Return a Hash for RJIT statistics. --rjit-stats makes more information available.
Returns a Gem::Security::TrustDir which wraps the directory where trusted certificates live.
Enumerates the trusted certificates via Gem::Security::TrustDir.
Terminates the RubyGems process with the given exit_code
Check if --yjit-stats is used.
Return a hash for statistics generated for the --yjit-stats command line option. Return nil when option is not passed or unavailable. If a symbol argument is provided, return only the value for the named stat. If any other type is provided, raises TypeError.
Discard existing compiled code to reclaim memory and allow for recompilations in the future.
Serializes the DH parameters to a PEM-encoding.
Note that any existing per-session public/private keys will not get encoded, just the Diffie-Hellman parameters will be encoded.
PEM-encoded parameters will look like:
-----BEGIN DH PARAMETERS----- [...] -----END DH PARAMETERS-----
See also public_to_pem (X.509 SubjectPublicKeyInfo) and private_to_pem (PKCS #8 PrivateKeyInfo or EncryptedPrivateKeyInfo) for serialization with the private or public key components.
Serializes a private or public key to a PEM-encoding.
Serializes it into an X.509 SubjectPublicKeyInfo. The parameters cipher and password are ignored.
A PEM-encoded key will look like:
-----BEGIN PUBLIC KEY----- [...] -----END PUBLIC KEY-----
Consider using public_to_pem instead. This serializes the key into an X.509 SubjectPublicKeyInfo regardless of whether it is a public key or a private key.
Serializes it into a traditional OpenSSL DSAPrivateKey.
A PEM-encoded key will look like:
-----BEGIN DSA PRIVATE KEY----- [...] -----END DSA PRIVATE KEY-----
Serializes it into a traditional OpenSSL DSAPrivateKey and encrypts it in OpenSSL’s traditional PEM encryption format. cipher must be a cipher name understood by OpenSSL::Cipher.new or an instance of OpenSSL::Cipher.
An encrypted PEM-encoded key will look like:
-----BEGIN DSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: AES-128-CBC,733F5302505B34701FC41F5C0746E4C0 [...] -----END DSA PRIVATE KEY-----
Note that this format uses MD5 to derive the encryption key, and hence will not be available on FIPS-compliant systems.
This method is kept for compatibility. This should only be used when the traditional, non-standard OpenSSL format is required.
Consider using public_to_pem (X.509 SubjectPublicKeyInfo) or private_to_pem (PKCS #8 PrivateKeyInfo or EncryptedPrivateKeyInfo) instead.
Obtains a list of all predefined curves by the OpenSSL. Curve names are returned as sn.
See the OpenSSL documentation for EC_get_builtin_curves().
Serializes a private or public key to a PEM-encoding.
Serializes it into an X.509 SubjectPublicKeyInfo. The parameters cipher and password are ignored.
A PEM-encoded key will look like:
-----BEGIN PUBLIC KEY----- [...] -----END PUBLIC KEY-----
Consider using public_to_pem instead. This serializes the key into an X.509 SubjectPublicKeyInfo regardless of whether it is a public key or a private key.
Serializes it into a SEC 1/RFC 5915 ECPrivateKey.
A PEM-encoded key will look like:
-----BEGIN EC PRIVATE KEY----- [...] -----END EC PRIVATE KEY-----
Serializes it into a SEC 1/RFC 5915 ECPrivateKey and encrypts it in OpenSSL’s traditional PEM encryption format. cipher must be a cipher name understood by OpenSSL::Cipher.new or an instance of OpenSSL::Cipher.
An encrypted PEM-encoded key will look like:
-----BEGIN EC PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: AES-128-CBC,733F5302505B34701FC41F5C0746E4C0 [...] -----END EC PRIVATE KEY-----
Note that this format uses MD5 to derive the encryption key, and hence will not be available on FIPS-compliant systems.
This method is kept for compatibility. This should only be used when the SEC 1/RFC 5915 ECPrivateKey format is required.
