drbrain / net-http-persistent

Thread-safe persistent connections with Net::HTTP
http://seattlerb.rubyforge.org/net-http-persistent

Allow setting min/max SSL version for a connection on Ruby 2.5 #94

Closed bdewater closed 5 years ago

bdewater commented 6 years ago

The functionality in the OpenSSL gem was introduced in ruby/openssl#142 and supported by Net::HTTP in Ruby 2.5: https://github.com/ruby/ruby/commit/dcea9198a9d80bdf4eeacd9d9e9d883850a4a8d2

An example of why this might be useful: for payment data, the PCI DSS mandates that TLS 1.1 or newer is used after June 30. Using ssl_version would disallow the client negotiating TLS 1.2 (or 1.3 in the near future) if both sides support it; min_version doesn't have this problem.
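The difference described above, shown against a local TLS server, as an added example that is not part of this PR, of net-http-persistent, or of Stripe's gem. It drives OpenSSL::SSL::SSLContext directly (the same `min_version=` / `max_version=` / `ssl_version=` setters that Net::HTTP exposes on Ruby 2.5+); the self-signed certificate, the loopback server, and the helper names `start_tls_server`, `negotiated_version` and `negotiate` are constructed for the demo. It needs an OpenSSL build with TLS 1.2 support; the last case works whether the build still allows TLS 1.1 (client refuses the offered version) or has already disabled it (server cannot handshake at all), since either way the client never downgrades.

```ruby
require "openssl"
require "socket"

# Constructed self-signed certificate for the loopback test server (assumption:
# RSA-2048 chosen only because every OpenSSL build accepts it).
KEY = OpenSSL::PKey::RSA.new(2048)
CERT = OpenSSL::X509::Certificate.new.tap do |c|
  name = OpenSSL::X509::Name.parse("/CN=localhost")
  c.version = 2
  c.serial = 1
  c.subject = name
  c.issuer = name
  c.public_key = KEY.public_key
  c.not_before = Time.now - 60
  c.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = c
  ef.issuer_certificate = c
  c.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  c.add_extension(ef.create_extension("subjectAltName", "DNS:localhost"))
  c.sign(KEY, OpenSSL::Digest.new("SHA256"))
end

TLS12 = OpenSSL::SSL::TLS1_2_VERSION
TLS11 = OpenSSL::SSL::TLS1_1_VERSION

# Start a TLS server on an ephemeral loopback port that serves exactly one
# handshake. min/max are OpenSSL::SSL::TLS*_VERSION constants, nil = no bound.
def start_tls_server(min: nil, max: nil)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = CERT
  ctx.key = KEY
  ctx.min_version = min
  ctx.max_version = max
  tcp = TCPServer.new("127.0.0.1", 0)
  port = tcp.addr[1]
  server = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  thread = Thread.new do
    begin
      server.accept.close
    rescue OpenSSL::SSL::SSLError, SystemCallError
      nil # expected when the client and server version ranges do not overlap
    ensure
      server.close
    end
  end
  [port, thread]
end

# Run one client handshake. The block configures the client SSLContext; the
# return value is the negotiated protocol string or a "handshake failed" marker.
def negotiated_version(port)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.cert_store = OpenSSL::X509::Store.new.tap { |s| s.add_cert(CERT) }
  yield ctx
  tcp = TCPSocket.new("127.0.0.1", port)
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
  ssl.hostname = "localhost"            # SNI
  ssl.connect
  ssl.post_connection_check("localhost") # hostname check against the SAN
  ssl.ssl_version                        # "TLSv1.2" or "TLSv1.3"
rescue OpenSSL::SSL::SSLError, SystemCallError, EOFError => e
  "handshake failed: #{e.class}"
ensure
  ssl&.close
  tcp&.close
end

# Pair a server with the given version bounds and a client configured by the block.
def negotiate(server_min: nil, server_max: nil, &client_config)
  port, thread = start_tls_server(min: server_min, max: server_max)
  result = negotiated_version(port, &client_config)
  thread.join(5)
  result
end

if __FILE__ == $0
  # min_version sets a floor: TLS 1.3 is still negotiated when both sides have it.
  puts negotiate(server_min: TLS12) { |c| c.min_version = TLS12 }
  # ssl_version pins one version: the same server never gets TLS 1.3 from this client.
  puts negotiate(server_min: TLS12) { |c| c.ssl_version = :TLSv1_2 }
  # A server capped at TLS 1.1 is refused by a min_version client instead of downgraded.
  puts negotiate(server_max: TLS11) { |c| c.min_version = TLS12 }
end
```

The client side of the first case is what the PR is asking net-http-persistent to expose: a floor that rules out TLS 1.0 and 1.1 for PCI DSS without freezing the connection at 1.2 once the server speaks 1.3.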

bdewater commented 5 years ago

Hi @drbrain 👋 you're probably busy, but I was wondering if you might have a moment to look at this PR. Stripe's gem has started depending on net-http-persistent (https://github.com/stripe/stripe-ruby/pull/698) and we would like to ensure client side that connections are not downgraded from TLS 1.2 for PCI-DSS reasons.

While we can run a fork, I think it would benefit the larger Ruby community to have this functionality merged. It might become a default setting in Stripe's gem for example.