diff options
| author | Kazuki Yamaguchi <k@rhe.jp> | 2025-04-20 20:26:00 +0900 |
|---|---|---|
| committer | git <svn-admin@ruby-lang.org> | 2025-10-08 13:59:39 +0000 |
| commit | ea79fe225cc28960595b53cf20e698ec5bbddb0e (patch) | |
| tree | 596e3f926cc46aec6cc6440d31ea489d1ae127ad /ext/openssl/lib | |
| parent | 8dfe5403415fc1bd0c6ce56e5edd8749d081e33d (diff) | |
[ruby/openssl] ssl: use SSL_CTX_set_dh_auto() by default
Rely on OpenSSL's builtin DH parameters for TLS 1.2 and earlier instead
of providing a default SSLContext#tmp_dh_callback proc.
SSL_CTX_set_dh_auto() has been available since OpenSSL 1.1.0.
The parameters can still be overridden by specifying
SSLContext#tmp_dh_callback or #tmp_dh, as confirmed by existing tests.
SSLContext#tmp_dh_callback depends on a deprecated OpenSSL feature. We
also prefer not to hard-code parameters, which is a maintenance burden.
This change also improves Ractor compatibility by removing the
unshareable proc.
https://github.com/ruby/openssl/commit/9cfec9bf5e
Diffstat (limited to 'ext/openssl/lib')
| -rw-r--r-- | ext/openssl/lib/openssl/ssl.rb | 21 |
1 files changed, 1 insertions, 20 deletions
diff --git a/ext/openssl/lib/openssl/ssl.rb b/ext/openssl/lib/openssl/ssl.rb index 46509c333e..59e379635d 100644 --- a/ext/openssl/lib/openssl/ssl.rb +++ b/ext/openssl/lib/openssl/ssl.rb @@ -32,25 +32,6 @@ module OpenSSL }.call } - if defined?(OpenSSL::PKey::DH) - DH_ffdhe2048 = OpenSSL::PKey::DH.new <<-_end_of_pem_ ------BEGIN DH PARAMETERS----- -MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz -+8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a -87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 -YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi -7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD -ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg== ------END DH PARAMETERS----- - _end_of_pem_ - private_constant :DH_ffdhe2048 - - DEFAULT_TMP_DH_CALLBACK = lambda { |ctx, is_export, keylen| # :nodoc: - warn "using default DH parameters." if $VERBOSE - DH_ffdhe2048 - } - end - if !OpenSSL::OPENSSL_VERSION.start_with?("OpenSSL") DEFAULT_PARAMS.merge!( min_version: OpenSSL::SSL::TLS1_VERSION, @@ -457,7 +438,7 @@ ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg== end def tmp_dh_callback - @context.tmp_dh_callback || OpenSSL::SSL::SSLContext::DEFAULT_TMP_DH_CALLBACK + @context.tmp_dh_callback end def session_new_cb |