes for configuring SSLContext if the user supplies a pre-made SSLContext.

rhenium avatar Aug 20 '23 07:08 rhenium

@rhenium Thank you for the explanation. How about letting users set arbitrary parameters to SSLContext?

http.ssl_context_params = { security_level: 1 }

shouichi avatar Aug 25 '23 03:08 shouichi
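As an added example (not code from the net-http project or from either commenter), a small Ruby model of the points discussed in this thread: a context built from a params hash in the spirit of the proposed ssl_context_params, a check that surfaces the verify_hostname-style conflict between Net::HTTP attributes and a user-supplied SSLContext, and the freeze that stops a used context from being reconfigured between #start calls. The names SSL_PARAM_KEYS, build_ssl_context, conflicting_ssl_settings and reconfigure_after_use are assumptions, not net-http API.

```ruby
require "openssl"

# Hypothetical helpers (not part of net-http) modelling two points from the
# thread: (1) a Net::HTTP-level setting and a user-supplied SSLContext can
# disagree, so conflicts should be detected rather than silently resolved;
# (2) once OpenSSL has used a context it is frozen (SSLSocket.new does this),
# so it cannot be reconfigured with a different cert/key for a later #start.

# Subset of the attributes Net::HTTP already exposes for its SSLContext.
SSL_PARAM_KEYS = %i[cert key ca_file verify_mode verify_hostname
                    security_level min_version].freeze

# Build a context from a params hash, as an `ssl_context_params=` setter might.
# Unknown keys are rejected up front instead of failing inside set_params.
def build_ssl_context(params)
  unknown = params.keys - SSL_PARAM_KEYS
  raise ArgumentError, "unsupported SSLContext params: #{unknown}" unless unknown.empty?
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.set_params(params) # merges OpenSSL's DEFAULT_PARAMS (VERIFY_PEER, etc.)
  ctx
end

# Keys whose Net::HTTP-style value disagrees with a value already present on
# the user-supplied context, so the caller can raise instead of guessing.
def conflicting_ssl_settings(http_attrs, ctx)
  http_attrs.select do |name, value|
    ctx.respond_to?(name) && !ctx.public_send(name).nil? &&
      ctx.public_send(name) != value
  end.keys
end

# Try to change a context after it has been "used". Returns :frozen when the
# change is refused, which is why one context cannot serve two #start calls
# that need different client certificates.
def reconfigure_after_use(ctx)
  ctx.freeze # models what SSLSocket.new does to the context on first use
  ctx.verify_hostname = false
  :modified
rescue FrozenError
  :frozen
end
```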