Feature #9613

Warn about unsafe ossl ciphers

Added by Zachary Scott over 1 year ago. Updated 26 days ago.



As of r45274, we now have a sane whitelist of available OpenSSL ciphers. However, this patch breaks backwards compatibility for any apps that use any ciphers not whitelisted.


  • Implement a new class: OpenSSL::SSL::Ciphers
    • This class defines a constant for every whitelisted cipher used by DEFAULT_PARAMS[:ciphers]
    • Any constant not found within this class should raise a warning and report to the user
  • Add an OpenSSL::SSL::Configuration class
    • Designed to default to no compression, and no sslv2/v3
    • Used by DEFAULT_PARAMS[:options]
    • This class may contain helper methods such as: #compression_enabled?


  • We don't break anything without warning users first
  • Maintaining future whitelist ciphers is easier
  • Future unsupported/blacklist ciphers are already dismissed
  • Users are able to extend cipher lists to support their needs (by adding a constant to OpenSSL::SSL::Ciphers)


I have discussed this with Martin, and we'd like to open up this discussion for feedback. We're particularly concerned about backporting r45274 as it breaks compatibility. We should also consider:

  • Do we backport both patches or just the warning?
  • Should we bother backporting deprecation warnings?
    • Since r45274 is not a security fix, do we consider this a bug?
    • Rails only introduces deprecation notices in new minor releases (i.e. Ruby 2.2.0)
  • r45274 is a major change that could break existing apps, even considering security
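An added sketch of the two classes the proposal above describes, written here as an illustration; it is not code from ruby/openssl, from r45274, or from the issue's authors. The whitelist is a constructed subset (the real DEFAULT_PARAMS[:ciphers] list is longer and is not reproduced), the constant-name mapping (dashes to underscores) and the "only dash-separated entries are suite names" heuristic in unsafe_in are assumptions, and the class names OpenSSL::SSL::Ciphers and OpenSSL::SSL::Configuration are simply the ones the proposal uses:

```ruby
require "openssl"

# Added example sketching the two classes the proposal describes; this is not
# code from ruby/openssl or from r45274. The whitelist is a constructed subset:
# the real DEFAULT_PARAMS[:ciphers] list is longer and is not reproduced here.
module OpenSSL
  module SSL
    # One constant per whitelisted cipher; a reference to any other constant
    # hits const_missing, which warns but still returns the cipher name so the
    # application keeps running (the "warn before breaking" goal of the issue).
    module Ciphers
      WHITELIST = %w[
        ECDHE-RSA-AES128-GCM-SHA256
        ECDHE-ECDSA-AES128-GCM-SHA256
        ECDHE-RSA-AES256-GCM-SHA384
        DHE-RSA-AES128-GCM-SHA256
        AES128-GCM-SHA256
      ].freeze

      # "ECDHE-RSA-AES128-GCM-SHA256" -> :ECDHE_RSA_AES128_GCM_SHA256 (assumed mapping)
      def self.constant_name(cipher)
        cipher.tr("-", "_").upcase.to_sym
      end

      WHITELIST.each { |c| const_set(constant_name(c), c) }

      def self.whitelisted?(cipher)
        WHITELIST.include?(cipher)
      end

      # Ciphers the process has already been warned about, for inspection.
      def self.warned
        @warned ||= []
      end

      def self.const_missing(name)
        cipher = name.to_s.tr("_", "-")
        warned << cipher
        warn "OpenSSL::SSL::Ciphers: #{cipher} is not whitelisted and may be " \
             "dropped from the default cipher list in a future release"
        cipher
      end

      # Names in an OpenSSL cipher-list string ("A:B:!C:HIGH") that are not
      # whitelisted. Entries prefixed with !, -, + or @ are modifiers and bare
      # words such as HIGH or aNULL are keyword groups, so only dash-separated
      # suite names are checked (a heuristic assumed here, not OpenSSL's parser).
      def self.unsafe_in(cipher_string)
        cipher_string.split(":").select do |entry|
          !entry.start_with?("!", "-", "+", "@") &&
            entry.include?("-") && !whitelisted?(entry)
        end
      end
    end

    # Builds the value for DEFAULT_PARAMS[:options]: no compression and no
    # SSLv2/SSLv3 unless a caller explicitly turns them back on.
    class Configuration
      def initialize(compression: false, sslv2: false, sslv3: false)
        @compression = compression
        @sslv2 = sslv2
        @sslv3 = sslv3
      end

      def compression_enabled?; @compression; end
      def sslv2_enabled?;       @sslv2;       end
      def sslv3_enabled?;       @sslv3;       end

      def options
        opts = OpenSSL::SSL::OP_ALL
        opts |= OpenSSL::SSL::OP_NO_COMPRESSION unless @compression
        opts |= OpenSSL::SSL::OP_NO_SSLv2       unless @sslv2
        opts |= OpenSSL::SSL::OP_NO_SSLv3       unless @sslv3
        opts
      end

      # Apply to a context, e.g. the one a server or client is about to use.
      def apply(ctx)
        ctx.options = options
        ctx
      end
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  # The first suite is whitelisted; RC4-SHA and DES-CBC3-SHA are flagged;
  # "HIGH" and "!aNULL" are left alone because they are not suite names.
  p OpenSSL::SSL::Ciphers.unsafe_in("ECDHE-RSA-AES128-GCM-SHA256:RC4-SHA:HIGH:!aNULL:DES-CBC3-SHA")
  p OpenSSL::SSL::Ciphers::RC4_SHA   # warns on stderr, still returns "RC4-SHA"
  ctx = OpenSSL::SSL::Configuration.new.apply(OpenSSL::SSL::SSLContext.new)
  p((ctx.options & OpenSSL::SSL::OP_NO_SSLv3) != 0)
end
```

The warning path deliberately returns the cipher name rather than raising, which is what lets a backported warning ship ahead of the whitelist change itself. Note that OP_NO_SSLv2 is defined as 0 by OpenSSL 1.1.0 and later (SSLv2 support was removed), so a check for that bit alone says nothing on modern builds; OP_NO_SSLv3 and OP_NO_COMPRESSION remain meaningful.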

Related issues

Related to Backport21 - Backport #9640: Please backport SSL fixes to 2.1 (Closed, 03/15/2014)


#1 Updated by Yui NARUSE over 1 year ago

#2 Updated by Christian Hofstaedtler over 1 year ago

Single datapoint: r45274 will likely end up in Debian jessie's ruby 2.1, and by extension probably in Ubuntu's ruby 2.1.

#3 Updated by Zachary Scott 26 days ago

  • Assignee set to openssl
  • Tracker changed from Bug to Feature
