ssl: do not clear existing SSL options in SSLContext#set_params
Apply SSL options set in DEFAULT_PARAMS without clearing existing
options, which may be set by a system-wide configuration file.

With a fresh installation of OpenSSL 3.3.1, this change will enable the
OpenSSL::SSL::OP_ENABLE_MIDDLEBOX_COMPAT option for users of
SSLContext#set_params.
rhenium committed Jun 12, 2024
1 parent eb6d489 commit 3768b28
Showing 2 changed files with 3 additions and 1 deletion.
2 changes: 1 addition & 1 deletion lib/openssl/ssl.rb
Expand Up @@ -144,7 +144,7 @@ def initialize(version = nil)
# used.
def set_params(params={})
params = DEFAULT_PARAMS.merge(params)
self.options = params.delete(:options) # set before min_version/max_version
self.options |= params.delete(:options) # set before min_version/max_version
params.each{|name, value| self.__send__("#{name}=", value) }
if self.verify_mode != OpenSSL::SSL::VERIFY_NONE
unless self.ca_file or self.ca_path or self.cert_store
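Review bot: The doc comment above set_params (the context line ending in `# used.`) is left unchanged, but with `self.options |= params.delete(:options)` the `:options` value is now OR-ed into the context's current mask instead of replacing it. A caller who passed `set_params(options: ...)` to reset the mask can no longer clear a bit this way, so the comment should state that options are additive and that clearing a flag requires assigning `ctx.options` directly. Separately, a caller-supplied `options: nil` overrides the default in `DEFAULT_PARAMS.merge(params)` and would now reach `|` with a nil operand; consider guarding it or documenting that `:options` must be an Integer.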
2 changes: 2 additions & 0 deletions test/openssl/test_ssl.rb
Expand Up @@ -54,6 +54,8 @@ def test_ctx_options_config
assert_separately([{ "OPENSSL_CONF" => f.path }, "-ropenssl"], <<~"end;")
ctx = OpenSSL::SSL::SSLContext.new
assert_equal OpenSSL::SSL::OP_NO_TICKET, ctx.options & OpenSSL::SSL::OP_NO_TICKET
ctx.set_params
assert_equal OpenSSL::SSL::OP_NO_TICKET, ctx.options & OpenSSL::SSL::OP_NO_TICKET
end;
}
end
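Review bot: The added assertion after `ctx.set_params` only checks that the config-file bit (`OP_NO_TICKET`) survives; it does not check that the options from DEFAULT_PARAMS were also applied, so a regression that skipped the OR entirely would still pass. Consider adding an assertion that `ctx.options & OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:options]` equals the default mask after `set_params`, and a second case calling `set_params(options: ...)` with an explicit value to pin down the merged result.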