
ruby-changes:65525

From: Kazuki <ko1@a...>
Date: Tue, 16 Mar 2021 20:39:01 +0900 (JST)
Subject: [ruby-changes:65525] 81325db5f8 (master): [ruby/openssl] ssl: initialize verify_mode and verify_hostname with default values

https://git.ruby-lang.org/ruby.git/commit/?id=81325db5f8

From 81325db5f8bcd8c3e964ff6285792c2cade29b2c Mon Sep 17 00:00:00 2001
From: Kazuki Yamaguchi <k@r...>
Date: Sat, 18 Jul 2020 17:14:55 +0900
Subject: [ruby/openssl] ssl: initialize verify_mode and verify_hostname with
 default values

SSLContext's verify_mode expects an SSL_VERIFY_* constant (an integer)
and verify_hostname expects either true or false. However, they are set
to nil after calling OpenSSL::SSL::SSLContext.new, which is surprising.

Set a proper value to them by default: verify_mode is set to
OpenSSL::SSL::VERIFY_NONE and verify_hostname is set to false by
default.

Note that this does not change the default behavior. The certificate
verification was never performed unless verify_mode is set to
OpenSSL::SSL::VERIFY_PEER by a user. The same applies to
verify_hostname.

https://github.com/ruby/openssl/commit/87d869352c
---
 ext/openssl/lib/openssl/ssl.rb | 2 ++
 test/openssl/test_ssl.rb       | 6 ++++++
 2 files changed, 8 insertions(+)

diff --git a/ext/openssl/lib/openssl/ssl.rb b/ext/openssl/lib/openssl/ssl.rb
index 8e12007..0930a53 100644
--- a/ext/openssl/lib/openssl/ssl.rb
+++ b/ext/openssl/lib/openssl/ssl.rb
@@ -122,6 +122,8 @@ YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3 https://github.com/ruby/ruby/blob/trunk/ext/openssl/lib/openssl/ssl.rb#L122
       def initialize(version = nil)
         self.options |= OpenSSL::SSL::OP_ALL
         self.ssl_version = version if version
+        self.verify_mode = OpenSSL::SSL::VERIFY_NONE
+        self.verify_hostname = false
       end
 
       ##
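Review bot: the default these two lines make explicit is still VERIFY_NONE, but the value a reader of `ctx.verify_mode` / `ctx.verify_hostname` observes changes from nil to 0 / false, so any caller that used `ctx.verify_mode.nil?` or `ctx.verify_mode ||= ...` as a "not configured yet" probe silently loses that signal; worth grepping for that idiom before merging. A one-line comment beside the assignments (and an update to the verify_mode / verify_hostname attribute docs, which this hunk does not touch) should state that certificate and hostname verification stay off until the user sets OpenSSL::SSL::VERIFY_PEER and verify_hostname = true.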
diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb
index 4015b05..59c9493 100644
--- a/test/openssl/test_ssl.rb
+++ b/test/openssl/test_ssl.rb
@@ -246,6 +246,11 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase https://github.com/ruby/ruby/blob/trunk/test/openssl/test_ssl.rb#L246
     end
   end
 
+  def test_verify_mode_default
+    ctx = OpenSSL::SSL::SSLContext.new
+    assert_equal OpenSSL::SSL::VERIFY_NONE, ctx.verify_mode
+  end
+
   def test_verify_mode_server_cert
     start_server(ignore_listener_error: true) { |port|
       populated_store = OpenSSL::X509::Store.new
@@ -919,6 +924,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase https://github.com/ruby/ruby/blob/trunk/test/openssl/test_ssl.rb#L924
 
     start_server(ctx_proc: ctx_proc, ignore_listener_error: true) do |port|
       ctx = OpenSSL::SSL::SSLContext.new
+      assert_equal false, ctx.verify_hostname
       ctx.verify_hostname = true
       ctx.cert_store = OpenSSL::X509::Store.new
       ctx.cert_store.add_cert(@ca_cert)
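Review bot: this assertion checks the default of a freshly created context, which has nothing to do with the server started on the surrounding lines; if it ever fails, the report will point at the hostname-verification test rather than at the default. Move it next to test_verify_mode_default and keep this test about the `ctx.verify_hostname = true` path it was written for.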
-- 
cgit v1.1
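The commit message states the defaults this change makes explicit: a fresh SSLContext has verify_mode VERIFY_NONE and verify_hostname false, so no certificate or hostname verification happens until a user turns it on. The following Ruby is an added example, not code from the commit or from ruby/openssl: it audits what a context will actually verify (tolerating the nil that pre-patch releases return, as the message describes) and shows the weak default beside the corrected configuration obtained through SSLContext#set_params, which applies DEFAULT_PARAMS (VERIFY_PEER and verify_hostname true) and installs the system trust store when none is configured. The helper names audit_context, default_context and hardened_context are assumptions of this example.

```ruby
require "openssl"

# Added example (not part of the ruby/openssl change above).
# Summarise whether an SSLContext will actually verify the peer certificate
# and the hostname, based on the attributes the commit initialises.
def audit_context(ctx)
  # Pre-patch releases return nil here; treat it as VERIFY_NONE, which is
  # what the library does in that case.
  mode = ctx.verify_mode || OpenSSL::SSL::VERIFY_NONE
  verifies_peer = (mode & OpenSSL::SSL::VERIFY_PEER) != 0
  {
    verify_mode: mode,
    verify_hostname: ctx.verify_hostname ? true : false,
    verifies_peer: verifies_peer,
    # Hostname checking only matters once the chain itself is verified.
    verifies_hostname: verifies_peer && (ctx.verify_hostname ? true : false),
    has_trust_anchor: !(ctx.cert_store.nil? && ctx.ca_file.nil? && ctx.ca_path.nil?)
  }
end

# The weak setting: a freshly built context with the defaults this commit
# makes explicit (VERIFY_NONE, verify_hostname false).
def default_context
  OpenSSL::SSL::SSLContext.new
end

# The corrected setting: set_params applies SSLContext::DEFAULT_PARAMS
# (VERIFY_PEER, verify_hostname: true) and, because verification is now on,
# installs the default certificate store when no cert_store, ca_file or
# ca_path has been given.
def hardened_context
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.set_params
  ctx
end

if $PROGRAM_NAME == __FILE__
  p audit_context(default_context)
  p audit_context(hardened_context)
end
```

A context that reports verifies_peer false should never be handed to a client socket that talks to a remote service; the audit hash is a convenient thing to assert on in an application's own test suite.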


--
ML: ruby-changes@q...
Info: http://www.atdot.net/~ko1/quickml/
