authorsawanoboly <sawanoboriyu@higanworks.com>2014-11-27 11:57:39 +0900
committersawanoboly <sawanoboriyu@higanworks.com>2014-11-27 11:57:39 +0900
commitc3ba7bd3ee1c7226381cbaf3f7ff54bb5f60491a (patch)
treea87e6a11f68863188eb38b7fe023c6e63de6d454
parent8788aa9da7f3c420bcab8d001208d4cb2cfc4883 (diff)
downloadchef-zero-c3ba7bd3ee1c7226381cbaf3f7ff54bb5f60491a.tar.gz
disable sslv3 and few unsecure options
-rw-r--r--lib/chef_zero/server.rb12
1 files changed, 12 insertions, 0 deletions
diff --git a/lib/chef_zero/server.rb b/lib/chef_zero/server.rb
index fb2b127..d8ae623 100644
--- a/lib/chef_zero/server.rb
+++ b/lib/chef_zero/server.rb
@@ -234,6 +234,7 @@ module ChefZero
:AccessLog => [],
:Logger => WEBrick::Log.new(StringIO.new, 7),
:SSLEnable => options[:ssl],
+ :SSLOptions => ssl_opts,
:SSLCertName => [ [ 'CN', WEBrick::Utils::getservername ] ],
:StartCallback => proc {
@running = true
@@ -597,5 +598,16 @@ module ChefZero
end
value
end
+
+ ## Disable unsecure ssl
+ ## Ref: https://www.ruby-lang.org/en/news/2014/10/27/changing-default-settings-of-ext-openssl/
+ def ssl_opts
+ ssl_opts = OpenSSL::SSL::OP_ALL
+ ssl_opts &= ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS if defined?(OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS)
+ ssl_opts |= OpenSSL::SSL::OP_NO_COMPRESSION if defined?(OpenSSL::SSL::OP_NO_COMPRESSION)
+ ssl_opts |= OpenSSL::SSL::OP_NO_SSLv2 if defined?(OpenSSL::SSL::OP_NO_SSLv2)
+ ssl_opts |= OpenSSL::SSL::OP_NO_SSLv3 if defined?(OpenSSL::SSL::OP_NO_SSLv3)
+ ssl_opts
+ end
end
end
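Review bot: The comment above `ssl_opts` ("Disable unsecure ssl") does not say why each bit is changed, and the one flag that is cleared rather than set is the least obvious. I would expand it to something like `# OP_ALL enables OP_DONT_INSERT_EMPTY_FRAGMENTS, which switches off the CBC empty-fragment countermeasure, so clear it; then disable TLS compression and SSLv2/SSLv3.` The local `ssl_opts` also shadows the method name; `opts = OpenSSL::SSL::OP_ALL` would read more clearly. Each `defined?` guard skips its flag silently, so on an OpenSSL build lacking `OP_NO_SSLv3` the listener would presumably still negotiate SSLv3 with no indication; a debug log line or a test on the returned mask would make that visible. The enclosing class begins outside the hunk, so whether this helper lands in a private section cannot be confirmed from here.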