How to use TLS1 but not SSLv2/3 in HTTPS?

Hello All

I need to connect over HTTPS to an Apache server that only supports the
TLS1 protocol.
How do I switch to using ONLY TLS1 in the https module? I searched the
internet for a long while and found nothing useful for me.

The Apache server itself is OK. I could connect to it with IE using
TLS1.
My Ruby scripts are also OK for HTTPS connections to the other, regular
Apache servers.
And from the httpd log, it is confirmed that the error is raised by a wrong
version number.

My ruby version: ruby 1.8.6

Thanks in advance for your help!

Best Regards
Liping

Liping Bao wrote:

Hello All

I need to connect over HTTPS to an Apache server that only supports the
TLS1 protocol.
How do I switch to using ONLY TLS1 in the https module? I searched the
internet for a long while and found nothing useful for me.

Have a look in the source code, probably somewhere like
/usr/lib/ruby/1.8/net/https.rb

You can see there is an instance variable @ssl_context which keeps the
SSL state. Now see the docs for this:

http://www.ruby-doc.org/core-1.9/classes/OpenSSL/SSL/SSLContext.html

It looks like you should be able to replace
SSLContext.new
with
SSLContext.new(:TLSv1)

Looking through the code, I think you can do this without
monkey-patching, by setting the @ssl_context variable before calling
use_ssl=true. Something like this (untested):

require 'net/https'
require 'uri'

uri = URI.parse(ARGV[0] || 'https://localhost/')
http = Net::HTTP.new(uri.host, uri.port)
if uri.scheme == "https"
  # Seed the context first so use_ssl= does not create the default one
  http.instance_eval { @ssl_context = OpenSSL::SSL::SSLContext.new(:TLSv1) }
  http.use_ssl = true
end

If this works, then go to redmine.ruby-lang.org and submit a ticket
suggesting this be made available as a feature, e.g.

— https.rb.orig 2009-12-03 09:27:56.000000000 +0000
+++ https.rb 2009-12-03 09:30:18.000000000 +0000
@@ -121,7 +121,7 @@
raise IOError, “use_ssl value changed, but session already
started”
if started? and @use_ssl != flag
if flag and not @ssl_context

  •    @ssl_context = OpenSSL::SSL::SSLContext.new
    
  •    @ssl_context = flag == true ? OpenSSL::SSL::SSLContext.new : 
    

OpenSSL::SSL::SSLContext.new(flag)
end
@use_ssl = flag
end
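Review bot: the new context is only built inside `if flag and not @ssl_context`, so if an @ssl_context already exists (for instance after an earlier `use_ssl = true`) a later `use_ssl = :TLSv1` is silently ignored and the old context, with the default protocol, is kept. Either rebuild the context whenever `flag` is a Symbol, or raise when a version is requested but a context is already present, so the caller learns the version was not applied.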
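On current Ruby (2.5 and later) the same restriction no longer needs the @ssl_context instance_eval trick from the post above: Net::HTTP exposes min_version and max_version directly, and pinning both to one value excludes SSLv3 and every other TLS version in a single place. The following is an added example written for this thread, not code from the original posts or from Ruby's net/http; the function names tls_pinned_client, tls_pinned_context and offered_versions are my own, and https://localhost/ is only the thread's placeholder URL (nothing is connected, the context is built by Net::HTTP when #start runs).

```ruby
# Added example (not from the thread): pin a Net::HTTP client, or a bare
# OpenSSL::SSL::SSLContext, to exactly one TLS protocol version.
# Assumes Ruby >= 2.5 (Net::HTTP#min_version / #max_version exist);
# the thread's Ruby 1.8.6 needed the @ssl_context workaround instead.
require 'net/http'
require 'openssl'
require 'uri'

# Return a Net::HTTP client whose handshake will only offer `version`
# (an OpenSSL::SSL::*_VERSION constant such as OpenSSL::SSL::TLS1_VERSION).
# Nothing is connected here; Net::HTTP builds its SSLContext in #start.
def tls_pinned_client(url, version)
  uri = URI.parse(url)
  http = Net::HTTP.new(uri.host, uri.port)
  return http unless uri.scheme == 'https'

  http.use_ssl = true
  # Equal bounds: SSLv3 and every other TLS version are excluded.
  http.min_version = version
  http.max_version = version
  # Peer verification stays on; pinning the version is not a reason to drop it.
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http
end

# The same restriction expressed on a raw SSLContext, for code that drives
# OpenSSL::SSL::SSLSocket itself instead of going through Net::HTTP.
def tls_pinned_context(version)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.min_version = version
  ctx.max_version = version
  # Also set the legacy option bits older code used to exclude SSLv2/SSLv3,
  # so the intent is visible to anything that inspects ctx.options.
  ctx.options |= OpenSSL::SSL::OP_NO_SSLv2 | OpenSSL::SSL::OP_NO_SSLv3
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx
end

# List the protocol names a client configured with tls_pinned_client
# would offer, as a pre-deployment sanity check: the thread's
# "wrong version number" error is the server rejecting a version it
# does not support.
def offered_versions(http)
  table = [
    ['SSLv3',   OpenSSL::SSL::SSL3_VERSION],
    ['TLSv1',   OpenSSL::SSL::TLS1_VERSION],
    ['TLSv1.1', OpenSSL::SSL::TLS1_1_VERSION],
    ['TLSv1.2', OpenSSL::SSL::TLS1_2_VERSION],
  ]
  # TLS 1.3 constant only exists when the linked OpenSSL supports it.
  if OpenSSL::SSL.const_defined?(:TLS1_3_VERSION)
    table << ['TLSv1.3', OpenSSL::SSL::TLS1_3_VERSION]
  end
  lo = http.min_version || table.first.last
  hi = http.max_version || table.last.last
  table.select { |_, v| v.between?(lo, hi) }.map(&:first)
end

# Stand-alone demo: a client restricted to the thread's TLS1-only server.
if __FILE__ == $PROGRAM_NAME
  client = tls_pinned_client('https://localhost/', OpenSSL::SSL::TLS1_VERSION)
  puts "offered: #{offered_versions(client).join(', ')}"
end
```

A caveat worth knowing before reusing the TLS1 pin today: OpenSSL 3 builds run at security level 1 by default, which refuses TLS 1.0 and 1.1 handshakes regardless of what the context asks for, so a client pinned to TLS1_VERSION on such a build fails at #start rather than at configuration time. That is a deliberate hardening of the library, and the right fix is on the server side (enabling TLS 1.2 or later), not lowering the client's security level.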

Brian C. wrote:

if uri.scheme == "https"
  http.instance_eval { @ssl_context = OpenSSL::SSL::SSLContext.new(:TLSv1) }
  http.use_ssl = true
end

Thanks a lot! It works for me.

       if started? and @use_ssl != flag
   if flag and not @ssl_context
  •    @ssl_context = OpenSSL::SSL::SSLContext.new
    
  •    @ssl_context = flag == true ? OpenSSL::SSL::SSLContext.new : 
    

OpenSSL::SSL::SSLContext.new(flag)
end
Sorry, I do not understand the code segment. What kind of improvement
do you mean? I think the current usage is ok for me.

Liping Bao wrote:

Brian C. wrote:

if uri.scheme == "https"
  http.instance_eval { @ssl_context = OpenSSL::SSL::SSLContext.new(:TLSv1) }
  http.use_ssl = true
end

Thanks a lot! It works for me.

       if started? and @use_ssl != flag
   if flag and not @ssl_context
  •    @ssl_context = OpenSSL::SSL::SSLContext.new
    
  •    @ssl_context = flag == true ? OpenSSL::SSL::SSLContext.new : 
    

OpenSSL::SSL::SSLContext.new(flag)
end
Sorry, I do not understand the code segment. What kind of improvement
do you mean? I think the current usage is ok for me.

It would let you say

http.use_ssl = :TLSv1

It would let you say

http.use_ssl = :TLSv1

Thanks, I got it. I tried your diff, and with a little change, it does
work.
Here is the final diff.

  • flag = (flag ? true : false)
    raise IOError, “use_ssl value changed, but session already
    started”
    if started? and @use_ssl != flag
    if flag and not @ssl_context
  •    @ssl_context = OpenSSL::SSL::SSLContext.new
    
  •    @ssl_context = flag == true ? OpenSSL::SSL::SSLContext.new :
    

OpenSSL::SSL::SSLContext.new(flag)
end
@use_ssl = flag
end
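Review bot: dropping the `flag = (flag ? true : false)` line changes behaviour for every caller that passed a truthy value other than `true`: before, such a value was coerced to `true`; after this diff it falls through `flag == true ?` into `OpenSSL::SSL::SSLContext.new(flag)`, which will reject anything that is not a known method symbol, and `@use_ssl = flag` then stores the raw value instead of a boolean. Keep the coercion for non-Symbol values (for example, only skip it when `flag.is_a?(Symbol)`) or, as suggested later in the thread, put the version on a separate accessor so `use_ssl=` keeps its boolean contract.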

I have already submitted the ticket.

Liping Bao wrote:

Thanks, I got it. I tried your diff, and with a little change, it does
work.
Here is the final diff.

  • flag = (flag ? true : false)

Ah, I didn’t spot that. This means that it would be a
backwards-incompatible change. Maybe it would be better to have another
accessor then.