| # https://stackoverflow.com/a/24237525 | |
| require "net/http" | |
| (Net::HTTP::SSL_IVNAMES << :@ssl_options).uniq! | |
| (Net::HTTP::SSL_ATTRIBUTES << :options).uniq! | |
| Net::HTTP.class_eval do | |
| attr_accessor :ssl_options | |
| end | |
| uri = URI("https://www.ipa.go.jp:443") | |
| warn("without OpenSSL::SSL::OP_LEGACY_SERVER_CONNECT") | |
| Net::HTTP.new(uri.host, uri.port).tap do |http| | |
| http.use_ssl = true | |
| http.ssl_options = OpenSSL::SSL::OP_ALL | |
| pp http.request(Net::HTTP::Get.new(uri.request_uri)).code | |
| rescue => e | |
| warn(e) | |
| # => SSL_connect returned=1 errno=0 peeraddr=192.218.88.180:443 state=error: unsafe legacy renegotiation disabled | |
| end | |
| warn("with OpenSSL::SSL::OP_LEGACY_SERVER_CONNECT") | |
| Net::HTTP.new(uri.host, uri.port).tap do |http| | |
| http.use_ssl = true | |
| http.ssl_options = OpenSSL::SSL::OP_ALL + OpenSSL::SSL::OP_LEGACY_SERVER_CONNECT | |
| pp http.request(Net::HTTP::Get.new(uri.request_uri)).code | |
| # => "200" | |
| rescue => e | |
| warn(e) | |
| end |
| require "openssl" | |
| require "open-uri" | |
| OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:options] |= OpenSSL::SSL::OP_LEGACY_SERVER_CONNECT | |
| pp URI.open("https://www.ipa.go.jp:443").status | |
| # => ["200", "OK"] |
https://www.openssl.org/docs/man3.0/man3/SSL_clear_options.html
SSL_clear_options
SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION Allow legacy insecure renegotiation between OpenSSL and unpatched clients or servers. See the SECURE RENEGOTIATION section for more details.
SSL_OP_LEGACY_SERVER_CONNECT Allow legacy insecure renegotiation between OpenSSL and unpatched servers only. See the SECURE RENEGOTIATION section for more details.