Description
Background -
I'm working on some security-related things and want to verify what TLS/SSL protocol has been negotiated after a connection is made before I start trusting it. The world of TLS libraries is a bit inconsistent (ruby openssl has SSLContext#ssl_version= to set a specific version, Go tls has MinVersion for a minimum version). To avoid confusion, I want to ask the socket about its session before I move forward sending sensitive data over the encrypted channel.
Situation -
To do this check, SSLSocket has a #session to get me the OpenSSL::SSL::Session object. Under MRI, this seems to work, even if it's quite obscure. For example, to ask what was negotiated, Session#to_text will tell me.
>> OpenSSL::SSL::SSLContext::METHODS.reject { |x| x.to_s =~ /(server|client)/ }.each { |ver| ctx = OpenSSL::SSL::SSLContext.new; ctx.ssl_version = ver; s = OpenSSL::SSL::SSLSocket.new(TCPSocket.new("google.com", 443), ctx); s.connect; p ver => s.session.to_text.split("\n").grep(/Proto/).first.split(/ *: */).last }
{:TLSv1=>"TLSv1"}
{:TLSv1_2=>"TLSv1.2"}
{:TLSv1_1=>"TLSv1.1"}
{:SSLv3=>"SSLv3"}
{:SSLv23=>"TLSv1.2"}
This fails under JRuby 1.7.17 during the OpenSSL::SSL::SSLSocket#session call because OpenSSL::SSL::Session is not defined.
This is NOT a blocker. While I don't yet know of a run-time work-around, I can work around this by doing more extensive testing which I'll need to do anyway.
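
The check described in this report, written as a fail-closed guard. This is an added example, not code from the reporter or from JRuby. The helper names and the sample session text are hypothetical, and it assumes SSLSocket#ssl_version (present in MRI's openssl) may or may not exist on a given runtime, so it probes for it and otherwise falls back to parsing Session#to_text.

```ruby
# Oldest to newest; a protocol string not listed here is rejected (fail closed).
PROTOCOL_ORDER = %w[SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3].freeze

class WeakProtocolError < StandardError; end

# Pull the "Protocol  : TLSv1.2" field out of Session#to_text output.
def protocol_from_session_text(text)
  line = text.each_line.find { |l| l =~ /\A\s*Protocol\s*:/ }
  line && line.split(":", 2).last.strip
end

# Ask a connected socket what was negotiated. Prefers SSLSocket#ssl_version,
# then Session#to_text. Returns nil when the runtime offers neither, including
# the NameError raised when OpenSSL::SSL::Session is not defined.
def negotiated_protocol(sock)
  return sock.ssl_version if sock.respond_to?(:ssl_version)
  return nil unless sock.respond_to?(:session)
  session = sock.session
  session && protocol_from_session_text(session.to_text)
rescue NameError
  nil
end

# Raise unless the negotiated protocol is known and at least `minimum`.
# Call this after SSLSocket#connect and before writing anything sensitive.
def require_min_protocol!(sock, minimum = "TLSv1.2")
  floor = PROTOCOL_ORDER.index(minimum)
  raise ArgumentError, "unknown minimum #{minimum.inspect}" if floor.nil?
  proto = negotiated_protocol(sock)
  rank = PROTOCOL_ORDER.index(proto)
  if rank.nil? || rank < floor
    raise WeakProtocolError, "negotiated #{proto.inspect}, need >= #{minimum}"
  end
  proto
end

# Constructed sample of the relevant part of Session#to_text output.
SAMPLE_SESSION_TEXT = <<~TEXT
  SSL-Session:
      Protocol  : TLSv1.1
      Cipher    : ECDHE-RSA-AES128-SHA
TEXT
```

An undeterminable protocol is treated the same as a weak one, so a runtime that cannot answer the question never silently passes the check.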