Allow setting min/max SSL version for a connection on Ruby 2.5 #2775

Merged
merged 2 commits into from
Apr 19, 2018

@bdewater bdewater commented Mar 5, 2018

The configuration on the Net::HTTP object is passed through to OpenSSL::SSLContext. The functionality in the OpenSSL gem was introduced in ruby/openssl#142.

This is useful for the upcoming expiry of the PCI DSS TLS 1.0 exemption (see #2774) to configure a minimum version from the client side as well.

bdewater commented Apr 6, 2018

Rebased now that Travis is running 2.5 tests.

I've added a rake task similar to the SSL certificate verification one to test the version negotiation. It requires Ruby 2.5. Output:

```
$ bundle exec rake gateways:ssl:min_version
Could not load gateway PaypalExpressCommonGateway from /Users/bartdewater/src/github.com/activemerchant/active_merchant/lib/active_merchant/billing/gateways/paypal_express_common.rb.
Could not load gateway Cc5Gateway from /Users/bartdewater/src/github.com/activemerchant/active_merchant/lib/active_merchant/billing/gateways/cc5.rb.
Could not load gateway SmartPsGateway from /Users/bartdewater/src/github.com/activemerchant/active_merchant/lib/active_merchant/billing/gateways/smart_ps.rb.
Verifying 202 gateways for SSL min_version=TLS1_1

......E........E.................EE...............E...........................E........EF......E...E.........E.......E......................E.........E..E.E.E.E.................E......

Succeeded gateways (165)

Failed Gateways (1):
ActiveMerchant::Billing::ModernPaymentsCimGateway - #<OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: unsupported protocol>

Error Gateways (18):
ActiveMerchant::Billing::BalancedGateway - #<SocketError: Failed to open TCP connection to api.balancedpayments.com:443 (getaddrinfo: nodename nor servname provided, or not known)>
ActiveMerchant::Billing::BorgunGateway - #<Net::OpenTimeout: execution expired>
ActiveMerchant::Billing::CreditcallGateway - #<Errno::ECONNRESET: Connection reset by peer>
ActiveMerchant::Billing::CredoraxGateway - #<SocketError: Failed to open TCP connection to assigned-subdomain.credorax.net:443 (getaddrinfo: nodename nor servname provided, or not known)>
ActiveMerchant::Billing::EzicGateway - #<Net::ReadTimeout: Net::ReadTimeout>
ActiveMerchant::Billing::LitleGateway - #<Net::OpenTimeout: execution expired>
ActiveMerchant::Billing::MigsGateway - #<Errno::ECONNRESET: Connection reset by peer>
ActiveMerchant::Billing::NcrSecurePayGateway - #<Net::OpenTimeout: execution expired>
ActiveMerchant::Billing::NetbillingGateway - #<Net::ReadTimeout: Net::ReadTimeout>
ActiveMerchant::Billing::PacNetRavenGateway - #<Net::OpenTimeout: execution expired>
ActiveMerchant::Billing::PaySecureGateway - #<SocketError: Failed to open TCP connection to clearance.commsecure.com.au:443 (getaddrinfo: nodename nor servname provided, or not known)>
ActiveMerchant::Billing::PslCardGateway - #<Net::OpenTimeout: execution expired>
ActiveMerchant::Billing::SafeChargeGateway - #<Net::OpenTimeout: execution expired>
ActiveMerchant::Billing::SallieMaeGateway - #<Net::OpenTimeout: execution expired>
ActiveMerchant::Billing::SecurePayAuGateway - #<Errno::ECONNRESET: Connection reset by peer>
ActiveMerchant::Billing::SecurePayTechGateway - #<Net::OpenTimeout: execution expired>
ActiveMerchant::Billing::SkipJackGateway - #<SocketError: Failed to open TCP connection to www.skipjackic.com:443 (getaddrinfo: nodename nor servname provided, or not known)>
ActiveMerchant::Billing::WebpayGateway - #<Net::OpenTimeout: execution expired>

Gateways missing live_url (12):
ActiveMerchant::Billing::BanwireGateway
ActiveMerchant::Billing::BraintreeBlueGateway
ActiveMerchant::Billing::CC5Gateway
ActiveMerchant::Billing::CitrusPayGateway
ActiveMerchant::Billing::IatsPaymentsGateway
ActiveMerchant::Billing::JetpayGateway
ActiveMerchant::Billing::MerchantOneGateway
ActiveMerchant::Billing::MerchantWarriorGateway
ActiveMerchant::Billing::MercuryGateway
ActiveMerchant::Billing::PayexGateway
ActiveMerchant::Billing::SwipeCheckoutGateway
ActiveMerchant::Billing::TnsGateway
```

So far ModernPaymentsCimGateway is the only worrying one, and the others we can look into. I do believe we should make this a default setting after the deadline has passed on supported Rubies, but I'm open to feedback.
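
The negotiation that the rake task checks can be reproduced on loopback with a client-side `min_version` on `Net::HTTP` (Ruby 2.5 or newer). This is an added example, not code from the pull request: `test_identity`, `start_capped_server` and `probe` are hypothetical helper names, and TLS 1.2/1.3 stand in for TLS 1.0/1.1 on the assumption that the local OpenSSL build no longer offers the older versions.

```ruby
require "net/http"
require "openssl"

# Constructed throwaway key and self-signed certificate valid for 127.0.0.1.
def test_identity
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=loopback-test")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension("subjectAltName", "IP:127.0.0.1"))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [key, cert]
end

# Loopback TLS server that negotiates nothing newer than server_max,
# standing in for a gateway endpoint that has not been upgraded.
def start_capped_server(key, cert, server_max)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.key = key
  ctx.cert = cert
  ctx.max_version = server_max
  tls = OpenSSL::SSL::SSLServer.new(TCPServer.new("127.0.0.1", 0), ctx)
  Thread.new do
    loop do
      begin
        tls.accept.close
      rescue OpenSSL::SSL::SSLError, SystemCallError
        nil # handshake rejected; keep listening
      end
    end
  end
  tls.to_io.addr[1]
end

# Open a certificate-verified connection with a client-side version floor.
def probe(port, cert, min_version)
  http = Net::HTTP.new("127.0.0.1", port, nil) # nil: never use a proxy
  http.use_ssl = true
  http.cert_store = OpenSSL::X509::Store.new.add_cert(cert)
  http.min_version = min_version
  http.open_timeout = 5
  http.start { :succeeded }
rescue OpenSSL::SSL::SSLError
  :failed
end
```

With the server capped at `OpenSSL::SSL::TLS1_2_VERSION`, `probe` returns `:succeeded` for a `TLS1_2_VERSION` floor and `:failed` for a `TLS1_3_VERSION` floor, the same Succeeded/Failed split the rake task reports.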

@bdewater bdewater force-pushed the ssl-minmax-version branch 2 times, most recently from fa086f3 to c4b782b Compare April 6, 2018 16:41
@bdewater bdewater merged commit f1838e6 into master Apr 19, 2018
@bdewater bdewater deleted the ssl-minmax-version branch April 19, 2018 14:19