diff --git a/lib/net/http.rb b/lib/net/http.rb
index f64f7ba7..7b345293 100644
--- a/lib/net/http.rb
+++ b/lib/net/http.rb
@@ -660,6 +660,10 @@ class HTTPHeaderSyntaxError < StandardError; end
 # Sets the minimum SSL version.
 # - {#peer_cert}[rdoc-ref:Net::HTTP#peer_cert]:
 # Returns the X509 certificate chain for the session's socket peer.
+ # - {:ssl_options}[rdoc-ref:Net::HTTP#ssl_options]:
+ # Returns the SSL options.
+ # - {:ssl_options=}[rdoc-ref:Net::HTTP#ssl_options=]:
+ # Sets the SSL options.
 # - {:ssl_version}[rdoc-ref:Net::HTTP#ssl_version]:
 # Returns the SSL version.
 # - {:ssl_version=}[rdoc-ref:Net::HTTP#ssl_version=]:
@@ -1190,6 +1194,7 @@ def initialize(address, port = nil) # :nodoc:
 @use_ssl = false
 @ssl_context = nil
+ @ssl_options = nil
 @ssl_session = nil
 @sspi_enabled = false
 SSL_IVNAMES.each do |ivname|
@@ -1556,6 +1561,10 @@ def use_ssl=(flag)
 # Sets or returns the OpenSSL::PKey::RSA or OpenSSL::PKey::DSA object.
 attr_accessor :key
+ # Sets or returns the SSL options.
+ # See {OpenSSL::SSL::SSLContext#options=}[OpenSSL::SSL::SSL::Context#options=].
+ attr_accessor :ssl_options
+
 # Sets or returns the SSL timeout seconds.
 attr_accessor :ssl_timeout
@@ -1698,6 +1707,7 @@ def connect
 end
 end
 end
+ @ssl_context.options |= @ssl_options unless @ssl_options.nil?
 @ssl_context.set_params(ssl_parameters)
 unless @ssl_context.session_cache_mode.nil? # a dummy method on JRuby
 @ssl_context.session_cache_mode =
diff --git a/test/net/http/test_https.rb b/test/net/http/test_https.rb
index e860c874..f4c50fd3 100644
--- a/test/net/http/test_https.rb
+++ b/test/net/http/test_https.rb
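Review bot: The rdoc link target in the new comment above `attr_accessor :ssl_options` is spelled `OpenSSL::SSL::SSL::Context#options=`, which does not match the class named in the link text (`OpenSSL::SSL::SSLContext`), so the cross-reference will probably not resolve. The comment also omits that `connect` ORs this value into the context's options rather than assigning it, so the setter can add `OP_*` flags but cannot clear one that is already set, and some `OP_*` flags relax protocol checks rather than tighten them. Suggested wording: `# Sets or returns extra OpenSSL::SSL::OP_* flags; they are OR-ed into the context's options on connect and cannot clear a default.` followed by `# See {OpenSSL::SSL::SSLContext#options=}[OpenSSL::SSL::SSLContext#options=].`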
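Review bot: The OR into `@ssl_context.options` runs before `@ssl_context.set_params(ssl_parameters)`, so the caller's flags are still in force at handshake time only if `set_params` merges into `options` rather than assigning it; that method is not visible in this diff. If a supported OpenSSL binding assigns there, hardening flags such as `OP_NO_TLSv1` would be dropped without any error. Moving the line to just after `set_params` removes that dependency (it only adds bits, so it looks safe, but confirm against the min/max version handling), or keep the order and add `# relies on set_params OR-ing into options, not replacing them`. A non-Integer `ssl_options` also surfaces only here, inside `connect`, whose body starts and ends outside the hunk.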
@@ -286,6 +286,24 @@ def test_max_version
 assert_match(re_msg, ex.message)
 end
+ def test_ssl_options
+ ssl_options = OpenSSL::SSL::OP_NO_TLSv1 |
+ OpenSSL::SSL::OP_NO_TLSv1_1 |
+ OpenSSL::SSL::OP_NO_TLSv1_2 |
+ OpenSSL::SSL::OP_NO_TLSv1_3
+ http = Net::HTTP.new(HOST, config("port"))
+ http.use_ssl = true
+ http.ssl_options = ssl_options
+ http.cert_store = TEST_STORE
+ ex = assert_raise(OpenSSL::SSL::SSLError){
+ http.request_get("/") {|res| }
+ }
+ re_msg = /\ASSL_connect returned=1 errno=0 |no protocols available/
+ assert_match(re_msg, ex.message)
+ ssl_context = http.instance_variable_get(:@ssl_context)
+ assert_equal(ssl_options, ssl_context.options & ssl_options)
+ end
+
 end if defined?(OpenSSL::SSL)
 class TestNetHTTPSIdentityVerifyFailure < Test::Unit::TestCase
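Review bot: `test_ssl_options` references `OpenSSL::SSL::OP_NO_TLSv1_3` unconditionally; on an OpenSSL or LibreSSL build without TLS 1.3 support that constant may be undefined, and the test would then fail with NameError instead of being skipped. A guard as the first line, `omit("TLS 1.3 not available") unless defined?(OpenSSL::SSL::OP_NO_TLSv1_3)`, would cover that. The test also exercises only the all-protocols-disabled failure path; a second case that sets a single flag and asserts a successful request plus the flag on the context would show that `ssl_options` restricts the handshake rather than merely breaking it. In `re_msg`, `\A` binds only to the first alternative, which may be intended but deserves a short comment.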