Skip to content

Commit 3b05e60

Browse files
committed
Only set min_version on OpenSSL < 1.1.0
Both Red Hat and Debian-like systems configure the minimum TLS version to be 1.2 by default, but allow users to change this via configs. On Red Hat and derivatives this happens via crypto-policies[1], which in writes settings in /etc/crypto-policies/back-ends/opensslcnf.config. Most notably, it sets TLS.MinProtocol there. For Debian there's MinProtocol in /etc/ssl/openssl.cnf. Both default to TLSv1.2, which is considered a secure default. In constrast, the SSLContext has a hard coded OpenSSL::SSL::TLS1_VERSION for min_version. TLS 1.0 and 1.1 are considered insecure. By always setting this in the default parameters, the system wide default can't be respected, even if a developer wants to. This takes the approach that's also done for ciphers: it's only set for OpenSSL < 1.1.0. [1]: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/using-the-system-wide-cryptographic-policies_security-hardening
1 parent 1fa9fc5 commit 3b05e60

File tree

1 file changed

+1
-1
lines changed

1 file changed

+1
-1
lines changed

lib/openssl/ssl.rb

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -22,7 +22,6 @@ module OpenSSL
2222
module SSL
2323
class SSLContext
2424
DEFAULT_PARAMS = { # :nodoc:
25-
:min_version => OpenSSL::SSL::TLS1_VERSION,
2625
:verify_mode => OpenSSL::SSL::VERIFY_PEER,
2726
:verify_hostname => true,
2827
:options => -> {
@@ -55,6 +54,7 @@ class SSLContext
5554
if !(OpenSSL::OPENSSL_VERSION.start_with?("OpenSSL") &&
5655
OpenSSL::OPENSSL_VERSION_NUMBER >= 0x10100000)
5756
DEFAULT_PARAMS.merge!(
57+
min_version: OpenSSL::SSL::TLS1_VERSION,
5858
ciphers: %w{
5959
ECDHE-ECDSA-AES128-GCM-SHA256
6060
ECDHE-RSA-AES128-GCM-SHA256

0 commit comments

Comments
 (0)