Use more secure OpenSSL default ciphers

dbussink · dbussink · commit 7c1f5afbb1a7 · 2014-01-21T12:54:09.000+01:00
This makes sure we don't use weak ciphers when connecting to services
that run over SSL.
diff --git a/ext/openssl/lib/openssl/ssl.rb b/ext/openssl/lib/openssl/ssl.rb
@@ -20,13 +20,19 @@
 module OpenSSL
   module SSL
     class SSLContext
+      options = OpenSSL::SSL::OP_ALL
+      if defined?(OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS)
+        options &= ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS
+      end
+      if defined?(OpenSSL::SSL::OP_NO_COMPRESSION)
+        options |= OpenSSL::SSL::OP_NO_COMPRESSION
+      end
+
       DEFAULT_PARAMS = {
         :ssl_version => "SSLv23",
         :verify_mode => OpenSSL::SSL::VERIFY_PEER,
-        :ciphers => "ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW",
-        :options => defined?(OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS) ?
-          OpenSSL::SSL::OP_ALL & ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS :
-          OpenSSL::SSL::OP_ALL,
+        :ciphers => "DEFAULT:!aNULL:!eNULL:!LOW:!EXPORT:!SSLv2:!ADH",
+        :options => options,
       }
 
       DEFAULT_CERT_STORE = OpenSSL::X509::Store.new
