Closed bdewater closed 5 years ago
Hi @drbrain 👋 you're probably busy, but I was wondering if you might have a moment to look at this PR. Stripe's gem has started depending on net-http-persistent
(https://github.com/stripe/stripe-ruby/pull/698) and we would like to ensure client side that connections are not downgraded from TLS 1.2 for PCI-DSS reasons.
While we can run a fork, I think it would benefit the larger Ruby community to have this functionality merged. It might become a default setting in Stripe's gem for example.
The functionality in the OpenSSL gem was introduced in ruby/openssl#142 and supported by Net::HTTP in Ruby 2.5: https://github.com/ruby/ruby/commit/dcea9198a9d80bdf4eeacd9d9e9d883850a4a8d2
An example of why this might be useful: for payment data the PCI DSS mandates that TLS 1.1 or newer is used after June 30. Using `ssl_version` would disallow the client negotiating TLS 1.2 (or 1.3 in the near future) if both sides support it; `min_version` doesn't have this problem.
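The difference between `ssl_version=` and `min_version=` described in the comment above can be observed directly against a loopback TLS server. The following is an added example written for this page, not code from net-http-persistent, stripe-ruby or the PR; it uses only the `openssl` and `socket` standard libraries, generates a throwaway self-signed certificate for `localhost` (constructed inline, never reused), and assumes an OpenSSL build that supports TLS 1.2 and, for the upgrade case, TLS 1.3. The helper names (`pinned_version`, `floor_version`, `downgrade_rejected?`) are this example's own.

```ruby
require "openssl"
require "socket"

# Constructed for this example: a throwaway self-signed certificate and key for
# "localhost", memoised so each handshake below does not pay for a fresh keygen.
def self_signed_pair
  @self_signed_pair ||= begin
    key = OpenSSL::PKey::RSA.new(2048)
    cert = OpenSSL::X509::Certificate.new
    cert.version = 2
    cert.serial = 1
    cert.subject = OpenSSL::X509::Name.parse("/CN=localhost")
    cert.issuer = cert.subject
    cert.public_key = key.public_key
    cert.not_before = Time.now - 60
    cert.not_after = Time.now + 3600
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate = cert
    cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
    cert.add_extension(ef.create_extension("subjectAltName", "DNS:localhost"))
    cert.sign(key, OpenSSL::Digest.new("SHA256"))
    [cert, key]
  end
end

# Server context; max_version/security_level are only used for the downgrade case.
def server_context(max_version: nil, security_level: nil)
  cert, key = self_signed_pair
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key = key
  ctx.max_version = max_version if max_version
  ctx.security_level = security_level if security_level
  ctx
end

# Client context that actually verifies the peer (trust store = our own cert,
# hostname check on) so the protocol-version policy is tested on top of real
# certificate validation rather than VERIFY_NONE.
def client_context
  cert, = self_signed_pair
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.verify_hostname = true
  store = OpenSSL::X509::Store.new
  store.add_cert(cert)
  ctx.cert_store = store
  ctx
end

# Run one handshake against a loopback server and return the protocol the
# client ended up speaking ("TLSv1.2", "TLSv1.3"); raises if the handshake fails.
def negotiated_version(client_ctx, server_ctx)
  tcp = TCPServer.new("127.0.0.1", 0)
  port = tcp.addr[1]
  server = OpenSSL::SSL::SSLServer.new(tcp, server_ctx)
  thread = Thread.new do
    begin
      server.accept.close
    rescue StandardError
      # a failed handshake is reported on the client side; the server just stops
    ensure
      server.close
    end
  end
  ssl = OpenSSL::SSL::SSLSocket.new(TCPSocket.new("127.0.0.1", port), client_ctx)
  ssl.hostname = "localhost"
  ssl.sync_close = true
  ssl.connect
  ssl.ssl_version
ensure
  ssl&.close
  thread&.join(5)
end

# ssl_version= pins a single protocol: it becomes both floor and ceiling, so a
# TLS 1.3-capable client/server pair is held down to TLS 1.2.
def pinned_version
  ctx = client_context
  ctx.ssl_version = :TLSv1_2
  negotiated_version(ctx, server_context)
end

# min_version= only sets the floor: the client still negotiates the highest
# version both sides share (TLS 1.3 where available) but never goes below 1.2.
def floor_version
  ctx = client_context
  ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION
  negotiated_version(ctx, server_context)
end

# The downgrade case the comment is worried about: a server that tops out at
# TLS 1.1 (security_level 0 on the server so a modern OpenSSL will offer it at
# all). A client with min_version TLS 1.2 must fail the handshake, not accept it.
def downgrade_rejected?
  ctx = client_context
  ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION
  negotiated_version(ctx, server_context(max_version: OpenSSL::SSL::TLS1_1_VERSION,
                                         security_level: 0))
  false
rescue OpenSSL::SSL::SSLError, EOFError, SystemCallError
  true
end

if __FILE__ == $PROGRAM_NAME
  puts "ssl_version = :TLSv1_2 negotiated: #{pinned_version}"
  puts "min_version = TLS1_2_VERSION negotiated: #{floor_version}"
  puts "TLS 1.1-only server rejected with min_version: #{downgrade_rejected?}"
end
```

On an OpenSSL 1.1.1 or newer build the first line prints `TLSv1.2` and the second `TLSv1.3`, which is the whole point: the pinned setting silently forgoes the stronger protocol, while the floor setting keeps the PCI DSS guarantee and still lets the connection use the best version both ends support. The same two setters are what `Net::HTTP#min_version=` and `#ssl_version=` forward to in Ruby 2.5+.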