httpclient

Support setting SSLContext#min_version and #max_version

Open bdewater opened this issue 7 years ago • 1 comments

The functionality in the OpenSSL gem was introduced in ruby/openssl#142 and supported by Net::HTTP in Ruby 2.5: https://github.com/ruby/ruby/commit/dcea9198a9d80bdf4eeacd9d9e9d883850a4a8d2

An example of why this might be useful: for payment data, the PCI DSS mandates that TLS 1.1 or newer is used after June 30. Using ssl_version would disallow the client negotiating TLS 1.2 (or 1.3 in the near future) if both sides support it; min_version doesn't have this problem.

bdewater May 03 '18 15:05

Another use case for this is the reverse.

The official Ruby images include default OpenSSL configuration restricting the min version to TLSv1.2. We talk to some old servers out of our control that cannot satisfy this requirement and would want to permit this at the code level. Currently we have to change the default at the OS level rather than allowing it in a more targeted fashion.

gshutler Sep 11 '19 14:09