From c3ba7bd3ee1c7226381cbaf3f7ff54bb5f60491a Mon Sep 17 00:00:00 2001
From: sawanoboly <sawanoboriyu@higanworks.com>
Date: Thu, 27 Nov 2014 11:57:39 +0900
Subject: disable sslv3 and few unsecure options

---
 lib/chef_zero/server.rb | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/lib/chef_zero/server.rb b/lib/chef_zero/server.rb
index fb2b127..d8ae623 100644
--- a/lib/chef_zero/server.rb
+++ b/lib/chef_zero/server.rb
@@ -234,6 +234,7 @@ module ChefZero
         :AccessLog   => [],
         :Logger      => WEBrick::Log.new(StringIO.new, 7),
         :SSLEnable  => options[:ssl],
+        :SSLOptions  => ssl_opts,
         :SSLCertName  => [ [ 'CN', WEBrick::Utils::getservername ] ],
         :StartCallback => proc {
           @running = true
@@ -597,5 +598,16 @@ module ChefZero
       end
       value
     end
+
+    ## Disable unsecure ssl
+    ## Ref: https://www.ruby-lang.org/en/news/2014/10/27/changing-default-settings-of-ext-openssl/
+    def ssl_opts
+      ssl_opts = OpenSSL::SSL::OP_ALL
+      ssl_opts &= ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS if defined?(OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS)
+      ssl_opts |= OpenSSL::SSL::OP_NO_COMPRESSION if defined?(OpenSSL::SSL::OP_NO_COMPRESSION)
+      ssl_opts |= OpenSSL::SSL::OP_NO_SSLv2 if defined?(OpenSSL::SSL::OP_NO_SSLv2)
+      ssl_opts |= OpenSSL::SSL::OP_NO_SSLv3 if defined?(OpenSSL::SSL::OP_NO_SSLv3)
+      ssl_opts
+    end
   end
 end
-- 
cgit v1.2.1