class DRb::DRbSSLSocket::SSLConfig

See DRb::DRbSSLSocket::SSLConfig.new for more details
DRbSSLSocket.open and DRbSSLSocket.open_server
An instance of this config can be passed to DRbSSLSocket.new,
DRbSSLSocket connection, including generating the X509 / RSA pair.
SSLConfig handles the needed SSL information for establishing a

def [](key);

A convenience method to access the values like a Hash

def [](key);
  @config[key] || DEFAULT[key]
end

def accept(tcp)

configuration
Accept connection to IO +tcp+, with context of the current certificate

def accept(tcp)
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, @ssl_ctx)
  ssl.sync = true
  ssl.accept
  ssl
end

def connect(tcp)

configuration
Connect to IO +tcp+, with context of the current certificate

def connect(tcp)
  ssl = ::OpenSSL::SSL::SSLSocket.new(tcp, @ssl_ctx)
  ssl.sync = true
  ssl.connect
  ssl
end

def initialize(config)

c.setup_certificate
})
:SSLCertName => [["CN" => DRb::DRbSSLSocket.getservername]]
c = DRb::DRbSSLSocket::SSLConfig.new({
require 'drb/ssl'

or

c.setup_certificate
c[:SSLCACertificatePath] = "/etc/ssl/certs/"
c[:SSLVerifyMode] = OpenSSL::SSL::VERIFY_PEER
c[:SSLPrivateKey] = OpenSSL::PKey::RSA.new(File.read('mycert.key'))
OpenSSL::X509::Certificate.new(File.read('mycert.crt'))
c[:SSLCertificate] =
c = DRb::DRbSSLSocket::SSLConfig.new {}
require 'drb/ssl'

These values can be added after the fact, like a Hash.

=== Example

"Generated by Ruby/OpenSSL"
A comment to be used for generating the certificate. The default is
:SSLCertComment ::

See also OpenSSL::X509::Name

["CN","fqdn.example.com"]]
[["C", "Raleigh"], ["ST","North Carolina"],

given). The value of this is to be an Array of pairs:
the certificate (if :SSLCertificate and :SSLPrivateKey were not
Issuer name for the certificate. This is required when generating
:SSLCertName ::

A OpenSSL::X509::Store used for verification of certificates
:SSLCertificateStore ::

OpenSSL::SSL::SSLContext.verify_callback
A callback to be used for additional verification. See
:SSLVerifyCallback ::

chain.
Number of CA certificates to walk, when verifying a certificate
:SSLVerifyDepth ::

available modes. The default is OpenSSL::SSL::VERIFY_NONE
This is the SSL verification mode. See OpenSSL::SSL::VERIFY_* for
:SSLVerifyMode ::

OpenSSL::SSL::SSLContext#max_version=.
This is the maximum SSL version to allow. See
:SSLMaxVersion ::

OpenSSL::SSL::SSLContext#min_version=.
This is the minimum SSL version to allow. See
:SSLMinVersion ::

A DH callback. See OpenSSL::SSL::SSLContext.tmp_dh_callback
:SSLTmpDhCallback ::

A path to a CA certificate file, in PEM format.
:SSLCACertificateFile ::

be in PEM format.
A path to the directory of CA certificates. The certificates must
:SSLCACertificatePath ::

used as ClientCAs in the SSL Context
An OpenSSL::X509::Certificate, or Array of certificates that will
:SSLClientCA ::

the key that signed the :SSLCertificate
A private key instance, like OpenSSL::PKey::RSA. This key must be
:SSLPrivateKey ::

then a generic X509 is generated, with a correspond :SSLPrivateKey
An instance of OpenSSL::X509::Certificate. If this is not provided,
:SSLCertificate ::

From +config+ Hash:

=== Config options

minimum is to provide the :SSLCertName
configuration. If want it to generate a generic certificate, the bare
of SSLConfig, and will setup the certificate for its session for the
The DRb::DRbSSLSocket will take either a +config+ Hash or an instance

Create a new DRb::DRbSSLSocket::SSLConfig instance

def initialize(config)
  @config  = config
  @cert    = config[:SSLCertificate]
  @pkey    = config[:SSLPrivateKey]
  @ssl_ctx = nil
end

def setup_certificate

provided.
or that a new certificate is generated with the other parameters
Ensures that :SSLCertificate and :SSLPrivateKey have been provided

def setup_certificate
  if @cert && @pkey
    return
  end
  rsa = OpenSSL::PKey::RSA.new(2048){|p, n|
    next unless self[:verbose]
    case p
    when 0; $stderr.putc "."  # BN_generate_prime
    when 1; $stderr.putc "+"  # BN_generate_prime
    when 2; $stderr.putc "*"  # searching good prime,
                              # n = #of try,
                              # but also data from BN_generate_prime
    when 3; $stderr.putc "\n" # found good prime, n==0 - p, n==1 - q,
                              # but also data from BN_generate_prime
    else;   $stderr.putc "*"  # BN_generate_prime
    end
  }
  cert = OpenSSL::X509::Certificate.new
  cert.version = 3
  cert.serial = 0
  name = OpenSSL::X509::Name.new(self[:SSLCertName])
  cert.subject = name
  cert.issuer = name
  cert.not_before = Time.now
  cert.not_after = Time.now + (365*24*60*60)
  cert.public_key = rsa.public_key
  ef = OpenSSL::X509::ExtensionFactory.new(nil,cert)
  cert.extensions = [
    ef.create_extension("basicConstraints","CA:FALSE"),
    ef.create_extension("subjectKeyIdentifier", "hash") ]
  ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension("authorityKeyIdentifier",
                                         "keyid:always,issuer:always"))
  if comment = self[:SSLCertComment]
    cert.add_extension(ef.create_extension("nsComment", comment))
  end
  cert.sign(rsa, "SHA256")
  @cert = cert
  @pkey = rsa
end

def setup_ssl_context

parameters provided.
Establish the OpenSSL::SSL::SSLContext with the configuration

def setup_ssl_context
  ctx = ::OpenSSL::SSL::SSLContext.new
  ctx.cert            = @cert
  ctx.key             = @pkey
  ctx.min_version     = self[:SSLMinVersion]
  ctx.max_version     = self[:SSLMaxVersion]
  ctx.client_ca       = self[:SSLClientCA]
  ctx.ca_path         = self[:SSLCACertificatePath]
  ctx.ca_file         = self[:SSLCACertificateFile]
  ctx.tmp_dh_callback = self[:SSLTmpDhCallback]
  ctx.verify_mode     = self[:SSLVerifyMode]
  ctx.verify_depth    = self[:SSLVerifyDepth]
  ctx.verify_callback = self[:SSLVerifyCallback]
  ctx.cert_store      = self[:SSLCertificateStore]
  @ssl_ctx = ctx
end

Modules

Classes