1
0
Fork 0
mirror of https://github.com/ruby/ruby.git synced 2022-11-09 12:17:21 -05:00

* lib/net/http.rb: an SSL verification (the server hostname should

be matched with its certificate's commonName) is added.
  this verification can be skipped by
  "Net::HTTP#enable_post_connection_check=(false)".
  suggested by Chris Clark <cclark at isecpartners.com>

* lib/net/open-uri.rb: use Net::HTTP#enable_post_connection_check to
  perform SSL post connection check.

* ext/openssl/lib/openssl/ssl.c
  (OpenSSL::SSL::SSLSocket#post_connection_check): refine error message.


git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@13499 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
This commit is contained in:
gotoyuzo 2007-09-23 22:21:18 +00:00
parent c9faac88af
commit 4f04f0372b
4 changed files with 32 additions and 11 deletions

View file

@ -1,3 +1,17 @@
Mon Sep 24 06:49:15 2007 GOTOU Yuuzou <gotoyuzo@notwork.org>
* lib/net/http.rb: an SSL verification (the server hostname should
be matched with its certificate's commonName) is added.
this verification can be skipped by
"Net::HTTP#enable_post_connection_check=(false)".
suggested by Chris Clark <cclark at isecpartners.com>
* lib/net/open-uri.rb: use Net::HTTP#enable_post_connection_check to
perform SSL post connection check.
* ext/openssl/lib/openssl/ssl.c
(OpenSSL::SSL::SSLSocket#post_connection_check): refine error message.
Sun Sep 23 09:05:05 2007 Nobuyoshi Nakada <nobu@ruby-lang.org>
* gc.c (os_obj_of, os_each_obj): hide objects to be finalized.

View file

@ -88,7 +88,7 @@ module OpenSSL
end
}
end
raise SSLError, "hostname not match"
raise SSLError, "hostname was not match with the server certificate"
end
def session

View file

@ -476,6 +476,7 @@ module Net #:nodoc:
@debug_output = nil
@use_ssl = false
@ssl_context = nil
@enable_post_connection_check = true
end
def inspect
@ -532,6 +533,9 @@ module Net #:nodoc:
false # redefined in net/https
end
# specify enabling SSL server sertificate and hostname checking.
attr_accessor :enable_post_connection_check
# Opens TCP connection and HTTP session.
#
# When this method is called with block, gives a HTTP object
@ -590,6 +594,14 @@ module Net #:nodoc:
HTTPResponse.read_new(@socket).value
end
s.connect
if @ssl_context.verify_mode != OpenSSL::SSL::VERIFY_NONE
begin
s.post_connection_check(@address)
rescue OpenSSL::SSL::SSLError => ex
raise ex if @enable_post_connection_check
warn ex.message
end
end
end
on_connect
end

View file

@ -98,6 +98,7 @@ module OpenURI
:read_timeout => true,
:ssl_ca_cert => nil,
:ssl_verify_mode => nil,
:ssl_enable_post_connection_check => true,
:ftp_active_mode => false,
}
@ -269,6 +270,10 @@ module OpenURI
if target.class == URI::HTTPS
require 'net/https'
http.use_ssl = true
http.enable_post_connection_check =
options.has_key?(:ssl_enable_post_connection_check) ?
options[:ssl_enable_post_connection_check] :
Options[:ssl_enable_post_connection_check]
http.verify_mode = options[:ssl_verify_mode] || OpenSSL::SSL::VERIFY_PEER
store = OpenSSL::X509::Store.new
if options[:ssl_ca_cert]
@ -289,16 +294,6 @@ module OpenURI
resp = nil
http.start {
if target.class == URI::HTTPS
# xxx: information hiding violation
sock = http.instance_variable_get(:@socket)
if sock.respond_to?(:io)
sock = sock.io # 1.9
else
sock = sock.instance_variable_get(:@socket) # 1.8
end
sock.post_connection_check(target_host)
end
req = Net::HTTP::Get.new(request_uri, header)
if options.include? :http_basic_authentication
user, pass = options[:http_basic_authentication]