Change ssl version with Net::HTTP and Ruby 1.8.7

4
votes

One of my legacy Ruby application still uses Ruby 1.8.7. It makes a lot of HTTP requests on third-party web services and some of them are over SSL.

Those third-party services are dropping their support of SSLv3 as of the POODLE vulnerability and I'd like to patch my clients to continue connecting to them.

Ruby's standard library Net::HTTP doesn't seem to have a way to change the SSL version used.

In Ruby's openssl (ssl-internal.rb) there is a way to change the version. Sadly, this is not exposed by Net::HTTP (https.rb).

Are we (users of Ruby 1.8.7) that screwed?

Edit : In fact, it seems that the client is switching to TLSv1 if the server doesn't support SSLv3. I have an SSL enabled website without SSLv3 support, behind Nginx, and I've verified that my 1.8.7 client is switching to TLSv1 and the request works. If you want to verify by yourself, take a look here : https://serverfault.com/questions/620123/how-can-i-let-nginx-log-the-used-ssl-tls-protocol-and-ciphersuite

1
rubysslsslv3poodle-attack

1 Answers

2
votes

In fact, it seems that the client is switching to TLSv1 if the server doesn't support SSLv3

It is more the other way around. Inside the SSL handshake the client shows to the server what it can (protocol, ciphers) and the server then picks from this the best it can too. Usually the client is just defaulting to SSLv23 which does not restrict the client itself to a specific protocol. If the server then offers TLSv1 they will continue with it, if the server only offers SSLv3 they will use SSL 3.0.

If you want to restrict the client to pick the best but not allowing SSL 3.0 anymore have a look at https://stackoverflow.com/a/24237525/3081018 on how to disable SSLv3 by setting the ssl_options.