From f524514242e3f1c1cce18f0194bc0805beb21b5b Mon Sep 17 00:00:00 2001
From: nick evans
Date: Mon, 15 Dec 2025 14:11:08 -0500
Subject: [PATCH] Don't modify SSLContext::DEFAULT_PARAMS

The OpenSSL::SSL::SSLContext#set_params has had secure defaults since ruby 2.4 or 2.5. Since support for ruby versions prior to 3.1 has been dropped, there's no need to modify this anymore. Also, the openssl 4.0 gem now _freezes_ the `DEFAULT_PARAMS` hash. So this is needed for compatibility with both openssl 4.0 and ruby 4.0.
---
 lib/vault.rb | 9 ---------
 1 file changed, 9 deletions(-)

diff --git a/lib/vault.rb b/lib/vault.rb
index dc9066a1..12778b16 100644
--- a/lib/vault.rb
+++ b/lib/vault.rb
@@ -20,15 +20,6 @@ class << self
 def setup!
 @client = Vault::Client.new
- # Set secure SSL options
- OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.tap do |opts|
- opts[:options] &= ~OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS if defined?(OpenSSL::SSL::OP_DONT_INSERT_EMPTY_FRAGMENTS)
- opts[:options] |= OpenSSL::SSL::OP_NO_COMPRESSION if defined?(OpenSSL::SSL::OP_NO_COMPRESSION)
- opts[:options] |= OpenSSL::SSL::OP_NO_SSLv2 if defined?(OpenSSL::SSL::OP_NO_SSLv2)
- opts[:options] |= OpenSSL::SSL::OP_NO_SSLv3 if defined?(OpenSSL::SSL::OP_NO_SSLv3)
- end
-
-
 self
 end