25

Is it possible to use TLSv1.2 or TLSv1.1 with Ruby?

I have compiled a Frankenstein version of Ruby using OpenSSL 1.0.1c (the latest available), and the only difference is that SSLv2 is now an option under OpenSSL::SSL::SSLContext::METHODS.

Is it possible to add TLSv1.2 to that list?

lcarpenter
  • A related prerequisite is OpenSSL 1.0.0 and above. OpenSSL 0.9.8 does *not* provide the protocols or cipher suites. – jww May 04 '15 at 17:41

1 Answer

38

Yes, we added TLS 1.1 & 1.2 support recently. It's as easy as setting ssl_version on your SSLContext:

require 'openssl'

ctx = OpenSSL::SSL::SSLContext.new
# Pin the context to TLS 1.2 only; the handshake fails if the peer does not support it.
ctx.ssl_version = :TLSv1_2

You may still continue to use the more generic :SSLv23 for maximum interoperability. It will have the effect that the newest protocol supported by the peer will be used for the connection. If your peer understands TLS 1.2, then it will be used. But as opposed to the above sample, if the peer does not speak 1.2, then the implementation will silently fall back to the best/newest version that the peer does understand - while in the above example, the connection would be rejected by the peer if it did not recognize 1.2.

For further details, also have a look at OpenSSL's own docs on the subject; you can transfer what's being said about TLSv1_method to TLSv1_1_method and TLSv1_2_method (represented in Ruby as :TLSv1, :TLSv1_1 and :TLSv1_2 respectively).

If your underlying OpenSSL supports TLS 1.2 (>= 1.0.1 does), you're good to go. However, this requires a Ruby build from trunk currently. But if we get no negative feedback in the meantime, it might well be that it will be backported to the next 1.9.3 release.

emboss
  • I would love to have this backported, is there anything I can do to help? – lcarpenter Jun 16 '12 at 15:36
  • Unless there will be complaints in the immediate future, I'm pretty confident that this will be backported to the next 1.9.3 release. If you'd like to expedite the process, you may open a ticket on http://bugs.ruby-lang.org/projects/ruby-193, assign it to me and tell me to backport r35549 and r35567 :) – emboss Jun 17 '12 at 14:42
  • @emboss was this ever backported to 1.9.3? – Bo Jeanes Jan 30 '14 at 18:02
  • @emboss, is the fix ever released? I installed ruby 2.00p451 but :TLSv1_1 or :TLSv1_2 are not supported. – gp. Mar 16 '14 at 12:48
  • Is there a way to use TLS1.0/1.1/1.2 but disable SSLv2/v3 client-side? It looks like if you use `:TLSv1_2` that you will break against any server which does not support TLS1.2, but the only method with fallback is `:SSLv23` which is not useful to prevent fallback to SSLv3. It would be good to point out that the 'maximum interoperability' of `:SSLv23` comes at the expense of exposure to BEAST and POODLE attacks, and likely nobody should be using it. – lamont Oct 15 '14 at 01:27
  • According to Ruby's Changelog, it's supported in 2.0.0 and up – Steven Soroka Oct 15 '14 at 14:45
  • Can you add this as multiple versions? Like ctx.ssl_version = :TLS1, :TLS1_1, :TLSv1_2? – Ba7a7chy Oct 17 '14 at 13:45
  • Can you please give me the path where to change ctx.ssl_version = :TLSv1_2 in Ruby on my system? – user1780370 Nov 23 '15 at 11:35
  • I have Ruby 2.3 and get this error: "/usr/lib/ruby/2.3.0/openssl/ssl.rb:125:in `ssl_version=': unknown SSL method `TLSv1.2'. (ArgumentError) " – appleLover Jul 08 '17 at 17:35
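The question lamont raises in the comments (keep the negotiate-the-newest behaviour of :SSLv23 but refuse SSLv2/SSLv3) can be answered with the context's options bits, and, on newer openssl gems, with min_version=. The following is an added example written for this page, not code from the answer or the Ruby project; the function names build_tls_context and ssl_disabled? and the floor parameter are my own.

```ruby
require 'openssl'

# Build a client context that negotiates the highest version both sides
# support (the :SSLv23 behaviour described in the answer) while making the
# SSLv2/SSLv3 fallback impossible. `floor` names the lowest TLS version to
# accept and is a parameter chosen for this example, not a Ruby API.
def build_tls_context(floor = :TLSv1)
  ctx = OpenSSL::SSL::SSLContext.new

  # Generic method: do not pin a single version, let the handshake pick.
  ctx.ssl_version = :SSLv23

  # Hard-disable the SSL protocols so "fall back to the best the peer
  # understands" can never land on SSLv3 (POODLE) or SSLv2.
  ctx.options |= OpenSSL::SSL::OP_NO_SSLv2 | OpenSSL::SSL::OP_NO_SSLv3

  # openssl gem 2.1+ (Ruby 2.5+) exposes min_version=; where it exists,
  # raise the floor to a TLS version instead of excluding versions one by one.
  if ctx.respond_to?(:min_version=)
    ctx.min_version = { TLSv1:   OpenSSL::SSL::TLS1_VERSION,
                        TLSv1_1: OpenSSL::SSL::TLS1_1_VERSION,
                        TLSv1_2: OpenSSL::SSL::TLS1_2_VERSION }.fetch(floor)
  end

  # Verify the server certificate; an unverified client negotiates
  # securely with whoever answers, which is not the goal here.
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx
end

# True when both SSL-era protocols are excluded on the context.
def ssl_disabled?(ctx)
  (ctx.options & OpenSSL::SSL::OP_NO_SSLv3) == OpenSSL::SSL::OP_NO_SSLv3 &&
    (ctx.options & OpenSSL::SSL::OP_NO_SSLv2) == OpenSSL::SSL::OP_NO_SSLv2
end
```

Pass the context to OpenSSL::SSL::SSLSocket.new(tcp_socket, ctx) as usual; a peer that only offers SSLv3 now fails the handshake instead of silently being accepted.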