Reputation: 1492
We have been asked by our payment provider to upgrade the SSL version from SSLv3 to TLS, citing the POODLE attack.
Currently I see the ssl_version being set as nil
in the Ruby net/https
library. What I'm trying to understand is: when ssl_version is set to nil,
what does it translate to (or fall back to)?
Reading through this makes me feel that it is up to OpenSSL to decide the ssl_version (protocol) to use.
It also mentions that setting :auto
always makes sure it takes the highest available protocol.
Can anyone shed some light on it?
Upvotes: 1
Views: 2049
Reputation: 107067
Ruby 2.1.3 uses SSLv23
as a default. You can check it in your irb console:
> require 'openssl'
# => true
> OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
# => {
# => :ssl_version => "SSLv23",
# => :verify_mode => 1,
# => :ciphers => "ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW",
# => :options => -2147482625
# => }
Btw there is another constant that tells you all available SSL/TLS methods:
> OpenSSL::SSL::SSLContext::METHODS
# => [
# => [ 0] :TLSv1,
# => [ 1] :TLSv1_server,
# => [ 2] :TLSv1_client,
# => [ 3] :TLSv1_2,
# => [ 4] :TLSv1_2_server,
# => [ 5] :TLSv1_2_client,
# => [ 6] :TLSv1_1,
# => [ 7] :TLSv1_1_server,
# => [ 8] :TLSv1_1_client,
# => [ 9] :SSLv3,
# => [10] :SSLv3_server,
# => [11] :SSLv3_client,
# => [12] :SSLv23,
# => [13] :SSLv23_server,
# => [14] :SSLv23_client
# => ]
see: http://ruby-doc.org/stdlib-2.1.3/libdoc/openssl/rdoc/OpenSSL/SSL/SSLContext.html#constants-list
Upvotes: 2
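To see what the SSLv23 default actually negotiates, here is an added example (not from the answer above, and not Net::HTTP's own code) that builds a client context the way net/https does when ssl_version is nil, switches SSLv2/SSLv3 off with the OP_NO_* options, and handshakes against a throwaway local server to read back the protocol OpenSSL picked. The certificate, port and verify settings are constructed for the test only.

```ruby
require 'openssl'
require 'socket'

# Throwaway self-signed certificate for the local test server (constructed here).
def make_self_signed
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=localhost')
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Client context in the shape Net::HTTP uses when ssl_version is nil: the negotiable
# SSLv23 method, with SSLv2/SSLv3 switched off and, where the gem supports it, a TLS 1.2 floor.
def hardened_client_context
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.options |= OpenSSL::SSL::OP_NO_SSLv2 | OpenSSL::SSL::OP_NO_SSLv3
  ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION if ctx.respond_to?(:min_version=)
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE # self-signed test cert only
  ctx
end

# Handshake against a local server and return the protocol actually negotiated.
def negotiated_protocol(client_ctx)
  key, cert = make_self_signed
  server_ctx = OpenSSL::SSL::SSLContext.new
  server_ctx.cert = cert
  server_ctx.key = key
  tcp = TCPServer.new('127.0.0.1', 0)
  server = Thread.new do
    ssl = OpenSSL::SSL::SSLSocket.new(tcp.accept, server_ctx)
    ssl.sync_close = true
    ssl.accept
    ssl.close
  end
  sock = OpenSSL::SSL::SSLSocket.new(TCPSocket.new('127.0.0.1', tcp.addr[1]), client_ctx)
  sock.sync_close = true
  sock.connect
  proto = sock.ssl_version
  server.join # let the server finish its side before tearing the connection down
  sock.close
  tcp.close
  proto
end
```

Calling `negotiated_protocol(hardened_client_context)` returns a string such as "TLSv1.2" or "TLSv1.3", showing that the SSLv23 default means "negotiate", and that the options, not the method name, are what keep SSLv3 out.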