Skip to content

Commit a8e7b26

Browse files
kareskares
committed
JOSSL does not need DEFAULT_PARAMS[:ciphers]
also restore SSL_DEFAULT_CIPHER_LIST to 1.0.2 compat
1 parent cfaeb6d commit a8e7b26

File tree

2 files changed

+46
-41
lines changed

2 files changed

+46
-41
lines changed

lib/openssl/ssl.rb

Lines changed: 38 additions & 37 deletions
Original file line numberDiff line numberDiff line change
@@ -24,43 +24,44 @@ class SSLContext
2424
:options => OpenSSL::SSL::OP_ALL | OpenSSL::SSL::OP_NO_COMPRESSION
2525
}
2626

27-
if !(OpenSSL::OPENSSL_VERSION.start_with?("OpenSSL") &&
28-
OpenSSL::OPENSSL_VERSION_NUMBER >= 0x10100000)
29-
DEFAULT_PARAMS.merge!(
30-
ciphers: %w{
31-
ECDHE-ECDSA-AES128-GCM-SHA256
32-
ECDHE-RSA-AES128-GCM-SHA256
33-
ECDHE-ECDSA-AES256-GCM-SHA384
34-
ECDHE-RSA-AES256-GCM-SHA384
35-
DHE-RSA-AES128-GCM-SHA256
36-
DHE-DSS-AES128-GCM-SHA256
37-
DHE-RSA-AES256-GCM-SHA384
38-
DHE-DSS-AES256-GCM-SHA384
39-
ECDHE-ECDSA-AES128-SHA256
40-
ECDHE-RSA-AES128-SHA256
41-
ECDHE-ECDSA-AES128-SHA
42-
ECDHE-RSA-AES128-SHA
43-
ECDHE-ECDSA-AES256-SHA384
44-
ECDHE-RSA-AES256-SHA384
45-
ECDHE-ECDSA-AES256-SHA
46-
ECDHE-RSA-AES256-SHA
47-
DHE-RSA-AES128-SHA256
48-
DHE-RSA-AES256-SHA256
49-
DHE-RSA-AES128-SHA
50-
DHE-RSA-AES256-SHA
51-
DHE-DSS-AES128-SHA256
52-
DHE-DSS-AES256-SHA256
53-
DHE-DSS-AES128-SHA
54-
DHE-DSS-AES256-SHA
55-
AES128-GCM-SHA256
56-
AES256-GCM-SHA384
57-
AES128-SHA256
58-
AES256-SHA256
59-
AES128-SHA
60-
AES256-SHA
61-
}.join(":"),
62-
)
63-
end
27+
# JRuby does not want this non (recent) OpenSSL fallback to happen
28+
# if !(OpenSSL::OPENSSL_VERSION.start_with?("OpenSSL") &&
29+
# OpenSSL::OPENSSL_VERSION_NUMBER >= 0x10100000)
30+
# DEFAULT_PARAMS.merge!(
31+
# ciphers: %w{
32+
# ECDHE-ECDSA-AES128-GCM-SHA256
33+
# ECDHE-RSA-AES128-GCM-SHA256
34+
# ECDHE-ECDSA-AES256-GCM-SHA384
35+
# ECDHE-RSA-AES256-GCM-SHA384
36+
# DHE-RSA-AES128-GCM-SHA256
37+
# DHE-DSS-AES128-GCM-SHA256
38+
# DHE-RSA-AES256-GCM-SHA384
39+
# DHE-DSS-AES256-GCM-SHA384
40+
# ECDHE-ECDSA-AES128-SHA256
41+
# ECDHE-RSA-AES128-SHA256
42+
# ECDHE-ECDSA-AES128-SHA
43+
# ECDHE-RSA-AES128-SHA
44+
# ECDHE-ECDSA-AES256-SHA384
45+
# ECDHE-RSA-AES256-SHA384
46+
# ECDHE-ECDSA-AES256-SHA
47+
# ECDHE-RSA-AES256-SHA
48+
# DHE-RSA-AES128-SHA256
49+
# DHE-RSA-AES256-SHA256
50+
# DHE-RSA-AES128-SHA
51+
# DHE-RSA-AES256-SHA
52+
# DHE-DSS-AES128-SHA256
53+
# DHE-DSS-AES256-SHA256
54+
# DHE-DSS-AES128-SHA
55+
# DHE-DSS-AES256-SHA
56+
# AES128-GCM-SHA256
57+
# AES256-GCM-SHA384
58+
# AES128-SHA256
59+
# AES256-SHA256
60+
# AES128-SHA
61+
# AES256-SHA
62+
# }.join(":"),
63+
# )
64+
# end
6465

6566
if defined?(OpenSSL::PKey::DH)
6667
DEFAULT_2048 = OpenSSL::PKey::DH.new <<-_end_of_pem_

src/main/java/org/jruby/ext/openssl/CipherStrings.java

Lines changed: 8 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -224,18 +224,22 @@ public class CipherStrings {
224224
public final static String SSL_TXT_CMPALL = "COMPLEMENTOFALL";
225225
public final static String SSL_TXT_CMPDEF = "COMPLEMENTOFDEFAULT";
226226

227-
// "ALL:!aNULL:!eNULL:!SSLv2" is for OpenSSL 1.0.0 GA
228-
public final static String SSL_DEFAULT_CIPHER_LIST = "AES:ALL:!aNULL:!eNULL:!SSLv2:+RC4:@STRENGTH";
227+
// NOTE: Default list of TLSv1.2 (and earlier) ciphers deprecated in 3.0.0
228+
// "ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2" in OpenSSL 1.0.2
229+
public final static String SSL_DEFAULT_CIPHER_LIST; // = "AES:ALL:!aNULL:!eNULL:!SSLv2:+RC4:@STRENGTH";
229230
/*
230231
* The following cipher list is used by default. It also is substituted when
231232
* an application-defined cipher list string starts with 'DEFAULT'.
232233
* This applies to ciphersuites for TLSv1.2 and below.
233234
*/
234-
//public final static String SSL_DEFAULT_CIPHER_LIST = "ALL:!COMPLEMENTOFDEFAULT:!eNULL";
235-
/* This is the default set of TLSv1.3 ciphersuites */ // TODO REVIEW 1.3 cipher matching
235+
//public final static String SSL_DEFAULT_CIPHER_LIST = "ALL:!COMPLEMENTOFDEFAULT:!eNULL"; // OpenSSL 1.1.1
236+
/* This is the default set of TLSv1.3 ciphersuites */
236237
public final static String TLS_DEFAULT_CIPHERSUITES = "TLS_AES_256_GCM_SHA384:" +
237238
"TLS_CHACHA20_POLY1305_SHA256:" +
238239
"TLS_AES_128_GCM_SHA256";
240+
static { // TODO REVIEW 1.3 cipher matching
241+
SSL_DEFAULT_CIPHER_LIST = "ALL:!EXPORT:!LOW:!aNULL:!eNULL:!SSLv2"; // + ':' + TLS_DEFAULT_CIPHERSUITES;
242+
}
239243

240244
public final static long SSL_MKEY_MASK = 0x000000FFL;
241245
/* Bits for algorithm_mkey (key exchange algorithm) */

0 commit comments

Comments
 (0)