Sets the security level for the context. OpenSSL
limits parameters according to the level. The “parameters” include: ciphersuites, curves, key sizes, certificate signature algorithms, protocol version and so on. For example, level 1 rejects parameters offering below 80 bits of security, such as ciphersuites using MD5 for the MAC or RSA keys shorter than 1024 bits.
Note that attempts to set such parameters with insufficient security are also blocked. You need to lower the level first.
This feature is not supported in OpenSSL
< 1.1.0, and setting the level to other than 0 will raise NotImplementedError
. Level 0 means everything is permitted, the same behavior as previous versions of OpenSSL
.
See the manpage of SSL_CTX_set_security_level(3) for details.
Closes the stream for writing. The behavior of this method depends on the version of OpenSSL
and the TLS protocol in use.
Sends a ‘close_notify’ alert to the peer.
Does not wait for the peer’s ‘close_notify’ alert in response.
In TLS 1.2 and earlier:
On receipt of a ‘close_notify’ alert, responds with a ‘close_notify’ alert of its own and close down the connection immediately, discarding any pending writes.
Therefore, on TLS 1.2, this method will cause the connection to be completely shut down. On TLS 1.3, the connection will remain open for reading only.
Writes string to the SSL
connection in a non-blocking manner. Raises an SSLError
if writing would block.
Returns the result of the peer certificates verification. See verify(1) for error values and descriptions.
If no peer certificate was presented X509_V_OK is returned.
Adds a new entry with the given oid and value to this name. The oid is an object identifier defined in ASN.1. Some common OIDs are:
Country Name
Common Name
Domain Component
Organization Name
Organizational Unit Name
State or Province Name
The optional keyword parameters loc and set specify where to insert the new attribute. Refer to the manpage of X509_NAME_add_entry(3) for details. loc defaults to -1 and set defaults to 0. This appends a single-valued RDN to the end.
Adds a certificate status for certificate_id. status is the status, and must be one of these:
OpenSSL::OCSP::V_CERTSTATUS_GOOD
OpenSSL::OCSP::V_CERTSTATUS_REVOKED
OpenSSL::OCSP::V_CERTSTATUS_UNKNOWN
reason and revocation_time can be given only when status is OpenSSL::OCSP::V_CERTSTATUS_REVOKED. reason describes the reason for the revocation, and must be one of OpenSSL::OCSP::REVOKED_STATUS_* constants. revocation_time is the time when the certificate is revoked.
this_update and next_update indicate the time at which the status is verified to be correct and the time at or before which newer information will be available, respectively. next_update is optional.
extensions is an Array
of OpenSSL::X509::Extension
to be included in the SingleResponse
. This is also optional.
Note that the times, revocation_time, this_update and next_update can be specified in either of Integer
or Time
object. If they are Integer
, it is treated as the relative seconds from the current time.
Returns the status of the certificate identified by the certid. The return value may be one of these constant:
V_CERTSTATUS_GOOD
V_CERTSTATUS_REVOKED
V_CERTSTATUS_UNKNOWN
When the status is V_CERTSTATUS_REVOKED, the time at which the certificate was revoked can be retrieved by revocation_time
.
Returns the ln (long name) of the hash algorithm used to generate the issuerNameHash and the issuerKeyHash values.
Verifies the signature
for the data
using a public key pkey
. Unlike verify
, this method will not hash data
with digest
automatically.
Returns true
if the signature is successfully verified, false
otherwise. The caller must check the return value.
See sign_raw
for the signing operation and an example code.
Added in version 3.0. See also the man page EVP_PKEY_verify(3).
signature
A String
containing the signature to be verified.
Recovers the signed data from signature
using a public key pkey
. Not all signature algorithms support this operation.
Added in version 3.0. See also the man page EVP_PKEY_verify_recover(3).
signature
A String
containing the signature to be verified.
In cases of failure this field may contain an array of strings further describing the origin of the failure.
Returns the message imprint digest. For valid timestamps, this is the same value that was already given in the Request
. If status is GRANTED or GRANTED_WITH_MODS, this is never nil
.
mi = token_info.msg_imprint puts mi -> "DEADBEEF"
Returns serial number of the timestamp token. This value shall never be the same for two timestamp tokens issued by a dedicated timestamp authority. If status is GRANTED or GRANTED_WITH_MODS, this is never nil
.
Set
the message imprint digest.
Returns the message imprint (digest) of the data to be timestamped.
Specify whether the response shall contain the timestamp authority’s certificate or not. The default value is true
.
Indicates whether the response shall contain the timestamp authority’s certificate or not.