ruby-changes:2008
From: ko1@a...
Date: 24 Sep 2007 07:21:35 +0900
Subject: [ruby-changes:2008] gotoyuzo - Ruby:r13499 (trunk): * lib/net/http.rb: an SSL verification (the server hostname should
gotoyuzo 2007-09-24 07:21:18 +0900 (Mon, 24 Sep 2007)
New Revision: 13499
Modified files:
trunk/ChangeLog
trunk/ext/openssl/lib/openssl/ssl.rb
trunk/lib/net/http.rb
trunk/lib/open-uri.rb
Log:
* lib/net/http.rb: an SSL verification (the server hostname should
be matched with its certificate's commonName) is added.
this verification can be skipped by
"Net::HTTP#enable_post_connection_check=(false)".
suggested by Chris Clark <cclark at isecpartners.com>
* lib/net/open-uri.rb: use Net::HTTP#enable_post_connection_check to
perform SSL post connection check.
* ext/openssl/lib/openssl/ssl.c
(OpenSSL::SSL::SSLSocket#post_connection_check): refine error message.
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/trunk/ChangeLog?r1=13499&r2=13498
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/trunk/lib/open-uri.rb?r1=13499&r2=13498
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/trunk/lib/net/http.rb?r1=13499&r2=13498
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/trunk/ext/openssl/lib/openssl/ssl.rb?r1=13499&r2=13498
Index: ChangeLog
===================================================================
--- ChangeLog (revision 13498)
+++ ChangeLog (revision 13499)
@@ -1,3 +1,17 @@
+Mon Sep 24 06:49:15 2007 GOTOU Yuuzou <gotoyuzo@n...>
+
+ * lib/net/http.rb: an SSL verification (the server hostname should
+ be matched with its certificate's commonName) is added.
+ this verification can be skipped by
+ "Net::HTTP#enable_post_connection_check=(false)".
+ suggested by Chris Clark <cclark at isecpartners.com>
+
+ * lib/net/open-uri.rb: use Net::HTTP#enable_post_connection_check to
+ perform SSL post connection check.
+
+ * ext/openssl/lib/openssl/ssl.c
+ (OpenSSL::SSL::SSLSocket#post_connection_check): refine error message.
+
Sun Sep 23 09:05:05 2007 Nobuyoshi Nakada <nobu@r...>
* gc.c (os_obj_of, os_each_obj): hide objects to be finalized.
Index: lib/open-uri.rb
===================================================================
--- lib/open-uri.rb (revision 13498)
+++ lib/open-uri.rb (revision 13499)
@@ -98,6 +98,7 @@
:read_timeout => true,
:ssl_ca_cert => nil,
:ssl_verify_mode => nil,
+ :ssl_enable_post_connection_check => true,
:ftp_active_mode => false,
}
@@ -269,6 +270,10 @@
if target.class == URI::HTTPS
require 'net/https'
http.use_ssl = true
+ http.enable_post_connection_check =
+ options.has_key?(:ssl_enable_post_connection_check) ?
+ options[:ssl_enable_post_connection_check] :
+ Options[:ssl_enable_post_connection_check]
http.verify_mode = options[:ssl_verify_mode] || OpenSSL::SSL::VERIFY_PEER
store = OpenSSL::X509::Store.new
if options[:ssl_ca_cert]
@@ -289,16 +294,6 @@
resp = nil
http.start {
- if target.class == URI::HTTPS
- # xxx: information hiding violation
- sock = http.instance_variable_get(:@socket)
- if sock.respond_to?(:io)
- sock = sock.io # 1.9
- else
- sock = sock.instance_variable_get(:@socket) # 1.8
- end
- sock.post_connection_check(target_host)
- end
req = Net::HTTP::Get.new(request_uri, header)
if options.include? :http_basic_authentication
user, pass = options[:http_basic_authentication]
Index: lib/net/http.rb
===================================================================
--- lib/net/http.rb (revision 13498)
+++ lib/net/http.rb (revision 13499)
@@ -476,6 +476,7 @@
@debug_output = nil
@use_ssl = false
@ssl_context = nil
+ @enable_post_connection_check = true
end
def inspect
@@ -532,6 +533,9 @@
false # redefined in net/https
end
+ # specify enabling SSL server sertificate and hostname checking.
+ attr_accessor :enable_post_connection_check
+
# Opens TCP connection and HTTP session.
#
# When this method is called with block, gives a HTTP object
@@ -590,6 +594,14 @@
HTTPResponse.read_new(@socket).value
end
s.connect
+ if @ssl_context.verify_mode != OpenSSL::SSL::VERIFY_NONE
+ begin
+ s.post_connection_check(@address)
+ rescue OpenSSL::SSL::SSLError => ex
+ raise ex if @enable_post_connection_check
+ warn ex.message
+ end
+ end
end
on_connect
end
Index: ext/openssl/lib/openssl/ssl.rb
===================================================================
--- ext/openssl/lib/openssl/ssl.rb (revision 13498)
+++ ext/openssl/lib/openssl/ssl.rb (revision 13499)
@@ -88,7 +88,7 @@
end
}
end
- raise SSLError, "hostname not match"
+ raise SSLError, "hostname was not match with the server certificate"
end
def session
--
ML: ruby-changes@q...
Info: http://www.atdot.net/~ko1/quickml