Add ciphers to SSL options #1581

Closed
womblep opened this issue Aug 16, 2024 · 6 comments · Fixed by #1582

Contributor

womblep commented Aug 16, 2024

I have hit a server where I needed to pin the ciphers to be able to connect. The server is most certainly badly configured but it is not something I can get changed.

I was able to work around this by monkey-patching Faraday and the Faraday Net::HTTP adapter (Net::HTTP supports ciphers) but I would like to submit patches to make it easier to do.

The Faraday change is just adding a "ciphers" member to the SSLOptions

Linked to lostisland/faraday-net_http#44

Member

iMacTia commented Aug 22, 2024

As a general rule, we only add new SSLOptions if these are general HTTP concepts or supported by most of the Faraday adapters / Ruby HTTP clients.

In this case, we know Net::HTTP supports it, and I found evidence of its support in other adapters as well:

@womblep I hope this can help getting you started. Would you have time to go through the other Faraday adapters and check how many of them support it?
Sometimes the adapter itself is just a wrapper of the underlying HTTP library (see async-http or em-http examples above), so figuring out if they support ciphers or not requires some digging

Contributor Author

womblep commented Aug 24, 2024

Excon - support
option params [String] :ciphers Only use the specified SSL/TLS cipher suites; use OpenSSL cipher spec format e.g. 'HIGH:!aNULL:!3DES' or 'AES256-SHA:DES-CBC3-SHA'

HTTPClient - support
```ruby
# A String of OpenSSL's cipher configuration. Default value is
# ALL:!ADH:!LOW:!EXP:!MD5:+SSLv2:@strength
# See ciphers(1) man in OpenSSL for more detail.
attr_config :ciphers
```

Net::HTTP::Persistent - support
https://github.com/drbrain/net-http-persistent/blob/master/lib/net/http/persistent.rb#L571

Patron - the adapter doesn't look like it does any SSL options other than verify. The Patron gem doesn't look like it supports ciphers (or many SSL settings)

HTTP.rb adapter and gem use OpenSSL SSLContext which support ciphers

httpx - uses OpenSSL SSLContext so should be able to be added to the adapter in "def ssl_options_from_env(env)"

Contributor Author

womblep commented Aug 24, 2024

Typhoeus - supported using ssl_cipher_list

Async::HTTP - supported - I am getting lost in the adapter but I think all the SSL options are passed through Async::HTTP::Faraday::Clients.make_client. Ciphers would be passed through without any change required.

EM::HTTP - supported using cipher_list

Member

iMacTia commented Aug 24, 2024

This was great research, thank you ❤️!
I feel much more confident about adding this directly to Faraday now because it seems like we can get it supported by most adapters 💪

Member

iMacTia commented Aug 26, 2024

@womblep FYI – just released Faraday 2.11.0 with support for ciphers (and updated dependency on the net_http adapter v3.3 that contains your PR)

Contributor Author

womblep commented Aug 26, 2024

@iMacTia thanks for the speedy release! ❤️
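
An added example, not part of the thread and not Faraday's or any adapter's own code: since pinning ciphers for a misconfigured server can easily re-enable weak suites, this resolves an OpenSSL cipher spec (the format quoted above from Excon's docs) against the local OpenSSL build and flags what it would enable. The helper names, the weak-suite pattern, the 128-bit floor and the `legacy.example` host are assumptions made for the example.

```ruby
require "openssl"

# Constructed policy for this example: name fragments and key size treated as weak.
WEAK_NAME = /NULL|EXP|RC4|DES|MD5|ADH|AECDH/.freeze
MIN_BITS = 128

# Resolve an OpenSSL cipher spec to the suites the local OpenSSL build enables.
def resolve_cipher_spec(spec)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.ciphers = spec
  ctx.ciphers.map { |name, version, bits, _alg| { name: name, version: version, bits: bits } }
rescue OpenSSL::SSL::SSLError => e
  # Raised when the spec matches no suite in this build (typo, or suites compiled out).
  raise ArgumentError, "cipher spec #{spec.inspect} is unusable: #{e.message}"
end

# Suites the spec itself selects. On OpenSSL 1.1.1+ the TLS 1.3 suites are
# configured separately from this string and stay enabled, so drop them here.
def pinned_suites(spec)
  resolve_cipher_spec(spec).reject { |s| s[:version] == "TLSv1.3" }
end

# Selected suites that violate the constructed policy above.
def weak_suites(spec)
  pinned_suites(spec).select { |s| s[:name].match?(WEAK_NAME) || s[:bits] < MIN_BITS }
end

# Review a pin before handing it to the client, e.g. (Faraday 2.11.0 or later):
#   Faraday.new(url: "https://legacy.example", ssl: { ciphers: spec })
spec = "HIGH:!aNULL:!3DES" # spec quoted in the thread from Excon's docs
puts "#{pinned_suites(spec).size} suites selected, #{weak_suites(spec).size} flagged weak"
```

The resolved list depends on how the local OpenSSL was built, so run the check on the host that will make the connection.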
