From: Liping Bao on
Hello All

I need to connect over HTTPS to an Apache server that only supports the
TLS1 protocol.
How do I switch to using ONLY TLS1 in the https module? I searched the
internet for a long while and found nothing useful for me.

The Apache server itself is OK. I can connect to it with IE using
TLS1.
My Ruby scripts are also fine connecting over HTTPS to the other, regular
Apache server.
And the httpd log confirms that the error is raised by a wrong
version number.

My ruby version: ruby 1.8.6

Thanks in advance for your help!

Best Regards
Liping
--
Posted via http://www.ruby-forum.com/.

From: Brian Candler on
Liping Bao wrote:
> Hello All
>
> I need to connect over HTTPS to an Apache server that only supports the
> TLS1 protocol.
> How do I switch to using ONLY TLS1 in the https module? I searched the
> internet for a long while and found nothing useful for me.

Have a look in the source code, probably somewhere like
/usr/lib/ruby/1.8/net/https.rb

You can see there is an instance variable @ssl_context which keeps the
SSL state. Now see the docs for this:

http://www.ruby-doc.org/core-1.9/classes/OpenSSL/SSL/SSLContext.html

It looks like you should be able to replace
SSLContext.new
with
SSLContext.new(:TLSv1)

Looking through the code, I think you can do this without
monkey-patching, by setting the @ssl_context variable *before* calling
use_ssl=true. Something like this (untested):

require 'net/https'
require 'uri'

uri = URI.parse(ARGV[0] || 'https://localhost/')
http = Net::HTTP.new(uri.host, uri.port)
if uri.scheme == "https"
  # Seed the context first: use_ssl= only creates a default SSLContext when
  # @ssl_context is still nil, so this TLSv1-only one is kept. Note that a
  # bare SSLContext.new does not verify the server certificate; set
  # verify_mode / ca_file on it for anything beyond testing.
  http.instance_eval { @ssl_context = OpenSSL::SSL::SSLContext.new(:TLSv1) }
  http.use_ssl = true
end

If this works, then go to redmine.ruby-lang.org and submit a ticket
suggesting this be made available as a feature, e.g.

--- https.rb.orig 2009-12-03 09:27:56.000000000 +0000
+++ https.rb 2009-12-03 09:30:18.000000000 +0000
@@ -121,7 +121,7 @@
raise IOError, "use_ssl value changed, but session already
started" \
if started? and @use_ssl != flag
if flag and not @ssl_context
- @ssl_context = OpenSSL::SSL::SSLContext.new
+ @ssl_context = flag == true ? OpenSSL::SSL::SSLContext.new :
OpenSSL::SSL::SSLContext.new(flag)
end
@use_ssl = flag
end
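Review bot: the new else branch is only reached if `flag` still holds the symbol at this point, but the hunk starts at the IOError check, so whatever use_ssl= does to `flag` before that line is not shown; if the method already coerces it to a boolean, `use_ssl = :TLSv1` arrives here as `true` and the default context is built anyway. Two smaller points in the same hunk: `@use_ssl = flag` now stores the symbol, so `use_ssl?` answers `:TLSv1` rather than `true`, and because of `if flag and not @ssl_context` a later call with a different version after a context exists is silently ignored instead of raising. Consider extracting the version once at the top of the method (`version = flag.is_a?(Symbol) ? flag : nil`), keeping `flag` strictly boolean, and building `OpenSSL::SSL::SSLContext.new(version)` only when no context exists yet.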
--
Posted via http://www.ruby-forum.com/.
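Added example, not from the thread or from Ruby's own sources: it reproduces the situation described in the first post on a loopback TLS server (a self-signed certificate generated in-process stands in for the TLS1-only Apache; a client pinned to a version the server will not negotiate fails the handshake, which is what the httpd "wrong version number" entry reflects, and a client pinned to the right one connects) and then shows the same pin on Net::HTTP with certificate verification enabled, which the bare SSLContext.new in the recipe above leaves off. TLS 1.2 and 1.3 are used in place of TLS 1.0 only because current OpenSSL builds may refuse to negotiate TLS 1.0 at all. The names make_self_signed_cert, start_server, pinned_connect, negotiate and pinned_http are this example's own, and it assumes Ruby 2.5 or later (min_version/max_version) rather than the 1.8.6 in the thread.

```ruby
require 'openssl'
require 'socket'
require 'net/http'
require 'uri'

# Self-signed certificate for the throwaway local server (a constructed fixture;
# the client is told to trust exactly this cert, so nothing leaves the machine).
def make_self_signed_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                                    # X.509 v3
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=localhost')
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('subjectAltName', 'DNS:localhost'))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# One-shot TLS server on an ephemeral port that refuses to negotiate anything
# newer than max_version (stands in for the "TLS1 only" Apache in the thread).
def start_server(cert, key, max_version)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key = key
  ctx.max_version = max_version
  tcp = TCPServer.new('127.0.0.1', 0)
  port = tcp.addr[1]
  thread = Thread.new do
    begin
      conn = OpenSSL::SSL::SSLServer.new(tcp, ctx).accept   # handshake happens here
      conn.write("hello\n")
      conn.close
    rescue OpenSSL::SSL::SSLError, SystemCallError, IOError
      # a version mismatch surfaces here as a failed handshake; the client
      # sees the same failure on its side, so there is nothing more to do
    ensure
      tcp.close
    end
  end
  [port, thread]
end

# Client pinned to exactly `version`, with peer verification ON (a bare
# SSLContext.new, as in the thread's recipe, defaults to VERIFY_NONE).
# Returns the negotiated protocol name, or the exception class on failure.
def pinned_connect(port, trusted_cert, version)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.min_version = ctx.max_version = version
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  store = OpenSSL::X509::Store.new
  store.add_cert(trusted_cert)
  ctx.cert_store = store
  sock = TCPSocket.new('127.0.0.1', port)
  ssl = OpenSSL::SSL::SSLSocket.new(sock, ctx)
  ssl.hostname = 'localhost'                          # SNI
  ssl.connect
  ssl.post_connection_check('localhost')              # name must match the cert
  ssl.ssl_version                                     # e.g. "TLSv1.2"
rescue OpenSSL::SSL::SSLError, SystemCallError => e
  e.class
ensure
  sock.close if sock && !sock.closed?
end

# Run one server/client pairing and report what the client saw.
def negotiate(server_max, client_version)
  cert, key = make_self_signed_cert
  port, thread = start_server(cert, key, server_max)
  result = pinned_connect(port, cert, client_version)
  thread.join
  result
end

# The same pin expressed on Net::HTTP (what the thread was after), with
# verification on. Returns the configured, not yet started, connection.
def pinned_http(url, version)
  uri = URI.parse(url)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = (uri.scheme == 'https')
  http.min_version = version
  http.max_version = version
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http
end

if __FILE__ == $0
  puts negotiate(OpenSSL::SSL::TLS1_2_VERSION, OpenSSL::SSL::TLS1_2_VERSION)  # matching pin
  puts negotiate(OpenSSL::SSL::TLS1_2_VERSION, OpenSSL::SSL::TLS1_3_VERSION)  # mismatched pin
end
```

The first negotiate call connects and reports the protocol the two sides agreed on; the second fails during the handshake because the server will not go above TLS 1.2 and the client will not go below TLS 1.3, which is the same class of failure the thread's httpd log showed. pinned_http is the Net::HTTP form: the version pin and VERIFY_PEER are set on the object before it is started, so no instance_eval into @ssl_context is needed on a current Ruby.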

From: Liping Bao on
Brian Candler wrote:
> if uri.scheme == "https"
> http.instance_eval { @ssl_context =
> OpenSSL::SSL::SSLContext.new(:TLSv1) }
> http.use_ssl = true
> end
>

Thanks a lot! It works for me.

> if started? and @use_ssl != flag
> if flag and not @ssl_context
> - @ssl_context = OpenSSL::SSL::SSLContext.new
> + @ssl_context = flag == true ? OpenSSL::SSL::SSLContext.new :
> OpenSSL::SSL::SSLContext.new(flag)
> end
Sorry, I do not understand the code segment. What kind of improvement
do you mean? I think the current usage is ok for me.
--
Posted via http://www.ruby-forum.com/.

From: Brian Candler on
Liping Bao wrote:
> Brian Candler wrote:
>> if uri.scheme == "https"
>> http.instance_eval { @ssl_context =
>> OpenSSL::SSL::SSLContext.new(:TLSv1) }
>> http.use_ssl = true
>> end
>>
>
> Thanks a lot! It works for me.
>
>> if started? and @use_ssl != flag
>> if flag and not @ssl_context
>> - @ssl_context = OpenSSL::SSL::SSLContext.new
>> + @ssl_context = flag == true ? OpenSSL::SSL::SSLContext.new :
>> OpenSSL::SSL::SSLContext.new(flag)
>> end
> Sorry, I do not understand the code segment. What kind of improvement
> do you mean? I think the current usage is ok for me.

It would let you say

http.use_ssl = :TLSv1
--
Posted via http://www.ruby-forum.com/.

From: Liping Bao on
> It would let you say
>
> http.use_ssl = :TLSv1
Thanks, I got it. I tried your diff, and with a little change, it does
work.
Here is the final diff.
- flag = (flag ? true : false)
raise IOError, "use_ssl value changed, but session already
started" \
if started? and @use_ssl != flag
if flag and not @ssl_context
- @ssl_context = OpenSSL::SSL::SSLContext.new
+ @ssl_context = flag == true ? OpenSSL::SSL::SSLContext.new :
OpenSSL::SSL::SSLContext.new(flag)
end
@use_ssl = flag
end
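Review bot: removing `flag = (flag ? true : false)` changes use_ssl= for every existing caller, not only the new symbol form: `@use_ssl = flag` now stores whatever was passed, so a truthy non-boolean such as `use_ssl = 1`, which that line used to normalize to `true`, now reaches `OpenSSL::SSL::SSLContext.new(flag)` and raises, and the `started? and @use_ssl != flag` guard now fires when a caller re-sets the same intent in a different form. Keep the normalization and capture the version ahead of it, e.g. `version = flag.is_a?(Symbol) ? flag : nil` followed by the original `flag = (flag ? true : false)`, then build `OpenSSL::SSL::SSLContext.new(version)` (or `.new` when version is nil) under the existing `if flag and not @ssl_context`. The diff as posted also lacks its `@@` hunk header and file names, which the redmine ticket will need to apply it.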

I have already submitted the ticket.
--
Posted via http://www.ruby-forum.com/.