Feature #9613


Warn about unsafe ossl ciphers

Added by zzak (Zachary Scott) over 8 years ago. Updated about 7 years ago.

Target version:


As of r45274, we now have sane whitelist of available OpenSSL ciphers. However, this patch breaks backwards compatibility for any apps that use any ciphers not whitelisted.


  • Implement a new class: OpenSSL::SSL::Ciphers
    • This class defines a constant for every whitelisted cipher used by DEFAULT_PARAMS[:ciphers]
    • Any constant not found within this class should raise a warning and report to the user
  • Add an OpenSSL::SSL::Configuration class
    • Designed to default to no compression, and no sslv2/v3
    • Used by DEFAULT_PARAMS[:options]
    • This class may contain helper methods such as: #compression_enabled?


  • We don't break anything, without warning users first
  • Maintaining future whitelist ciphers is easier
  • Future unsupported/blacklist ciphers are already dismissed
  • Users are able to extend cipher lists to support their needs (by adding a constant to OpenSSL::SSL::Ciphers)


I have discussed this with Martin, and we'd like to open up this discussion for feedback. We're particularly concerned about backporting r45274 as it breaks compatibility. We should also consider:

  • Do we backport both patches or just the warning?
  • Should we bother backporting deprecation warnings?
    • Since r45274 is not a security fix, do we consider this a bug?
    • Rails only introduces deprecation notices in new minor releases (ie: Ruby-2.2.0)
  • r45274 is a major change that could break existing apps, even considering security

Related issues 1 (0 open1 closed)

Related to Backport21 - Backport #9640: Please backport SSL fixes to 2.1Closednagachika (Tomoyuki Chikanaga)03/15/2014Actions

Updated by naruse (Yui NARUSE) over 8 years ago

Updated by zeha (Christian Hofstaedtler) over 8 years ago

Single datapoint: r45274 will likely end up in Debian jessie's ruby 2.1, and by extension probably in Ubuntu's ruby 2.1.

Actions #3

Updated by zzak (Zachary Scott) about 7 years ago

  • Tracker changed from Bug to Feature
  • Assignee set to 7150

Also available in: Atom PDF