ruby-changes:2008
From: ko1@a...
Date: 24 Sep 2007 07:21:35 +0900
Subject: [ruby-changes:2008] gotoyuzo - Ruby:r13499 (trunk): * lib/net/http.rb: an SSL verification (the server hostname should
gotoyuzo 2007-09-24 07:21:18 +0900 (Mon, 24 Sep 2007) New Revision: 13499 Modified files: trunk/ChangeLog trunk/ext/openssl/lib/openssl/ssl.rb trunk/lib/net/http.rb trunk/lib/open-uri.rb Log: * lib/net/http.rb: an SSL verification (the server hostname should be matched with its certificate's commonName) is added. this verification can be skipped by "Net::HTTP#enable_post_connection_check=(false)". suggested by Chris Clark <cclark at isecpartners.com> * lib/net/open-uri.rb: use Net::HTTP#enable_post_connection_check to perform SSL post connection check. * ext/openssl/lib/openssl/ssl.c (OpenSSL::SSL::SSLSocket#post_connection_check): refine error message. http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/trunk/ChangeLog?r1=13499&r2=13498 http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/trunk/lib/open-uri.rb?r1=13499&r2=13498 http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/trunk/lib/net/http.rb?r1=13499&r2=13498 http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/trunk/ext/openssl/lib/openssl/ssl.rb?r1=13499&r2=13498 Index: ChangeLog =================================================================== --- ChangeLog (revision 13498) +++ ChangeLog (revision 13499) @@ -1,3 +1,17 @@ +Mon Sep 24 06:49:15 2007 GOTOU Yuuzou <gotoyuzo@n...> + + * lib/net/http.rb: an SSL verification (the server hostname should + be matched with its certificate's commonName) is added. + this verification can be skipped by + "Net::HTTP#enable_post_connection_check=(false)". + suggested by Chris Clark <cclark at isecpartners.com> + + * lib/net/open-uri.rb: use Net::HTTP#enable_post_connection_check to + perform SSL post connection check. + + * ext/openssl/lib/openssl/ssl.c + (OpenSSL::SSL::SSLSocket#post_connection_check): refine error message. + Sun Sep 23 09:05:05 2007 Nobuyoshi Nakada <nobu@r...> * gc.c (os_obj_of, os_each_obj): hide objects to be finalized. Index: lib/open-uri.rb =================================================================== --- lib/open-uri.rb (revision 13498) +++ lib/open-uri.rb (revision 13499) @@ -98,6 +98,7 @@ :read_timeout => true, :ssl_ca_cert => nil, :ssl_verify_mode => nil, + :ssl_enable_post_connection_check => true, :ftp_active_mode => false, } @@ -269,6 +270,10 @@ if target.class == URI::HTTPS require 'net/https' http.use_ssl = true + http.enable_post_connection_check = + options.has_key?(:ssl_enable_post_connection_check) ? + options[:ssl_enable_post_connection_check] : + Options[:ssl_enable_post_connection_check] http.verify_mode = options[:ssl_verify_mode] || OpenSSL::SSL::VERIFY_PEER store = OpenSSL::X509::Store.new if options[:ssl_ca_cert] @@ -289,16 +294,6 @@ resp = nil http.start { - if target.class == URI::HTTPS - # xxx: information hiding violation - sock = http.instance_variable_get(:@socket) - if sock.respond_to?(:io) - sock = sock.io # 1.9 - else - sock = sock.instance_variable_get(:@socket) # 1.8 - end - sock.post_connection_check(target_host) - end req = Net::HTTP::Get.new(request_uri, header) if options.include? :http_basic_authentication user, pass = options[:http_basic_authentication] Index: lib/net/http.rb =================================================================== --- lib/net/http.rb (revision 13498) +++ lib/net/http.rb (revision 13499) @@ -476,6 +476,7 @@ @debug_output = nil @use_ssl = false @ssl_context = nil + @enable_post_connection_check = true end def inspect @@ -532,6 +533,9 @@ false # redefined in net/https end + # specify enabling SSL server sertificate and hostname checking. + attr_accessor :enable_post_connection_check + # Opens TCP connection and HTTP session. # # When this method is called with block, gives a HTTP object @@ -590,6 +594,14 @@ HTTPResponse.read_new(@socket).value end s.connect + if @ssl_context.verify_mode != OpenSSL::SSL::VERIFY_NONE + begin + s.post_connection_check(@address) + rescue OpenSSL::SSL::SSLError => ex + raise ex if @enable_post_connection_check + warn ex.message + end + end end on_connect end Index: ext/openssl/lib/openssl/ssl.rb =================================================================== --- ext/openssl/lib/openssl/ssl.rb (revision 13498) +++ ext/openssl/lib/openssl/ssl.rb (revision 13499) @@ -88,7 +88,7 @@ end } end - raise SSLError, "hostname not match" + raise SSLError, "hostname was not match with the server certificate" end def session -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml