Update OpenSSL::SSL::Context default ciphers (crystal-lang#13667)

Bizalog · Jul 25, 2023 · ffa176f · ffa176f
1 parent ce82727
commit ffa176f
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 15 deletions.
diff --git a/scripts/generate_ssl_server_defaults.cr b/scripts/generate_ssl_server_defaults.cr
@@ -7,36 +7,53 @@
 require "http"
 require "json"
 
+struct Configuration
+  include JSON::Serializable
+
+  getter oldest_clients : Array(String)
+  getter ciphersuites : Array(String)
+  @[JSON::Field(root: "openssl")]
+  getter ciphers : Array(String)
+end
+
+struct Guidelines
+  include JSON::Serializable
+
+  @[JSON::Field(converter: String::RawConverter)]
+  getter version : String
+  getter href : String
+  getter configurations : Hash(String, Configuration)
+end
+
 url = ARGV.shift? || "https://ssl-config.mozilla.org/guidelines/latest.json"
-DEFAULTS_FILE = "src/openssl/ssl/defaults.cr"
+DEFAULTS_FILE = File.expand_path("../src/openssl/ssl/defaults.cr", __DIR__)
 
-json = JSON.parse(HTTP::Client.get(url).body)
+guidelines = Guidelines.from_json(HTTP::Client.get(url).body)
+disabled_ciphers = %w(!RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS)
 
 File.open(DEFAULTS_FILE, "w") do |file|
-  file.print <<-CRYSTAL
-  # THIS FILE WAS AUTOMATICALLY GENERATED BY script/ssl_server_defaults.cr
+  file.puts <<-CRYSTAL
+  # THIS FILE WAS AUTOMATICALLY GENERATED BY scripts/#{File.basename(__FILE__)}
   # on #{Time.utc}.
 
   abstract class OpenSSL::SSL::Context
   CRYSTAL
 
-  configuration = json["configurations"].as_h.each do |level, configuration|
-    clients = configuration["oldest_clients"].as_a
-    ciphersuites = configuration["ciphersuites"].as_a
-    ciphers = configuration["ciphers"]["openssl"].as_a
-    disabled_ciphers = %w(!RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS)
+  guidelines.configurations.join(file, '\n') do |(level, configuration)|
+    clients = configuration.oldest_clients
+    ciphersuites = configuration.ciphersuites
+    ciphers = configuration.ciphers
     all_ciphers = ciphersuites + ciphers + disabled_ciphers
 
     file.puts <<-CRYSTAL
-
       # The list of secure ciphers on **#{level}** compatibility level as per Mozilla
       # recommendations.
       #
       # The oldest clients supported by this configuration are:
       # * #{clients.join("\n  # * ")}
       #
-      # This list represents version #{json["version"]} of the #{level} configuration
-      # available at #{json["href"]}.
+      # This list represents version #{guidelines.version} of the #{level} configuration
+      # available at #{guidelines.href}.
       #
       # See https://wiki.mozilla.org/Security/Server_Side_TLS for details.
       CIPHERS_#{level.upcase} = "#{all_ciphers.join(":")}"
@@ -47,8 +64,8 @@ File.open(DEFAULTS_FILE, "w") do |file|
       # The oldest clients supported by this configuration are:
       # * #{clients.join("\n  # * ")}
       #
-      # This list represents version #{json["version"]} of the #{level} configuration
-      # available at #{json["href"]}.
+      # This list represents version #{guidelines.version} of the #{level} configuration
+      # available at #{guidelines.href}.
       #
       # See https://wiki.mozilla.org/Security/Server_Side_TLS for details.
       CIPHER_SUITES_#{level.upcase} = "#{ciphersuites.join(":")}"

diff --git a/src/openssl/ssl/defaults.cr b/src/openssl/ssl/defaults.cr