mirror of
https://github.com/ruby/ruby.git
synced 2022-11-09 12:17:21 -05:00
* lib/net/http.rb: an SSL verification (the server hostname should
be matched with its certificate's commonName) is added. this verification can be skipped by "Net::HTTP#enable_post_connection_check=(false)". suggested by Chris Clark <cclark at isecpartners.com> * lib/net/open-uri.rb: use Net::HTTP#enable_post_connection_check to perform SSL post connection check. * ext/openssl/lib/openssl/ssl.c (OpenSSL::SSL::SSLSocket#post_connection_check): refine error message. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@13499 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
This commit is contained in:
parent
c9faac88af
commit
4f04f0372b
4 changed files with 32 additions and 11 deletions
14
ChangeLog
14
ChangeLog
|
@ -1,3 +1,17 @@
|
|||
Mon Sep 24 06:49:15 2007 GOTOU Yuuzou <gotoyuzo@notwork.org>
|
||||
|
||||
* lib/net/http.rb: an SSL verification (the server hostname should
|
||||
be matched with its certificate's commonName) is added.
|
||||
this verification can be skipped by
|
||||
"Net::HTTP#enable_post_connection_check=(false)".
|
||||
suggested by Chris Clark <cclark at isecpartners.com>
|
||||
|
||||
* lib/net/open-uri.rb: use Net::HTTP#enable_post_connection_check to
|
||||
perform SSL post connection check.
|
||||
|
||||
* ext/openssl/lib/openssl/ssl.c
|
||||
(OpenSSL::SSL::SSLSocket#post_connection_check): refine error message.
|
||||
|
||||
Sun Sep 23 09:05:05 2007 Nobuyoshi Nakada <nobu@ruby-lang.org>
|
||||
|
||||
* gc.c (os_obj_of, os_each_obj): hide objects to be finalized.
|
||||
|
|
|
@ -88,7 +88,7 @@ module OpenSSL
|
|||
end
|
||||
}
|
||||
end
|
||||
raise SSLError, "hostname not match"
|
||||
raise SSLError, "hostname was not match with the server certificate"
|
||||
end
|
||||
|
||||
def session
|
||||
|
|
|
@ -476,6 +476,7 @@ module Net #:nodoc:
|
|||
@debug_output = nil
|
||||
@use_ssl = false
|
||||
@ssl_context = nil
|
||||
@enable_post_connection_check = true
|
||||
end
|
||||
|
||||
def inspect
|
||||
|
@ -532,6 +533,9 @@ module Net #:nodoc:
|
|||
false # redefined in net/https
|
||||
end
|
||||
|
||||
# specify enabling SSL server sertificate and hostname checking.
|
||||
attr_accessor :enable_post_connection_check
|
||||
|
||||
# Opens TCP connection and HTTP session.
|
||||
#
|
||||
# When this method is called with block, gives a HTTP object
|
||||
|
@ -590,6 +594,14 @@ module Net #:nodoc:
|
|||
HTTPResponse.read_new(@socket).value
|
||||
end
|
||||
s.connect
|
||||
if @ssl_context.verify_mode != OpenSSL::SSL::VERIFY_NONE
|
||||
begin
|
||||
s.post_connection_check(@address)
|
||||
rescue OpenSSL::SSL::SSLError => ex
|
||||
raise ex if @enable_post_connection_check
|
||||
warn ex.message
|
||||
end
|
||||
end
|
||||
end
|
||||
on_connect
|
||||
end
|
||||
|
|
|
@ -98,6 +98,7 @@ module OpenURI
|
|||
:read_timeout => true,
|
||||
:ssl_ca_cert => nil,
|
||||
:ssl_verify_mode => nil,
|
||||
:ssl_enable_post_connection_check => true,
|
||||
:ftp_active_mode => false,
|
||||
}
|
||||
|
||||
|
@ -269,6 +270,10 @@ module OpenURI
|
|||
if target.class == URI::HTTPS
|
||||
require 'net/https'
|
||||
http.use_ssl = true
|
||||
http.enable_post_connection_check =
|
||||
options.has_key?(:ssl_enable_post_connection_check) ?
|
||||
options[:ssl_enable_post_connection_check] :
|
||||
Options[:ssl_enable_post_connection_check]
|
||||
http.verify_mode = options[:ssl_verify_mode] || OpenSSL::SSL::VERIFY_PEER
|
||||
store = OpenSSL::X509::Store.new
|
||||
if options[:ssl_ca_cert]
|
||||
|
@ -289,16 +294,6 @@ module OpenURI
|
|||
|
||||
resp = nil
|
||||
http.start {
|
||||
if target.class == URI::HTTPS
|
||||
# xxx: information hiding violation
|
||||
sock = http.instance_variable_get(:@socket)
|
||||
if sock.respond_to?(:io)
|
||||
sock = sock.io # 1.9
|
||||
else
|
||||
sock = sock.instance_variable_get(:@socket) # 1.8
|
||||
end
|
||||
sock.post_connection_check(target_host)
|
||||
end
|
||||
req = Net::HTTP::Get.new(request_uri, header)
|
||||
if options.include? :http_basic_authentication
|
||||
user, pass = options[:http_basic_authentication]
|
||||
|
|
Loading…
Reference in a new issue