Consider using public_to_pem (X.509 SubjectPublicKeyInfo) or private_to_pem (PKCS #8 PrivateKeyInfo or EncryptedPrivateKeyInfo) instead.
Verifies data using the Probabilistic Signature Scheme (RSA-PSS).
The return value is true if the signature is valid, false otherwise. RSAError will be raised if an error occurs.
See sign_pss for the signing operation and an example code.
A String containing the message digest algorithm name.
A String. The data to be signed.
The length in octets of the salt. Two special values are reserved: :digest means the digest length, and :auto means automatically determining the length based on the signature.
The hash algorithm used in MGF1.
Serializes a private or public key to a PEM-encoding.
Serializes it into an X.509 SubjectPublicKeyInfo. The parameters cipher and password are ignored.
A PEM-encoded key will look like:
-----BEGIN PUBLIC KEY----- [...] -----END PUBLIC KEY-----
Consider using public_to_pem instead. This serializes the key into an X.509 SubjectPublicKeyInfo regardless of whether the key is a public key or a private key.
Serializes it into a PKCS #1 RSAPrivateKey.
A PEM-encoded key will look like:
-----BEGIN RSA PRIVATE KEY----- [...] -----END RSA PRIVATE KEY-----
Serializes it into a PKCS #1 RSAPrivateKey and encrypts it in OpenSSL’s traditional PEM encryption format. cipher must be a cipher name understood by OpenSSL::Cipher.new or an instance of OpenSSL::Cipher.
An encrypted PEM-encoded key will look like:
-----BEGIN RSA PRIVATE KEY----- Proc-Type: 4,ENCRYPTED DEK-Info: AES-128-CBC,733F5302505B34701FC41F5C0746E4C0 [...] -----END RSA PRIVATE KEY-----
Note that this format uses MD5 to derive the encryption key, and hence will not be available on FIPS-compliant systems.
This method is kept for compatibility. This should only be used when the PKCS #1 RSAPrivateKey format is required.
Consider using public_to_pem (X.509 SubjectPublicKeyInfo) or private_to_pem (PKCS #8 PrivateKeyInfo or EncryptedPrivateKeyInfo) instead.
Sets the list of “supported elliptic curves” for this context.
For a TLS client, the list is directly used in the Supported Elliptic Curves Extension. For a server, the list is used by OpenSSL to determine the set of shared curves. OpenSSL will pick the most appropriate one from it.
ctx1 = OpenSSL::SSL::SSLContext.new ctx1.ecdh_curves = "X25519:P-256:P-224" svr = OpenSSL::SSL::SSLServer.new(tcp_svr, ctx1) Thread.new { svr.accept } ctx2 = OpenSSL::SSL::SSLContext.new ctx2.ecdh_curves = "P-256" cli = OpenSSL::SSL::SSLSocket.new(tcp_sock, ctx2) cli.connect p cli.tmp_key.group.curve_name # => "prime256v1" (is an alias for NIST P-256)
Returns the security level for the context.
See also OpenSSL::SSL::SSLContext#security_level=.
Sets the security level for the context. OpenSSL limits parameters according to the level. The “parameters” include: ciphersuites, curves, key sizes, certificate signature algorithms, protocol version and so on. For example, level 1 rejects parameters offering below 80 bits of security, such as ciphersuites using MD5 for the MAC or RSA keys shorter than 1024 bits.
Note that attempts to set such parameters with insufficient security are also blocked. You need to lower the level first.
This feature is not supported in OpenSSL < 1.1.0, and setting the level to other than 0 will raise NotImplementedError. Level 0 means everything is permitted, the same behavior as previous versions of OpenSSL.
See the manpage of SSL_CTX_set_security_level(3) for details.
Close the stream for reading. This method is ignored by OpenSSL as there is no reasonable way to implement it, but exists for compatibility with IO.
Creates a new X509::Extension with passed values. See also x509v3_config(5).
Returns the certificate which caused the error.
See also the man page X509_STORE_CTX_get_current_cert(3).
Returns the CRL which caused the error.
See also the man page X509_STORE_CTX_get_current_crl(3).