Add no_tlsv1_3 to Puma::DSL#ssl_bindings and Puma::MiniSSL::Context #2426
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -45,8 +45,9 @@ def context | |
ctx.ssl_cipher_filter = params['ssl_cipher_filter'] if params['ssl_cipher_filter'] | ||
end | ||
|
||
ctx.no_tlsv1 = true if params['no_tlsv1'] == 'true' | ||
ctx.no_tlsv1 = true if params['no_tlsv1'] == 'true' | ||
ctx.no_tlsv1_1 = true if params['no_tlsv1_1'] == 'true' | ||
ctx.no_tlsv1_3 = true if params['no_tlsv1_3'] == 'true' | ||
At what point do we decide there's a more elegant interface here than just disabling individual TLS minor versions? I seem to remember something was discussed a long ways back...

When we drop support for OpenSSL 1.0.2? 1.1.1 has min/max functions, with 1.0.2 you have to supply a list of allowed protocols. JFYI, TLSv1.2 came out in 2008, TLSv1.3 in 2018. What we have now will probably work for a few years...
||
|
||
if params['verify_mode'] | ||
ctx.verify_mode = case params['verify_mode'] | ||
|
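Review bot: On the added `ctx.no_tlsv1_3` line the check is an exact match against the string 'true', the same as the two `no_tlsv1*` lines above it, so unless the value is normalized before it reaches this method, a setting such as 'True' or '1' leaves TLSv1.3 enabled with no error or warning. For an option that restricts protocol versions, a silent no-op is easy to miss in a deployment review; consider validating the value in one place for all three options and raising on anything other than 'true' or 'false', and document the accepted value next to the new option.
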
I've just realized how silly it is that we pass around arguments to `bind` internally as a string rather than as arguments. File that one away for the future...