datanoise / openssl.cr

OpenSSL binding for Crystal language
MIT License
20 stars 11 forks

Adding "ssl_ctx_set_options" #2

Closed bararchy closed 9 years ago

bararchy commented 9 years ago

This should be added to "lib_ssl.cr"

code:

# C prototype: long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
# larg and the return value are C longs, so bind them as LibC::Long rather than Int32
fun ssl_ctx_set_options = SSL_CTX_ctrl(context : SSLContext, command : Int32, long_arg : LibC::Long, pointer_arg : Void*) : LibC::Long

And for context.cr

code:

def set_options(ctx_options)
  LibSSL.ssl_ctx_set_options(@handle, LibSSL::SSL_CTRL_OPTIONS, ctx_options, nil)
end

This can allow us to set

context.set_options(LibSSL::OP_NO_SSLv2 | LibSSL::OP_NO_SSLv3)
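
As an added example (not code from this issue or from openssl.cr), here is the binding proposed above with the C types of SSL_CTX_ctrl made explicit, plus a wrapper that checks the option mask SSL_CTX_ctrl returns so a requested protection that was not applied fails loudly. It assumes a 64-bit platform and the OpenSSL 1.0.x ABI this issue targets (an exported SSLv23_method symbol and a non-zero SSL_OP_NO_SSLv2 bit); LibSSLCtrl, CtxOptions and set_options! are names chosen here.

```crystal
# Added example, not part of openssl.cr. Assumes OpenSSL 1.0.x symbols and
# the libssl constants SSL_CTRL_OPTIONS = 32, SSL_OP_NO_SSLv2 = 0x01000000,
# SSL_OP_NO_SSLv3 = 0x02000000, SSL_OP_NO_COMPRESSION = 0x00020000.
@[Link("ssl")]
lib LibSSLCtrl
  type SSLMethod = Void*
  type SSLContext = Void*

  # C prototype: long SSL_CTX_ctrl(SSL_CTX*, int, long, void*)
  # `larg` and the return value are `long`, so they must be LibC::Long, not Int32.
  fun ssl_ctx_ctrl = SSL_CTX_ctrl(ctx : SSLContext, cmd : Int32, larg : LibC::Long, parg : Void*) : LibC::Long
  fun ssl_ctx_new = SSL_CTX_new(meth : SSLMethod) : SSLContext
  fun ssl_ctx_free = SSL_CTX_free(ctx : SSLContext)
  fun sslv23_method = SSLv23_method : SSLMethod

  SSL_CTRL_OPTIONS = 32
end

@[Flags]
enum CtxOptions : Int64
  NO_SSLV2       = 0x01000000
  NO_SSLV3       = 0x02000000
  NO_COMPRESSION = 0x00020000
end

# SSL_CTX_set_options is a macro over SSL_CTX_ctrl(ctx, SSL_CTRL_OPTIONS, opts, NULL).
# The call ORs `opts` into the context and returns the full mask now in effect,
# so we can verify every requested bit is present instead of trusting the call.
def set_options!(ctx : LibSSLCtrl::SSLContext, wanted : CtxOptions) : CtxOptions
  applied = LibSSLCtrl.ssl_ctx_ctrl(ctx, LibSSLCtrl::SSL_CTRL_OPTIONS, wanted.value, nil)
  result = CtxOptions.new(applied.to_i64)
  missing = wanted & ~result
  raise "OpenSSL did not apply options: #{missing}" unless missing.none?
  result
end

ctx = LibSSLCtrl.ssl_ctx_new(LibSSLCtrl.sslv23_method)
raise "SSL_CTX_new failed" if ctx.null?
begin
  opts = set_options!(ctx, CtxOptions::NO_SSLV2 | CtxOptions::NO_SSLV3 | CtxOptions::NO_COMPRESSION)
  puts "options now in effect: #{opts}"
ensure
  LibSSLCtrl.ssl_ctx_free(ctx)
end
```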

asterite commented 9 years ago

I would make it context.options =, that's the convention instead of context.set_...

datanoise commented 9 years ago

There is already a Context#options= method. Also check the Context::ContextOptions enum.

bararchy commented 9 years ago

@datanoise

Using

require "../src/openssl"
require "socket"

begin
  tcp_server = TCPServer.new(55555)
rescue e : Exception
  puts "Error in socket: #{e}"
end

if tcp_server
  context = OpenSSL::SSL::Context.new(OpenSSL::SSL::Method::SSLv23)
  context.private_key_file = "new.key"
  context.certificate_file = "cert.pem"
  context.cipher_list = "!ADH:!RC4:!aNULL:!MD5:!EXPORT:!SSLv2:HIGH"
  # Disable SSLv2, SSLv3 and TLS compression on the context
  no_ssl_3_2_compress = OpenSSL::SSL::ContextOptions::NO_SSLV2 | OpenSSL::SSL::ContextOptions::NO_SSLV3 | OpenSSL::SSL::ContextOptions::NO_COMPRESSION
  context.options = no_ssl_3_2_compress
  puts context.inspect
  loop do
    begin
      client = tcp_server.accept
      puts "In loop! accepted connection: #{client.inspect}"
      OpenSSL::SSL::Socket.new_server(client, context) do |ssl_server|
        # Echo back whatever the client sends until it closes the connection
        buf :: UInt8[512]
        slice = buf.to_slice
        loop do
          len = ssl_server.read(slice)
          if len > 0
            ssl_server.write(slice[0, len])
          else
            break
          end
        end
      end
    rescue e : Exception
      puts "Error in SSL socket: #{e.message}\r\nlog: #{e.backtrace}"
    end
  end
end

This seems to work and indeed closes SSLv3, SSLv2 and compression.

[screenshot from 2015-05-21 21-23-48]

Closing issue now.