Support ciphers SSLOptions setting across adapters #1586

olleolleolle opened this issue Aug 29, 2024 · 3 comments

@olleolleolle
Member

olleolleolle commented Aug 29, 2024

Basic Info

Recently, the #1581 "Add ciphers to SSL options" was fixed, and one adapter supports it.

A good mapping-out of the rest of the adapter landscape was created by @womblep, which this Issue summarizes as a sign-post Issue, with a checklist.

About SSL ciphers

What are "ciphers"? Well, in this context, it is a setting to HTTP clients' use of SSL, telling them explicitly which SSL cipher suites should be available. The kinds of strings to accept can be seen in the openssl-ciphers documentation.

TODO: Support the ciphers option

This list of adapters is about "are we done supporting the ciphers option for it?".

Details, per adapter

This lists what is known about the current landscape, as "developer hints".

Excon - support

option params [String] :ciphers Only use the specified SSL/TLS cipher suites; use OpenSSL cipher spec format e.g. 'HIGH:!aNULL:!3DES' or 'AES256-SHA:DES-CBC3-SHA'

HTTPClient - supported

    # A String of OpenSSL's cipher configuration.  Default value is
    # ALL:!ADH:!LOW:!EXP:!MD5:+SSLv2:@STRENGTH
    # See ciphers(1) man in OpenSSL for more detail.
    attr_config :ciphers

Net::HTTP::Persistent - supported

https://github.com/drbrain/net-http-persistent/blob/master/lib/net/http/persistent.rb#L571

Patron - investigate

The adapter doesn't look like it does any SSL options other than verify. The Patron gem doesn't look like it supports ciphers (or many SSL settings).

HTTP.rb - supported

adapter and gem use OpenSSL SSLContext, which supports ciphers

httpx - supported

uses OpenSSL SSLContext so should be able to be added to the adapter in "def ssl_options_from_env(env)"

Typhoeus - supported

using ssl_cipher_list

Async::HTTP - supported

I am getting lost in the adapter but I think all the SSL options are passed through Async::HTTP::Faraday::Clients.make_client. Ciphers would be passed through without any change required.

EM::HTTP - supported

using cipher_list
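As an added example (not code from Faraday, the issue author, or any adapter), this Ruby script expands the cipher strings quoted in the issue above with the local OpenSSL build and reports which resulting suites match a set of weak-suite name patterns. The function names, labels and patterns are this example's own assumptions.

```ruby
require "openssl"

# Added example, not Faraday or adapter code. The labels and patterns are this
# example's own choice of what to flag, matched on OpenSSL suite names.
WEAK_PATTERNS = {
  "anonymous key exchange" => /\A(ADH|AECDH)-/,
  "NULL encryption"        => /NULL/,
  "export grade"           => /\AEXP/,
  "RC4"                    => /RC4/,
  "DES or 3DES"            => /DES/,
  "MD5 MAC"                => /MD5\z/
}.freeze

# Labels that apply to one suite, given its OpenSSL name and secret-key bits.
def classify_suite(name, bits)
  labels = WEAK_PATTERNS.select { |_label, re| name.match?(re) }.keys
  labels << "fewer than 128 key bits" if bits < 128
  labels
end

# Expand a cipher string with the local OpenSSL build. Returns
# [[name, protocol, bits, alg_bits], ...]; an unusable string raises SSLError.
def expand_ciphers(spec)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.ciphers = spec
  ctx.ciphers
end

# Flagged suite name => labels; an empty hash means nothing was flagged.
def audit_ciphers(spec)
  expand_ciphers(spec).each_with_object({}) do |(name, _proto, bits, _alg), out|
    labels = classify_suite(name, bits)
    out[name] = labels unless labels.empty?
  end
end

# Run over the cipher strings quoted in the issue above.
if __FILE__ == $PROGRAM_NAME
  ["HIGH:!aNULL:!3DES", "AES256-SHA:DES-CBC3-SHA",
   "ALL:!ADH:!LOW:!EXP:!MD5:+SSLv2:@STRENGTH"].each do |spec|
    flagged = audit_ciphers(spec)
    puts "#{spec}: #{flagged.size} suite(s) flagged"
    flagged.each { |name, labels| puts "  #{name}: #{labels.join(', ')}" }
  rescue OpenSSL::SSL::SSLError => e
    puts "#{spec}: rejected by this OpenSSL build (#{e.message})"
  end
end
```

The output depends on the OpenSSL build that Ruby is linked against, so run it on the host that will make the requests.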

@saiqulhaq

Hi @olleolleolle

I want to contribute to one of the adapters first. However, I am not yet knowledgeable about ciphers and their usage.
Do you have any good resources that I can read/learn before analyzing the Faraday codebase to make the changes?
So far, I only use Faraday for basic HTTP(s) requests.

@olleolleolle
Member Author

@saiqulhaq 👋 In order to clear up a little of the basics on "ciphers", I added a section to this Issue, perhaps that can lead your research.

@saiqulhaq

saiqulhaq commented Sep 8, 2024

Hi @olleolleolle
I just made this PR excon/faraday-excon#21.
All RSpec tests are green. I found that the adapter tests are inherited from the Faraday source code.
The tests were failing when I added unknown OPT KEYS.
However, I am not sure that my PR is enough, but this lostisland/faraday-net_http#45 doesn't modify any tests, either.

Another one for HTTPClient lostisland/faraday-httpclient#3
