Warn about unsafe ossl ciphers
As of r45274, we now have sane whitelist of available OpenSSL ciphers. However, this patch breaks backwards compatibility for any apps that use any ciphers not whitelisted.
- Implement a new class: OpenSSL::SSL::Ciphers
- This class defines a constant for every whitelisted cipher used by DEFAULT_PARAMS[:ciphers]
- Any constant not found within this class should raise a warning and report to the user
- Add an OpenSSL::SSL::Configuration class
- Designed to default to no compression, and no sslv2/v3
- Used by DEFAULT_PARAMS[:options]
- This class may contain helper methods such as: #compression_enabled?
- We don't break anything, without warning users first
- Maintaining future whitelist ciphers is easier
- Future unsupported/blacklist ciphers are already dismissed
- Users are able to extend cipher lists to support their needs (by adding a constant to OpenSSL::SSL::Ciphers)
I have discussed this with Martin, and we'd like to open up this discussion for feedback. We're particularly concerned about backporting r45274 as it breaks compatibility. We should also consider:
- Do we backport both patches or just the warning?
- Should we bother backporting deprecation warnings?
- Since r45274 is not a security fix, do we consider this a bug?
- Rails only introduces deprecation notices in new minor releases (ie: Ruby-2.2.0)
- r45274 is a major change that could break existing apps, even considering security