abstract class OpenSSL::SSL::Context

Overview

An SSL::Context represents a generic secure socket protocol configuration.

For both server and client applications exist more specialized subclassses SSL::Context::Server and SSL::Context::Client which need to be instantiated appropriately.

Direct Known Subclasses

Defined in:

openssl/ssl/context.cr
openssl/ssl/defaults.cr

Constant Summary

CIPHER_SUITES_INTERMEDIATE = "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"

The list of secure ciphersuites on intermediate compatibility level as per Mozilla recommendations.

The oldest clients supported by this configuration are:

Firefox 27
Android 4.4.2
Chrome 31
Edge
IE 11 on Windows 7
Java 8u31
OpenSSL 1.0.1
Opera 20
Safari 9

This list represents version 5.7 of the intermediate configuration available at https://ssl-config.mozilla.org/guidelines/5.7.json.

See https://wiki.mozilla.org/Security/Server_Side_TLS for details.

CIPHER_SUITES_MODERN = "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"

The list of secure ciphersuites on modern compatibility level as per Mozilla recommendations.

The oldest clients supported by this configuration are:

Firefox 63
Android 10.0
Chrome 70
Edge 75
Java 11
OpenSSL 1.1.1
Opera 57
Safari 12.1

This list represents version 5.7 of the modern configuration available at https://ssl-config.mozilla.org/guidelines/5.7.json.

See https://wiki.mozilla.org/Security/Server_Side_TLS for details.

CIPHER_SUITES_OLD = "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"

The list of secure ciphersuites on old compatibility level as per Mozilla recommendations.

The oldest clients supported by this configuration are:

Firefox 1
Android 2.3
Chrome 1
Edge 12
IE8 on Windows XP
Java 6
OpenSSL 0.9.8
Opera 5
Safari 1

This list represents version 5.7 of the old configuration available at https://ssl-config.mozilla.org/guidelines/5.7.json.

See https://wiki.mozilla.org/Security/Server_Side_TLS for details.

CIPHERS_INTERMEDIATE = "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"

The list of secure ciphers on intermediate compatibility level as per Mozilla recommendations.

The oldest clients supported by this configuration are:

Firefox 27
Android 4.4.2
Chrome 31
Edge
IE 11 on Windows 7
Java 8u31
OpenSSL 1.0.1
Opera 20
Safari 9

This list represents version 5.7 of the intermediate configuration available at https://ssl-config.mozilla.org/guidelines/5.7.json.

See https://wiki.mozilla.org/Security/Server_Side_TLS for details.

CIPHERS_MODERN = "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"

The list of secure ciphers on modern compatibility level as per Mozilla recommendations.

The oldest clients supported by this configuration are:

Firefox 63
Android 10.0
Chrome 70
Edge 75
Java 11
OpenSSL 1.1.1
Opera 57
Safari 12.1

This list represents version 5.7 of the modern configuration available at https://ssl-config.mozilla.org/guidelines/5.7.json.

See https://wiki.mozilla.org/Security/Server_Side_TLS for details.

CIPHERS_OLD = "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"

The list of secure ciphers on old compatibility level as per Mozilla recommendations.

The oldest clients supported by this configuration are:

Firefox 1
Android 2.3
Chrome 1
Edge 12
IE8 on Windows XP
Java 6
OpenSSL 0.9.8
Opera 5
Safari 1

This list represents version 5.7 of the old configuration available at https://ssl-config.mozilla.org/guidelines/5.7.json.

See https://wiki.mozilla.org/Security/Server_Side_TLS for details.

Instance Method Summary

#add_modes(mode : OpenSSL::SSL::Modes)
Adds modes to the TLS context.
#add_options(options : OpenSSL::SSL::Options)
Adds options to the TLS context.
#add_x509_verify_flags(flags : OpenSSL::SSL::X509VerifyFlags)
Sets the given OpenSSL::SSL::X509VerifyFlags in this context, additionally to the already set ones.
#alpn_protocol=(protocol : String)
Specifies an ALPN protocol to negotiate with the remote endpoint.
#ca_certificates=(file_path : String)
Sets the path to a file containing all CA certificates, in PEM format, used to validate the peers certificate.
#ca_certificates_path=(dir_path : String)
Sets the path to a directory containing all CA certificates used to validate the peers certificate.
#certificate_chain=(file_path : String)
Specify the path to the certificate chain file to use.
#cipher_suites=(cipher_suites : String)
Specify a list of TLS cipher suites to use or discard.
#ciphers=(ciphers : String)
Specify a list of TLS ciphers to use or discard.
#default_verify_param=(name : String)
Sets this context verify param to the default one of the given name.
#finalize
#modes : LibSSL::Modes
Returns the current modes set on the TLS context.
#options : LibSSL::Options
Returns the current options set on the TLS context.
#private_key=(file_path : String)
Specify the path to the private key to use.
#remove_modes(mode : OpenSSL::SSL::Modes)
Removes modes from the TLS context.
#remove_options(options : OpenSSL::SSL::Options)
Removes options from the TLS context.
#security_level : Int32
Returns the security level used by this TLS context.
#security_level=(value : Int32)
Sets the security level used by this TLS context.
#set_default_verify_paths
Sets the default paths for #ca_certificates= and #ca_certificates_path=.
#set_intermediate_ciphers
Sets the current ciphers and ciphers suites to intermediate compatibility level as per Mozilla recommendations.
#set_modern_ciphers
Sets the current ciphers and ciphers suites to modern compatibility level as per Mozilla recommendations.
#set_old_ciphers
Sets the current ciphers and ciphers suites to old compatibility level as per Mozilla recommendations.
#set_tmp_ecdh_key(curve = LibCrypto::NID_X9_62_prime256v1) : Nil
Adds a temporary ECDH key curve to the TLS context.
#to_unsafe : LibSSL::SSLContext
#verify_mode : LibSSL::VerifyMode
Returns the current verify mode.
#verify_mode=(mode : OpenSSL::SSL::VerifyMode)
Sets the verify mode.

