graylog-labs / gelf-rb

Ruby GELF library (Graylog Extended Log Format)
https://rubygems.org/gems/gelf
MIT License

Refactor TCP transport & support TLS #46

Closed milgner closed 8 years ago

milgner commented 8 years ago

Replaces #45 with a much more solid implementation although most aspects still apply:

The TLS session is configured to be as secure as possible by default, using TLS v1.2, forbidding SSLv3 and explicitly setting the cipher list to prevent weak ciphers.

The next step will be to add support for pinning or stricter verification of the server certificate.

Since this is a breaking change (removed deprecated options) and introduces a major feature (TLS), I bumped the version to 3.0.0. Also I took the liberty of adding myself to the authors list ;)

Since this is a big PR, I'd like to do some more testing before actually merging it.

Discussion and feedback welcome, especially people willing to test this in the wild.

I'll be deploying this version to the staging environment of our Rails app soon, subject it to a bit of abuse in the following days and get back with my results...
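The settings the PR description lists (TLS 1.2 as the floor, SSLv3 forbidden, an explicit cipher list) map directly onto Ruby's OpenSSL::SSL::SSLContext. The block below is an added example, not code from gelf-rb or from this PR: it builds such a client context, adds the server-certificate verification the description names as the next step (peer verification plus hostname matching against the certificate, one possible form of "stricter verification"), and exercises it against an in-process TLS server over a socket pair so the whole exchange runs offline. The module name, the cipher string, the self-signed test certificate and the sample GELF message are all constructed here; the only protocol fact relied on is that GELF over TCP delimits each JSON document with a NUL byte.

```ruby
require "openssl"
require "socket"
require "json"

# Added example, not gelf-rb code: a GELF-over-TCP client context hardened the
# way the PR description describes, exercised against an in-process TLS server.
module GelfTlsExample
  # Forward-secret AEAD suites only; the "!" entries make the exclusions explicit
  # even if a library default were ever to re-enable them. (Assumed string.)
  CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES:!EXPORT".freeze

  # TLS 1.2 as the minimum, SSLv3 and older switched off explicitly as well,
  # an explicit cipher list, and peer + hostname verification on top.
  def self.client_context(trust_store)
    ctx = OpenSSL::SSL::SSLContext.new
    ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION
    ctx.options |= OpenSSL::SSL::OP_NO_SSLv2 | OpenSSL::SSL::OP_NO_SSLv3 |
                   OpenSSL::SSL::OP_NO_COMPRESSION
    ctx.ciphers = CIPHERS
    ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
    ctx.verify_hostname = true
    ctx.cert_store = trust_store
    ctx
  end

  # Cipher names the context will offer, for checking that nothing weak slipped in.
  def self.offered_ciphers(ctx)
    ctx.ciphers.map(&:first)
  end

  # Self-signed certificate with a SAN, standing in for the Graylog server's cert
  # (constructed for the test; a real deployment would use a CA-issued cert).
  def self.self_signed(cn)
    key = OpenSSL::PKey::RSA.new(2048)
    cert = OpenSSL::X509::Certificate.new
    cert.version = 2
    cert.serial = 1
    cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
    cert.public_key = key.public_key
    cert.not_before = Time.now - 60
    cert.not_after = Time.now + 3600
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = ef.issuer_certificate = cert
    cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
    cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{cn}"))
    cert.sign(key, OpenSSL::Digest.new("SHA256"))
    [key, cert]
  end

  # Send one GELF message to an in-process TLS server and report what arrived.
  # GELF over TCP delimits each JSON document with a NUL byte.
  # Raises OpenSSL::SSL::SSLError when the server certificate does not verify
  # for +client_hostname+ (a name that is not in the certificate's SAN).
  def self.round_trip(message, server_name: "localhost", client_hostname: server_name)
    key, cert = self_signed(server_name)
    store = OpenSSL::X509::Store.new
    store.add_cert(cert)                     # trust exactly this certificate

    server_ctx = OpenSSL::SSL::SSLContext.new
    server_ctx.cert = cert
    server_ctx.key = key
    server_ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION

    client_io, server_io = UNIXSocket.pair
    server = Thread.new do
      ssl = OpenSSL::SSL::SSLSocket.new(server_io, server_ctx)
      ssl.sync_close = true
      begin
        ssl.accept
        JSON.parse(ssl.gets("\0").chomp("\0"))
      rescue StandardError => e
        e                                    # handshake rejected by the client
      ensure
        ssl.close
      end
    end

    ssl = OpenSSL::SSL::SSLSocket.new(client_io, client_context(store))
    ssl.sync_close = true
    ssl.hostname = client_hostname           # SNI, and the name checked against the cert
    begin
      ssl.connect
      ssl.write(JSON.generate(message) + "\0")
      { protocol: ssl.ssl_version, cipher: ssl.cipher.first, received: server.value }
    ensure
      ssl.close
      server.join
    end
  end
end
```

Running `GelfTlsExample.round_trip("version" => "1.1", "host" => "app", "short_message" => "hi", "level" => 6)` returns the negotiated protocol (TLSv1.2 or TLSv1.3, depending on the OpenSSL build), the cipher actually used, and the message as the server decoded it; calling it with a `client_hostname:` that is not in the certificate fails the handshake with an SSLError, which is the behaviour one wants from a log shipper rather than silently trusting any certificate on the wire.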

bernd commented 8 years ago

Thank you very much! I will try to review this the next days.

@milgner We are looking for a maintainer for gelf-rb, are you interested? :smile:

milgner commented 8 years ago

Hi Bernd,

that sounds good! Regarding maintenance, I already wrote a mail to @dennisoelkers: in principle I'm very open to the idea, just would like to get an estimate on the expected workload that's associated with maintenance and discuss the mode of operations. That's simply to avoid a worst-case scenario where the GELF protocol receives important updates and I'm too busy with my day job to update the Ruby gem.

Having said that, this PR became much heavier than originally intended: it not only adds TLS support but also support for non-blocking I/O via Celluloid::IO. Separating both refactorings would have been somewhat complicated, so in the end I decided to just do them both at once.

I also took the liberty of removing support for Ruby 1.9.2 to update some dependencies which were known to have security issues, even if those wouldn't have had a direct impact on users.

dennisoelkers commented 8 years ago

@milgner: Hey Marcus, unfortunately I got no mail from you. Could you send it again?