Description
Since the author of #87 seems to be inactive, I'm picking up the SSL verification issue and writing a patch to make it work. To stay API-compatible, I'm planning not to touch the defaults (:simple_tls, :start_tls), but instead creating :custom_tls and :custom_starttls, which offer more customization options. In these modes, I would pass in the following default ruby-openssl parameters (OpenSSL::SSL::SSLContext::DEFAULT_PARAMS) by default:
```ruby
{
  :ssl_version => "SSLv23",
  :verify_mode => 1,
  :ciphers => "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:DHE-DSS-AES128-SHA256:DHE-DSS-AES256-SHA256:DHE-DSS-AES128-SHA:DHE-DSS-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:ECDHE-ECDSA-RC4-SHA:ECDHE-RSA-RC4-SHA:RC4-SHA",
  :options => -2097019905
}
```
This will enable verification, attempt to use good ciphers, and try to negotiate up to TLSv1.2, if the target LDAP server supports it. In addition, one can pass an options hash :tls_params, which allows one to pass in a custom options hash (the available parameters and options are documented in the ruby-openssl documentation).
Any thoughts or additional requests before I implement it this way?
edited issue description to format ruby hash -jch
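As an added illustration (not code from the issue or from net-ldap itself), here is how the proposed :custom_tls mode could build its SSLContext: start from OpenSSL::SSL::SSLContext::DEFAULT_PARAMS, merge the caller's :tls_params on top, and then check the result rather than trusting it, since a caller-supplied :verify_mode => VERIFY_NONE would silently undo the verification the new mode is meant to provide. The helper names (build_tls_context, verification_enabled?, rc4_free?) are assumptions made for this example.

```ruby
require 'openssl'

# Build an SSLContext the way a :custom_tls mode could: ruby-openssl's
# DEFAULT_PARAMS (verification on, sane ciphers and options) first, then
# the caller's :tls_params override individual keys.
def build_tls_context(tls_params = {})
  params = OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.merge(tls_params)
  ctx = OpenSSL::SSL::SSLContext.new
  # set_params applies each key and, when verify_mode is not VERIFY_NONE and
  # no CA file/path/store was given, installs the system default CA store.
  ctx.set_params(params)
  ctx
end

# Defender's check: does the resulting context actually verify the peer?
# A :tls_params hash can turn verification back off; flag that explicitly.
def verification_enabled?(ctx)
  (ctx.verify_mode & OpenSSL::SSL::VERIFY_PEER) != 0
end

# The default cipher list quoted in the issue still ends in RC4 suites; a
# stricter :tls_params (e.g. ciphers: "HIGH:!RC4:!aNULL") removes them.
# ctx.ciphers returns [name, version, bits, alg_bits] tuples.
def rc4_free?(ctx)
  ctx.ciphers.none? { |name, *_| name.include?('RC4') }
end

if __FILE__ == $0
  default_ctx = build_tls_context
  puts "default verify_mode=#{default_ctx.verify_mode} verifies=#{verification_enabled?(default_ctx)}"

  # Constructed override a caller might pass as :tls_params.
  strict_ctx = build_tls_context(ciphers: 'HIGH:!RC4:!aNULL')
  puts "strict rc4_free=#{rc4_free?(strict_ctx)} verifies=#{verification_enabled?(strict_ctx)}"

  weak_ctx = build_tls_context(verify_mode: OpenSSL::SSL::VERIFY_NONE)
  warn 'tls_params disabled certificate verification' unless verification_enabled?(weak_ctx)
end
```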