class OpenSSL::SSL::SSLSocket
The following attributes are available but don't show up in rdoc.
-
io, context, sync_close
Public Class Methods
# File ext/openssl/lib/openssl/ssl.rb, line 254 def initialize(io, ctx = nil); raise NotImplementedError; end
Public Instance Methods
static VALUE
ossl_ssl_accept(VALUE self)
{
ossl_ssl_setup(self);
return ossl_start_ssl(self, SSL_accept, "SSL_accept", Qfalse);
} Waits for a SSL/TLS client to initiate a handshake. The handshake may be started after unencrypted data has been sent over the socket.
static VALUE
ossl_ssl_accept_nonblock(int argc, VALUE *argv, VALUE self)
{
VALUE opts;
rb_scan_args(argc, argv, "0:", &opts);
ossl_ssl_setup(self);
return ossl_start_ssl(self, SSL_accept, "SSL_accept", opts);
} Initiates the SSL/TLS handshake as a server in non-blocking manner.
# emulates blocking accept begin ssl.accept_nonblock rescue IO::WaitReadable IO.select([s2]) retry rescue IO::WaitWritable IO.select(nil, [s2]) retry end
By specifying `exception: false`, the options hash allows you to indicate that #accept_nonblock should not raise an IO::WaitReadable or IO::WaitWritable exception, but return the symbol :wait_readable or :wait_writable instead.
static VALUE
ossl_ssl_alpn_protocol(VALUE self)
{
SSL *ssl;
const unsigned char *out;
unsigned int outlen;
ossl_ssl_data_get_struct(self, ssl);
SSL_get0_alpn_selected(ssl, &out, &outlen);
if (!outlen)
return Qnil;
else
return rb_str_new((const char *) out, outlen);
} Returns the ALPN protocol string that was finally selected by the client during the handshake.
static VALUE
ossl_ssl_get_cert(VALUE self)
{
SSL *ssl;
X509 *cert = NULL;
ossl_ssl_data_get_struct(self, ssl);
/*
* Is this OpenSSL bug? Should add a ref?
* TODO: Ask for.
*/
cert = SSL_get_certificate(ssl); /* NO DUPs => DON'T FREE. */
if (!cert) {
return Qnil;
}
return ossl_x509_new(cert);
} The X509 certificate for this socket endpoint.
static VALUE
ossl_ssl_get_cipher(VALUE self)
{
SSL *ssl;
SSL_CIPHER *cipher;
ossl_ssl_data_get_struct(self, ssl);
cipher = (SSL_CIPHER *)SSL_get_current_cipher(ssl);
return ossl_ssl_cipher_to_ary(cipher);
} The cipher being used for the current connection
static VALUE
ossl_ssl_get_client_ca_list(VALUE self)
{
SSL *ssl;
STACK_OF(X509_NAME) *ca;
ossl_ssl_data_get_struct(self, ssl);
ca = SSL_get_client_CA_list(ssl);
return ossl_x509name_sk2ary(ca);
} Returns the list of client CAs. Please note that in contrast to OpenSSL::SSL::SSLContext#client_ca no array of X509::Certificate is returned but X509::Name instances of the CA's subject distinguished name.
In server mode, returns the list set by OpenSSL::SSL::SSLContext#client_ca. In client mode, returns the list of client CAs sent from the server.
static VALUE
ossl_ssl_connect(VALUE self)
{
ossl_ssl_setup(self);
return ossl_start_ssl(self, SSL_connect, "SSL_connect", Qfalse);
} Initiates an SSL/TLS handshake with a server. The handshake may be started after unencrypted data has been sent over the socket.
static VALUE
ossl_ssl_connect_nonblock(int argc, VALUE *argv, VALUE self)
{
VALUE opts;
rb_scan_args(argc, argv, "0:", &opts);
ossl_ssl_setup(self);
return ossl_start_ssl(self, SSL_connect, "SSL_connect", opts);
} Initiates the SSL/TLS handshake as a client in non-blocking manner.
# emulates blocking connect begin ssl.connect_nonblock rescue IO::WaitReadable IO.select([s2]) retry rescue IO::WaitWritable IO.select(nil, [s2]) retry end
By specifying `exception: false`, the options hash allows you to indicate that #connect_nonblock should not raise an IO::WaitReadable or IO::WaitWritable exception, but return the symbol :wait_readable or :wait_writable instead.
static VALUE
ossl_ssl_npn_protocol(VALUE self)
{
SSL *ssl;
const unsigned char *out;
unsigned int outlen;
ossl_ssl_data_get_struct(self, ssl);
SSL_get0_next_proto_negotiated(ssl, &out, &outlen);
if (!outlen)
return Qnil;
else
return rb_str_new((const char *) out, outlen);
} Returns the protocol string that was finally selected by the client during the handshake.
static VALUE
ossl_ssl_get_peer_cert(VALUE self)
{
SSL *ssl;
X509 *cert = NULL;
VALUE obj;
ossl_ssl_data_get_struct(self, ssl);
cert = SSL_get_peer_certificate(ssl); /* Adds a ref => Safe to FREE. */
if (!cert) {
return Qnil;
}
obj = ossl_x509_new(cert);
X509_free(cert);
return obj;
} The X509 certificate for this socket's peer.
static VALUE
ossl_ssl_get_peer_cert_chain(VALUE self)
{
SSL *ssl;
STACK_OF(X509) *chain;
X509 *cert;
VALUE ary;
int i, num;
ossl_ssl_data_get_struct(self, ssl);
chain = SSL_get_peer_cert_chain(ssl);
if(!chain) return Qnil;
num = sk_X509_num(chain);
ary = rb_ary_new2(num);
for (i = 0; i < num; i++){
cert = sk_X509_value(chain, i);
rb_ary_push(ary, ossl_x509_new(cert));
}
return ary;
} The X509 certificate chain for this socket's peer.
