Feature #9613

Warn about unsafe ossl ciphers

Added by Zachary Scott over 2 years ago. Updated 12 months ago.



As of r45274, we now have a sane whitelist of available OpenSSL ciphers. However, this patch breaks backwards compatibility for any apps that use any ciphers not whitelisted.


  • Implement a new class: OpenSSL::SSL::Ciphers
    • This class defines a constant for every whitelisted cipher used by DEFAULT_PARAMS[:ciphers]
    • Any constant not found within this class should raise a warning and report to the user
  • Add an OpenSSL::SSL::Configuration class
    • Designed to default to no compression, and no sslv2/v3
    • Used by DEFAULT_PARAMS[:options]
    • This class may contain helper methods such as: #compression_enabled?


  • We don't break anything, without warning users first
  • Maintaining future whitelist ciphers is easier
  • Future unsupported/blacklist ciphers are already dismissed
  • Users are able to extend cipher lists to support their needs (by adding a constant to OpenSSL::SSL::Ciphers)


I have discussed this with Martin, and we'd like to open up this discussion for feedback. We're particularly concerned about backporting r45274 as it breaks compatibility. We should also consider:

  • Do we backport both patches or just the warning?
  • Should we bother backporting deprecation warnings?
    • Since r45274 is not a security fix, do we consider this a bug?
    • Rails only introduces deprecation notices in new minor releases (i.e. Ruby 2.2.0)
  • r45274 is a major change that could break existing apps, even considering security
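The warn-before-breaking behaviour sketched in the proposal, as an added example that is not code from this ticket or from ruby/openssl: a whitelist check that reports each cipher outside the list instead of silently dropping it, and a configuration object whose defaults are no compression and no SSLv2/v3 with helpers like #compression_enabled?. The module, class and method names are this example's own, and the cipher names in WHITELIST are a constructed illustration, not the list r45274 ships.

```ruby
require 'openssl'
require 'stringio'

# Added example, not the ticket's or ruby/openssl's code. SafeSSL, its
# WHITELIST and Configuration are assumptions made for illustration only.
module SafeSSL
  # Constructed whitelist of standard OpenSSL suite names (not r45274's list).
  WHITELIST = %w[
    ECDHE-ECDSA-AES128-GCM-SHA256
    ECDHE-RSA-AES128-GCM-SHA256
    ECDHE-ECDSA-AES256-GCM-SHA384
    ECDHE-RSA-AES256-GCM-SHA384
    DHE-RSA-AES128-GCM-SHA256
    DHE-RSA-AES256-GCM-SHA384
  ].freeze

  # Split an OpenSSL cipher-list string ("A:B:!C:@STRENGTH") into suite names.
  # Exclusions ("!C", "-C") and directives ("@STRENGTH") name nothing to keep,
  # so they are skipped; the whitelist is checked against what remains.
  def self.suites(cipher_string)
    cipher_string.split(':').reject do |tok|
      tok.empty? || tok.start_with?('!', '-', '@')
    end
  end

  # Partition the caller's suites into [accepted, unlisted] and emit one warning
  # per unlisted suite on +io+ (stderr by default). Nothing is raised: the app
  # keeps running with its old list, but the operator is told what will go.
  def self.check(cipher_string, io: $stderr)
    accepted, unlisted = suites(cipher_string).partition { |s| WHITELIST.include?(s) }
    unlisted.each do |s|
      io.puts "warning: cipher #{s} is not in the SSL cipher whitelist " \
              "and will be removed from the default list in a future release"
    end
    [accepted, unlisted]
  end

  # Stand-in for the proposed OpenSSL::SSL::Configuration: the secure settings
  # are the defaults, each can be queried, and #options yields the bitmask
  # that OpenSSL::SSL::SSLContext#options= expects.
  class Configuration
    def initialize(compression: false, sslv2: false, sslv3: false)
      @compression = compression
      @sslv2 = sslv2
      @sslv3 = sslv3
    end

    def compression_enabled?; @compression; end
    def sslv2_enabled?;       @sslv2;       end
    def sslv3_enabled?;       @sslv3;       end

    # Start from OP_ALL (the usual bug-workaround bits) and add a NO_* bit for
    # every feature that is off. The defined? guards matter: OP_NO_COMPRESSION
    # only exists from OpenSSL 1.0.0, and OP_NO_SSLv2 is 0 on OpenSSL >= 1.1.0
    # where SSLv2 no longer exists, so a bit test cannot prove SSLv2 is off
    # there; the boolean query above is the reliable source of truth.
    def options
      opts = OpenSSL::SSL::OP_ALL
      opts |= OpenSSL::SSL::OP_NO_COMPRESSION if !@compression && defined?(OpenSSL::SSL::OP_NO_COMPRESSION)
      opts |= OpenSSL::SSL::OP_NO_SSLv2 if !@sslv2 && defined?(OpenSSL::SSL::OP_NO_SSLv2)
      opts |= OpenSSL::SSL::OP_NO_SSLv3 if !@sslv3 && defined?(OpenSSL::SSL::OP_NO_SSLv3)
      opts
    end

    # Apply the checked cipher list and the option bits to a real context.
    def apply_to(ctx, cipher_string, io: $stderr)
      accepted, _unlisted = SafeSSL.check(cipher_string, io: io)
      ctx.options = options
      ctx.ciphers = accepted.join(':') unless accepted.empty?
      ctx
    end
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed input: one whitelisted suite, one legacy suite, one exclusion.
  accepted, unlisted = SafeSSL.check('ECDHE-RSA-AES128-GCM-SHA256:RC4-SHA:!aNULL:@STRENGTH')
  puts "accepted: #{accepted.inspect}, unlisted: #{unlisted.inspect}"
  cfg = SafeSSL::Configuration.new
  puts "compression enabled? #{cfg.compression_enabled?}, SSLv3 enabled? #{cfg.sslv3_enabled?}"
end
```

An app that passes its own `:ciphers` string through `SafeSSL.check` sees one warning per suite that the whitelist would drop, which is the "warn first, break later" path the proposal asks for; `Configuration#apply_to` then sets both the surviving cipher list and the no-compression/no-SSLv2/v3 option bits on an `SSLContext`.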

Related issues

Related to Backport21 - Backport #9640: Please backport SSL fixes to 2.1 Closed 03/15/2014


#1 [ruby-core:61559] Updated by Yui NARUSE over 2 years ago

#2 [ruby-core:61569] Updated by Christian Hofstaedtler over 2 years ago

Single datapoint: r45274 will likely end up in Debian jessie's ruby 2.1, and by extension probably in Ubuntu's ruby 2.1.

#3 Updated by Zachary Scott 12 months ago

  • Tracker changed from Bug to Feature
  • Assignee set to openssl
