ssl: do not enable OpenSSL::SSL::OP_ALL by default

Respect the SSL options set by default by SSL_CTX() or by the system-wide OpenSSL configuration file. OpenSSL::SSL::SSLContext#initialize currently adds OpenSSL::SSL::OP_ALL on top of the default SSL options. Let's stop doing it. OpenSSL::SSL::OP_ALL is a set of options that changes OpenSSL's behavior to workaround various TLS implementation bugs. Using it is considered usually safe, but is not completely harmless.
rhenium · Jun 12, 2024 · eb6d489 · eb6d489
1 parent 9cd508a
commit eb6d489
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 3 deletions.
diff --git a/lib/openssl/ssl.rb b/lib/openssl/ssl.rb
@@ -125,7 +125,6 @@ class SSLContext
       # that this form is deprecated. New applications should use #min_version=
       # and #max_version= as necessary.
       def initialize(version = nil)
-        self.options |= OpenSSL::SSL::OP_ALL
         self.ssl_version = version if version
         self.verify_mode = OpenSSL::SSL::VERIFY_NONE
         self.verify_hostname = false

diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb
@@ -15,11 +15,16 @@ def test_bad_socket
     end
   end
 
+  def test_ctx_setup
+    ctx = OpenSSL::SSL::SSLContext.new
+    assert_equal true, ctx.setup
+    assert_predicate ctx, :frozen?
+    assert_equal nil, ctx.setup
+  end
+
   def test_ctx_options
     ctx = OpenSSL::SSL::SSLContext.new
 
-    assert (OpenSSL::SSL::OP_ALL & ctx.options) == OpenSSL::SSL::OP_ALL,
-           "OP_ALL is set by default"
     ctx.options = 4
     assert_equal 4, ctx.options & 4
     if ctx.options != 4
@@ -33,6 +38,26 @@ def test_ctx_options
     assert_equal nil, ctx.setup
   end
 
+  def test_ctx_options_config
+    Tempfile.create("openssl.cnf") { |f|
+      f.puts(<<~EOC)
+      openssl_conf = openssl_init
+      [openssl_init]
+      ssl_conf = ssl_module
+      [ssl_module]
+      system_default = tls_system_default
+      [tls_system_default]
+      Options = -SessionTicket
+      EOC
+      f.close
+
+      assert_separately([{ "OPENSSL_CONF" => f.path }, "-ropenssl"], <<~"end;")
+        ctx = OpenSSL::SSL::SSLContext.new
+        assert_equal OpenSSL::SSL::OP_NO_TICKET, ctx.options & OpenSSL::SSL::OP_NO_TICKET
+      end;
+    }
+  end
+
   def test_ssl_with_server_cert
     ctx_proc = -> ctx {
       ctx.cert = @svr_cert