Change SSL version with Net::HTTP and Ruby 1.8.7
One of our legacy Ruby applications still uses Ruby 1.8.7. It makes a lot of HTTP requests to third-party web services, some of them over SSL.
Those third-party services are dropping support for SSLv3 because of the POODLE vulnerability, and I'd like to patch our clients so they can go on connecting to them.
Ruby's standard library Net::HTTP doesn't seem to have a way to alter the SSL version used.
In Ruby's OpenSSL (ssl-internal.rb) there is a way to alter the version. Sadly, it is not exposed in Net::HTTP (https.rb).
Are we (users of Ruby 1.8.7) screwed?
Edit: In fact, it seems the client is switching to TLSv1 if the server doesn't support SSLv3. I have an SSL-enabled website without SSLv3 support, behind nginx, and I've verified that the 1.8.7 client is switching to TLSv1 and the request works. If you want to verify this yourself, take a look here: http://serverfault.com/questions/620123/how-can-i-let-nginx-log-the-used-ssl-tls-protocol-and-ciphersuite
"In fact, it seems the client is switching to TLSv1 if the server doesn't support SSLv3."
It is more the other way around. Within the SSL handshake the client shows the server what it can do (protocol, ciphers) and the server picks the best it can do too. The client defaulting to SSLv23 does not restrict the client to a specific protocol. If the server offers TLSv1 it will go on with it; if the server offers SSLv3 it will use SSL 3.0.
If you want to restrict the client to pick the best while not allowing SSL 3.0 anymore, have a look at http://stackoverflow.com/a/24237525/3081018 on how to disable SSLv3 by setting ssl_options.
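The negotiation described in the answer above, as an added example that is not part of the original question or answer. It assumes a current Ruby with the bundled openssl library rather than 1.8.7; the helper names, the option masks and the server profiles are constructed for illustration, and `negotiate` is a simplified model of the handshake outcome, not the handshake itself.

```ruby
require 'openssl'

# Each protocol paired with the real OpenSSL option bit that withdraws it
# from the client's offer, ordered from oldest to newest.
PROTOCOLS = [
  [:SSLv3,   OpenSSL::SSL::OP_NO_SSLv3],
  [:TLSv1,   OpenSSL::SSL::OP_NO_TLSv1],
  [:TLSv1_1, OpenSSL::SSL::OP_NO_TLSv1_1],
  [:TLSv1_2, OpenSSL::SSL::OP_NO_TLSv1_2]
].freeze

# Versions a version-flexible (SSLv23) client still offers for an option mask.
def offered_versions(options)
  PROTOCOLS.reject { |_name, bit| (options & bit) != 0 }.map(&:first)
end

# Simplified model of the outcome: the newest version both sides support,
# or nil when there is no overlap and the handshake fails.
def negotiate(client_options, server_versions)
  (offered_versions(client_options) & server_versions).last
end

# A real client context that refuses SSL 3.0 but still negotiates upwards.
def hardened_context
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.options |= OpenSSL::SSL::OP_NO_SSLv3
  ctx
end

LEGACY_MASK   = 0                          # constructed: nothing disabled
HARDENED_MASK = OpenSSL::SSL::OP_NO_SSLv3  # SSL 3.0 withdrawn from the offer

# Constructed server profiles, not taken from the page.
SERVERS = {
  'SSLv3 only'    => [:SSLv3],
  'SSLv3 + TLSv1' => [:SSLv3, :TLSv1],
  'TLSv1 only'    => [:TLSv1]
}.freeze

if __FILE__ == $PROGRAM_NAME
  SERVERS.each do |name, versions|
    legacy   = negotiate(LEGACY_MASK, versions) || 'handshake fails'
    hardened = negotiate(HARDENED_MASK, versions) || 'handshake fails'
    puts format('%-14s legacy=%-8s hardened=%s', name, legacy, hardened)
  end
end
```

Against the SSLv3-only profile the unrestricted client ends up on SSL 3.0 while the hardened one fails the handshake, which is the behaviour you want once a server drops SSLv3.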
ruby ssl sslv3 poodle-attack