Instance methods inherited from class `Reference`

, , , , , , , ,

Constructor methods inherited from class `Reference`

Instance methods inherited from class `Object`

, , , , , , , , , , , , , , , , , , , , , , , , , ,

Class methods inherited from class `Object`

,

Instance Method Detail

def add_modes(mode : OpenSSL::SSL::Modes) #

Adds modes to the TLS context.

[View source]

def add_options(options : OpenSSL::SSL::Options) #

Adds options to the TLS context.

Example:

context.add_options(
  OpenSSL::SSL::Options::ALL |       # various workarounds
  OpenSSL::SSL::Options::NO_SSL_V2 | # disable overly deprecated SSLv2
  OpenSSL::SSL::Options::NO_SSL_V3   # disable deprecated SSLv3
)

[View source]

def add_x509_verify_flags(flags : OpenSSL::SSL::X509VerifyFlags) #

Sets the given OpenSSL::SSL::X509VerifyFlags in this context, additionally to the already set ones.

[View source]

def alpn_protocol=(protocol : String) #

Specifies an ALPN protocol to negotiate with the remote endpoint. This is required to negotiate HTTP/2 with browsers, since browser vendors decided not to implement HTTP/2 over insecure connections.

Example:

context.alpn_protocol = "h2"

[View source]

def ca_certificates=(file_path : String) #

Sets the path to a file containing all CA certificates, in PEM format, used to validate the peers certificate.

[View source]

def ca_certificates_path=(dir_path : String) #

Sets the path to a directory containing all CA certificates used to validate the peers certificate. The certificates should be in PEM format and the c_rehash(1) utility must have been run in the directory.

[View source]

def certificate_chain=(file_path : String) #

Specify the path to the certificate chain file to use. In server mode this is presented to the client, in client mode this used as client certificate.

[View source]

def cipher_suites=(cipher_suites : String) #

Specify a list of TLS cipher suites to use or discard.

See #security_level= for some sensible system configuration.

[View source]

def ciphers=(ciphers : String) #

Specify a list of TLS ciphers to use or discard.

This affects only TLSv1.2 and below. See #security_level= for some sensible system configuration.

[View source]

def default_verify_param=(name : String) #

Sets this context verify param to the default one of the given name.

Depending on the OpenSSL version, the available defaults are default, pkcs7, smime_sign, ssl_client and ssl_server.

[View source]

def finalize #

[View source]

def modes : LibSSL::Modes #

Returns the current modes set on the TLS context.

[View source]

def options : LibSSL::Options #

Returns the current options set on the TLS context.

[View source]

def private_key=(file_path : String) #

Specify the path to the private key to use. The key must in PEM format. The key must correspond to the entity certificate set by #certificate_chain=.

[View source]

def remove_modes(mode : OpenSSL::SSL::Modes) #

Removes modes from the TLS context.

[View source]

def remove_options(options : OpenSSL::SSL::Options) #

Removes options from the TLS context.

Example:

context.remove_options(OpenSSL::SSL::Options::NO_SSL_V3)

[View source]

def security_level : Int32 #

Returns the security level used by this TLS context.

[View source]

def security_level=(value : Int32) #

Sets the security level used by this TLS context. The default system security level might disable some ciphers.

https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_security_level.html
https://wiki.debian.org/ContinuousIntegration/TriagingTips/openssl-1.1.1

[View source]

def set_default_verify_paths #

Sets the default paths for #ca_certificates= and #ca_certificates_path=.

[View source]

def set_intermediate_ciphers #

Sets the current ciphers and ciphers suites to intermediate compatibility level as per Mozilla recommendations. See CIPHERS_INTERMEDIATE and CIPHER_SUITES_INTERMEDIATE. See #security_level= for some sensible system configuration.

[View source]

def set_modern_ciphers #

Sets the current ciphers and ciphers suites to modern compatibility level as per Mozilla recommendations. See CIPHERS_MODERN and CIPHER_SUITES_MODERN. See #security_level= for some sensible system configuration.

[View source]

def set_old_ciphers #

Sets the current ciphers and ciphers suites to old compatibility level as per Mozilla recommendations. See CIPHERS_OLD and CIPHER_SUITES_OLD. See #security_level= for some sensible system configuration.

[View source]

def set_tmp_ecdh_key(curve = LibCrypto::NID_X9_62_prime256v1) : Nil #

Adds a temporary ECDH key curve to the TLS context. This is required to enable the EECDH cipher suites. By default the prime256 curve will be used.

[View source]

def to_unsafe : LibSSL::SSLContext #

[View source]

def verify_mode : LibSSL::VerifyMode #

Returns the current verify mode. See the SSL_CTX_set_verify(3) manpage for more details.

[View source]

def verify_mode=(mode : OpenSSL::SSL::VerifyMode) #

Sets the verify mode. See the SSL_CTX_set_verify(3) manpage for more details.

[View source]