Support ciphers SSLOptions setting across adapters

[olleolleolle]

Basic Info

Recently, the #1581 "Add ciphers to SSL options" was fixed, and one adapter supports it.

A good mapping-out of the rest of the adapter landscape was created by @womblep, which this Issue summarizes as a sign-post Issue, with a checklist.

About SSL ciphers

What are "ciphers"? Well, in this context, it is a setting to HTTP clients' use of SSL, telling them explicitly which SSL cipher suites should be available. The kinds of strings to accept can be seen in the openssl-ciphers documentation.

TODO: Support the ciphers option

This list of adapters is about "are we done supporting the ciphers option for it?".

• Excon: Feat: Make Excon instance to accept ciphers SSL option (#45) excon/faraday-excon#21 by @saiqulhaq
• HTTPClient: feat: add Ciphers option to SSL Option faraday-httpclient#3 by @saiqulhaq
• Net::HTTP:Persistent
• Patron
• HTTP.rb
• httpx
• Typhoeus
• Async::HTTP
• EM::HTTP

Details, per adapter

This lists what is known about the current landscape, as "developer hints".

Excon - support

option params [String] :ciphers Only use the specified SSL/TLS cipher suites; use OpenSSL cipher spec format e.g. 'HIGH:!aNULL:!3DES' or 'AES256-SHA:DES-CBC3-SHA'

• It needs to be added to OPTS_KEY

HTTPClient - supported

    # A String of OpenSSL's cipher configuration.  Default value is
    # ALL:!ADH:!LOW:!EXP:!MD5:+SSLv2:@STRENGTH
    # See ciphers(1) man in OpenSSL for more detail.
    attr_config :ciphers

• It needs to be added to configure_ssl(client, ssl)

Net::HTTP::Persistent - supported

https://github.com/drbrain/net-http-persistent/blob/master/lib/net/http/persistent.rb#L571

• It needs to be added to https://github.com/lostisland/faraday-net_http_persistent/blob/main/lib/faraday/adapter/net_http_persistent.rb#L180

Patron - investigate

the adapter doesn't look like it does any SSL options other than verify. The Patron gem doesn't look like it supports ciphers (or many SSL settings)

HTTP.rb - supported

adapter and gem use OpenSSL SSLContext which support ciphers

• It needs to be added to https://github.com/lostisland/faraday-http/blob/master/lib/faraday/adapter/http.rb#L80

httpx - supported

uses OpenSSL SSLContext so should be able to be added to the adapter in "def ssl_options_from_env(env)"

Typhoeus - supported

using ssl_cipher_list

• needs to be added to https://github.com/dleavitt/faraday-typhoeus/blob/main/lib/faraday/adapter/typhoeus.rb#L127

Async::HTTP - supported

I am getting lost in the adapter but I think all the SSL options are passed through Async::HTTP::Faraday::Clients.make_client. Ciphers would be passed through without any change required.

EM::HTTP - supported

using cipher_list

• needs to be added to https://github.com/lostisland/faraday-em_http/blob/main/lib/faraday/adapter/em_http.rb#L76 although there are a lot of the options missing it seems

[saiqulhaq]

Hi @olleolleolle

I want to contribute to one of the adapters first. However, I am not yet knowledgeable about Chipers and their usage.
Do you have any good resources that I can read/learn before analyzing the Faraday codebase to make the changes?
So far, I only use Faraday for basic HTTP(s) requests.

[olleolleolle]

@saiqulhaq 👋 In order to clear up a little of the basics on "ciphers", I added a section to this Issue, perhaps that can lead your research.

[saiqulhaq]

Hi @olleolleolle
I just made this PR excon/faraday-excon#21.
All RSpec tests are green. I found that the adapter tests are inherited from the Faraday source code.
The tests were failing when I added unknown OPT KEYS.
However, I am not sure that my PR is enough, but this lostisland/faraday-net_http#45 doesn't modify any tests, either.

Another one for HTTPClient lostisland/faraday-httpclient#3