static VALUE
ossl_ssl_pending(VALUE self)
{
SSL *ssl;
ossl_ssl_data_get_struct(self, ssl);
return INT2NUM(SSL_pending(ssl));
} The number of bytes that are immediately available for reading
# File ext/openssl/lib/openssl/ssl.rb, line 308
def post_connection_check(hostname)
if peer_cert.nil?
msg = "Peer verification enabled, but no certificate received."
if using_anon_cipher?
msg += " Anonymous cipher suite #{cipher[0]} was negotiated. Anonymous suites must be disabled to use peer verification."
end
raise SSLError, msg
end
unless OpenSSL::SSL.verify_certificate_identity(peer_cert, hostname)
raise SSLError, "hostname \"#{hostname}\" does not match the server certificate"
end
return true
end Perform hostname verification after an SSL connection is established
This method MUST be called after calling connect to ensure that the hostname of a remote peer has been verified.
# File ext/openssl/lib/openssl/ssl.rb, line 323 def session SSL::Session.new(self) rescue SSL::Session::SessionError nil end
static VALUE
ossl_ssl_set_session(VALUE self, VALUE arg1)
{
SSL *ssl;
SSL_SESSION *sess;
/* why is ossl_ssl_setup delayed? */
ossl_ssl_setup(self);
ossl_ssl_data_get_struct(self, ssl);
SafeGetSSLSession(arg1, sess);
if (SSL_set_session(ssl, sess) != 1)
ossl_raise(eSSLError, "SSL_set_session");
return arg1;
} Sets the Session to be used when the connection is established.
static VALUE
ossl_ssl_session_reused(VALUE self)
{
SSL *ssl;
ossl_ssl_data_get_struct(self, ssl);
switch(SSL_session_reused(ssl)) {
case 1: return Qtrue;
case 0: return Qfalse;
default: ossl_raise(eSSLError, "SSL_session_reused");
}
UNREACHABLE;
} Returns true if a reused session was negotiated during the handshake.
static VALUE
ossl_ssl_get_version(VALUE self)
{
SSL *ssl;
ossl_ssl_data_get_struct(self, ssl);
return rb_str_new2(SSL_get_version(ssl));
} Returns a String representing the SSL/TLS version that was negotiated for the connection, for example “TLSv1.2”.
static VALUE
ossl_ssl_get_state(VALUE self)
{
SSL *ssl;
VALUE ret;
ossl_ssl_data_get_struct(self, ssl);
ret = rb_str_new2(SSL_state_string(ssl));
if (ruby_verbose) {
rb_str_cat2(ret, ": ");
rb_str_cat2(ret, SSL_state_string_long(ssl));
}
return ret;
} A description of the current connection state.
static VALUE
ossl_ssl_read(int argc, VALUE *argv, VALUE self)
{
return ossl_ssl_read_internal(argc, argv, self, 0);
} Reads length bytes from the SSL connection. If a pre-allocated buffer is provided the data will be written into it.
static VALUE
ossl_ssl_write(VALUE self, VALUE str)
{
return ossl_ssl_write_internal(self, str, Qfalse);
} Writes string to the SSL connection.
static VALUE
ossl_ssl_get_verify_result(VALUE self)
{
SSL *ssl;
ossl_ssl_data_get_struct(self, ssl);
return INT2FIX(SSL_get_verify_result(ssl));
} Returns the result of the peer certificates verification. See verify(1) for error values and descriptions.
If no peer certificate was presented X509_V_OK is returned.
Private Instance Methods
# File ext/openssl/lib/openssl/ssl.rb, line 337 def client_cert_cb @context.client_cert_cb end
# File ext/openssl/lib/openssl/ssl.rb, line 353 def session_get_cb @context.session_get_cb end
# File ext/openssl/lib/openssl/ssl.rb, line 349 def session_new_cb @context.session_new_cb end
static VALUE
ossl_ssl_stop(VALUE self)
{
SSL *ssl;
ossl_ssl_data_get_struct(self, ssl);
ossl_ssl_shutdown(ssl);
return Qnil;
} Sends “close notify” to the peer and tries to shut down the SSL connection gracefully.
static VALUE
ossl_ssl_read_nonblock(int argc, VALUE *argv, VALUE self)
{
return ossl_ssl_read_internal(argc, argv, self, 1);
} A non-blocking version of sysread. Raises an SSLError if reading would block. If “exception: false” is passed, this method returns a symbol of :wait_readable, :wait_writable, or nil, rather than raising an exception.
Reads length bytes from the SSL connection. If a pre-allocated buffer is provided the data will be written into it.
# File ext/openssl/lib/openssl/ssl.rb, line 341 def tmp_dh_callback @context.tmp_dh_callback || OpenSSL::PKey::DEFAULT_TMP_DH_CALLBACK end
# File ext/openssl/lib/openssl/ssl.rb, line 345 def tmp_ecdh_callback @context.tmp_ecdh_callback end
# File ext/openssl/lib/openssl/ssl.rb, line 331 def using_anon_cipher? ctx = OpenSSL::SSL::SSLContext.new ctx.ciphers = "aNULL" ctx.ciphers.include?(cipher) end
Ruby Core © 1993–2017 Yukihiro Matsumoto
Licensed under the Ruby License.
Ruby Standard Library © contributors
Licensed under their own licenses.