Add #verify_hostname= and #verify_hostname to skip hostname verification

According to ruby/openssl#60, > Currently an user who wants to do the hostname verification needs to call SSLSocket#post_connection_check explicitly after the TLS connection is established. if an user who wants to skip the hostname verification, SSLSocket#post_connection_check doesn't need to be called
ganmacs · Jan 23, 2020 · ff01b83 · ff01b83
1 parent 890200e
commit ff01b83
Showing 1 changed file with 11 additions and 3 deletions.
diff --git a/lib/net/http.rb b/lib/net/http.rb
@@ -844,6 +844,7 @@ def use_ssl=(flag)
       :@verify_callback,
       :@verify_depth,
       :@verify_mode,
+      :@verify_hostname,
     ]
     SSL_ATTRIBUTES = [
       :ca_file,
@@ -859,6 +860,7 @@ def use_ssl=(flag)
       :verify_callback,
       :verify_depth,
       :verify_mode,
+      :verify_hostname,
     ]
 
     # Sets path of a CA certification file in PEM format.
@@ -908,6 +910,10 @@ def use_ssl=(flag)
     # OpenSSL::SSL::VERIFY_NONE or OpenSSL::SSL::VERIFY_PEER are acceptable.
     attr_accessor :verify_mode
 
+    # Sets to check the server certificate is valid for the hostname.
+    # See OpenSSL::SSL::SSLContext#verify_hostname=
+    attr_accessor :verify_hostname
+
     # Returns the X.509 certificates the server presented.
     def peer_cert
       if not use_ssl? or not @socket
@@ -986,9 +992,11 @@ def connect
         ssl_parameters = Hash.new
         iv_list = instance_variables
         SSL_IVNAMES.each_with_index do |ivname, i|
-          if iv_list.include?(ivname) and
+          if iv_list.include?(ivname)
             value = instance_variable_get(ivname)
-            ssl_parameters[SSL_ATTRIBUTES[i]] = value if value
+            unless value.nil?
+              ssl_parameters[SSL_ATTRIBUTES[i]] = value
+            end
           end
         end
         @ssl_context = OpenSSL::SSL::SSLContext.new
@@ -1007,7 +1015,7 @@ def connect
           s.session = @ssl_session
         end
         ssl_socket_connect(s, @open_timeout)
-        if @ssl_context.verify_mode != OpenSSL::SSL::VERIFY_NONE
+        if (@ssl_context.verify_mode != OpenSSL::SSL::VERIFY_NONE) && @ssl_context.verify_hostname
           s.post_connection_check(@address)
         end
         D "SSL established, protocol: #{s.ssl_version}, cipher: #{s.cipher[0]}"