Add #verify_hostname= and #verify_hostname to skip hostname verificat…

…ion (#2858) According to ruby/openssl#60, > Currently an user who wants to do the hostname verification needs to call SSLSocket#post_connection_check explicitly after the TLS connection is established. if an user who wants to skip the hostname verification, SSLSocket#post_connection_check doesn't need to be called https://bugs.ruby-lang.org/issues/16555
ruby · Feb 21, 2020 · 0395d76 · 0395d76
1 parent 55e17fa
commit 0395d76
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 3 deletions.
diff --git a/lib/net/http.rb b/lib/net/http.rb
@@ -844,6 +844,7 @@ def use_ssl=(flag)
       :@verify_callback,
       :@verify_depth,
       :@verify_mode,
+      :@verify_hostname,
     ]
     SSL_ATTRIBUTES = [
       :ca_file,
@@ -859,6 +860,7 @@ def use_ssl=(flag)
       :verify_callback,
       :verify_depth,
       :verify_mode,
+      :verify_hostname,
     ]
 
     # Sets path of a CA certification file in PEM format.
@@ -908,6 +910,10 @@ def use_ssl=(flag)
     # OpenSSL::SSL::VERIFY_NONE or OpenSSL::SSL::VERIFY_PEER are acceptable.
     attr_accessor :verify_mode
 
+    # Sets to check the server certificate is valid for the hostname.
+    # See OpenSSL::SSL::SSLContext#verify_hostname=
+    attr_accessor :verify_hostname
+
     # Returns the X.509 certificates the server presented.
     def peer_cert
       if not use_ssl? or not @socket
@@ -986,9 +992,11 @@ def connect
         ssl_parameters = Hash.new
         iv_list = instance_variables
         SSL_IVNAMES.each_with_index do |ivname, i|
-          if iv_list.include?(ivname) and
+          if iv_list.include?(ivname)
             value = instance_variable_get(ivname)
-            ssl_parameters[SSL_ATTRIBUTES[i]] = value if value
+            unless value.nil?
+              ssl_parameters[SSL_ATTRIBUTES[i]] = value
+            end
           end
         end
         @ssl_context = OpenSSL::SSL::SSLContext.new
@@ -1007,7 +1015,7 @@ def connect
           s.session = @ssl_session
         end
         ssl_socket_connect(s, @open_timeout)
-        if @ssl_context.verify_mode != OpenSSL::SSL::VERIFY_NONE
+        if (@ssl_context.verify_mode != OpenSSL::SSL::VERIFY_NONE) && @ssl_context.verify_hostname
           s.post_connection_check(@address)
         end
         D "SSL established, protocol: #{s.ssl_version}, cipher: #{s.cipher[0]}"

diff --git a/test/net/http/test_https.rb b/test/net/http/test_https.rb
@@ -204,6 +204,29 @@ def test_verify_none
     skip $!
   end
 
+  def test_skip_hostname_verfiction
+    TestNetHTTPUtils.clean_http_proxy_env do
+      http = Net::HTTP.new('invalid_servername', config('port'))
+      http.ipaddr = config('host')
+      http.use_ssl = true
+      http.cert_store = TEST_STORE
+      http.verify_hostname = false
+      assert_nothing_raised { http.start }
+    end
+  end
+
+  def test_fail_if_verify_hostname_is_true
+    TestNetHTTPUtils.clean_http_proxy_env do
+      http = Net::HTTP.new('invalid_servername', config('port'))
+      http.ipaddr = config('host')
+      http.use_ssl = true
+      http.cert_store = TEST_STORE
+      http.verify_hostname = true
+      @log_tester = lambda { |_| }
+      assert_raise(OpenSSL::SSL::SSLError) { http.start }
+    end
+  end
+
   def test_certificate_verify_failure
     http = Net::HTTP.new("localhost", config("port"))
     http.use_ssl = true