Falcon SourceFalconEnvironmentTLS

module TLS

Provides an environment that exposes a TLS context for hosting a secure web application.

Definitions

def ssl_session_id

The default session identifier for the session cache.

Signature
returns String

Implementation

 
def ssl_session_id
	"falcon"
end

def ssl_ciphers

The supported ciphers.

Signature
returns Array(String)

Implementation

 
def ssl_ciphers
	Falcon::TLS::SERVER_CIPHERS
end

def ssl_certificate_path

The public certificate path.

Signature
returns String

Implementation

 
def ssl_certificate_path
	File.expand_path("ssl/certificate.pem", root)
end

def ssl_certificates

The list of certificates loaded from that path.

Signature
returns Array(OpenSSL::X509::Certificate)

Implementation

 
def ssl_certificates
	OpenSSL::X509::Certificate.load_file(ssl_certificate_path)
end

def ssl_certificate

The main certificate.

Signature
returns OpenSSL::X509::Certificate

Implementation

 
def ssl_certificate
	ssl_certificates[0]
end

def ssl_certificate_chain

The certificate chain.

Signature
returns Array(OpenSSL::X509::Certificate)

Implementation

 
def ssl_certificate_chain
	ssl_certificates[1..-1]
end

def ssl_private_key_path

The private key path.

Signature
returns String

Implementation

 
def ssl_private_key_path
	File.expand_path("ssl/private.key", root)
end

def ssl_private_key

The private key.

Signature
returns OpenSSL::PKey::RSA

Implementation

 
def ssl_private_key
	OpenSSL::PKey::RSA.new(File.read(ssl_private_key_path))
end

def ssl_context

The SSL context to use for incoming connections.

Signature
returns OpenSSL::SSL::SSLContext

Implementation

 
def ssl_context
	OpenSSL::SSL::SSLContext.new.tap do |context|
		context.add_certificate(ssl_certificate, ssl_private_key, ssl_certificate_chain)
		
		context.session_cache_mode = OpenSSL::SSL::SSLContext::SESSION_CACHE_CLIENT
		context.session_id_context = ssl_session_id
		
		context.alpn_select_cb = lambda do |protocols|
			if protocols.include? "h2"
				return "h2"
			elsif protocols.include? "http/1.1"
				return "http/1.1"
			elsif protocols.include? "http/1.0"
				return "http/1.0"
			else
				return nil
			end
		end
		
		# TODO Ruby 2.4 requires using ssl_version.
		context.ssl_version = :TLSv1_2_server
		
		context.set_params(
			ciphers: ssl_ciphers,
			verify_mode: OpenSSL::SSL::VERIFY_NONE,
		)
		
		context.setup
	end
end