ruby-changes:2165
From: ko1@a...
Date: 8 Oct 2007 20:15:01 +0900
Subject: [ruby-changes:2165] gotoyuzo - Ruby:r13656 (trunk): * lib/net/imap.rb, lib/net/smtp.rb, lib/net/pop.rb: hostname should
gotoyuzo 2007-10-08 20:14:41 +0900 (Mon, 08 Oct 2007)
New Revision: 13656
Modified files:
trunk/ChangeLog
trunk/ext/openssl/lib/net/ftptls.rb
trunk/ext/openssl/lib/net/telnets.rb
trunk/lib/net/imap.rb
trunk/lib/net/pop.rb
trunk/lib/net/smtp.rb
Log:
* lib/net/imap.rb, lib/net/smtp.rb, lib/net/pop.rb: the hostname should
be verified against the server's identity as presented in the server's
certificate. [ruby-dev:31960]
* ext/openssl/lib/net/telnets.rb, ext/openssl/lib/net/ftptls.rb: ditto.
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/trunk/lib/net/imap.rb?r1=13656&r2=13655
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/trunk/ext/openssl/lib/net/telnets.rb?r1=13656&r2=13655
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/trunk/ChangeLog?r1=13656&r2=13655
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/trunk/lib/net/smtp.rb?r1=13656&r2=13655
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/trunk/lib/net/pop.rb?r1=13656&r2=13655
http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/trunk/ext/openssl/lib/net/ftptls.rb?r1=13656&r2=13655
Index: ChangeLog
===================================================================
--- ChangeLog (revision 13655)
+++ ChangeLog (revision 13656)
@@ -1,3 +1,11 @@
+Mon Oct 8 20:06:29 2007 GOTOU Yuuzou <gotoyuzo@n...>
+
+ * lib/net/imap.rb, lib/net/smtp.rb, lib/net/pop.rb: hostname should
+ be verified against server's indentity as persented in the server's
+ certificate. [ruby-dev:31960]
+
+ * ext/openssl/lib/net/telnets.rb, ext/openssl/lib/net/ftptls.rb: ditto.
+
Sun Oct 7 22:37:47 2007 Kouhei Sutou <kou@c...>
* test/rss/test_taxonomy.rb, test/rss/test_parser_1.0.rb,
Index: lib/net/pop.rb
===================================================================
--- lib/net/pop.rb (revision 13655)
+++ lib/net/pop.rb (revision 13656)
@@ -533,6 +533,9 @@
s = OpenSSL::SSL::SSLSocket.new(s, context)
s.sync_close = true
s.connect
+ if context.verify_mode != OpenSSL::SSL::VEIFY_NONE
+ s.post_connection_check(@address)
+ end
end
@socket = InternetMessageIO.new(s)
logging "POP session started: #{@address}:#{@port} (#{@apop ? 'APOP' : 'POP'})"
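Review bot: `OpenSSL::SSL::VEIFY_NONE` on the added `if` line is a misspelling of `VERIFY_NONE`; resolving it raises NameError, so every SSL POP session fails at this point instead of being hostname-checked. The line should read `if context.verify_mode != OpenSSL::SSL::VERIFY_NONE`, as the smtp.rb hunk does. Separately, when `post_connection_check` raises on a name mismatch, `s` is already connected and nothing in the hunk closes it; unless an outer rescue does so (the enclosing method starts and ends outside the hunk) the TLS socket stays open. The same applies to the smtp.rb, imap.rb (`start_tls_session`), telnets.rb and ftptls.rb hunks, where a `rescue OpenSSL::SSL::SSLError` that closes the socket and re-raises would bound the failure.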
Index: lib/net/smtp.rb
===================================================================
--- lib/net/smtp.rb (revision 13655)
+++ lib/net/smtp.rb (revision 13656)
@@ -578,6 +578,9 @@
logging "TLS connection started"
s.sync_close = true
s.connect
+ if @ssl_context.verify_mode != OpenSSL::SSL::VERIFY_NONE
+ s.post_connection_check(@address)
+ end
s
end
Index: lib/net/imap.rb
===================================================================
--- lib/net/imap.rb (revision 13655)
+++ lib/net/imap.rb (revision 13656)
@@ -330,19 +330,10 @@
end
# Sends a STARTTLS command to start TLS session.
- def starttls(ctx = nil)
- if @sock.kind_of?(OpenSSL::SSL::SSLSocket)
- raise RuntimeError, "already using SSL"
- end
+ def starttls(certs = nil, verify = false)
send_command("STARTTLS") do |resp|
if resp.kind_of?(TaggedResponse) && resp.name == "OK"
- if ctx
- @sock = OpenSSL::SSL::SSLSocket.new(@sock, ctx)
- else
- @sock = OpenSSL::SSL::SSLSocket.new(@sock)
- end
- @sock.sync_close = true
- @sock.connect
+ start_tls_session(certs, verify)
end
end
end
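Review bot: The new `starttls(certs = nil, verify = false)` signature silently breaks callers of the previous `starttls(ctx)`: an `SSLContext` passed positionally now lands in `certs`, and `FileTest::file?(certs)` in `start_tls_session` would then raise a TypeError rather than a clear message. If the old form is intentionally dropped, the method comment should say so and the argument could be checked, e.g. `raise ArgumentError, "certs must be a CA file or directory path" if certs && !certs.respond_to?(:to_str)`. With `verify` defaulting to false the new hostname check is also off by default for STARTTLS, so the existing `# Sends a STARTTLS command to start TLS session.` comment would benefit from `# certs names a CA file or directory; the server certificate and hostname are only checked when verify is true.`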
@@ -906,21 +897,8 @@
@parser = ResponseParser.new
@sock = TCPSocket.open(host, port)
if usessl
- unless defined?(OpenSSL)
- raise "SSL extension not installed"
- end
+ start_tls_session(certs, verify)
@usessl = true
-
- # verify the server.
- context = SSLContext::new()
- context.ca_file = certs if certs && FileTest::file?(certs)
- context.ca_path = certs if certs && FileTest::directory?(certs)
- context.verify_mode = VERIFY_PEER if verify
- if defined?(VerifyCallbackProc)
- context.verify_callback = VerifyCallbackProc
- end
- @sock = SSLSocket.new(@sock, context)
- @sock.connect # start ssl session.
else
@usessl = false
end
@@ -1229,6 +1207,26 @@
end
end
+ def start_tls_session(certs, verify)
+ unless defined?(OpenSSL)
+ raise "SSL extension not installed"
+ end
+ if @sock.kind_of?(OpenSSL::SSL::SSLSocket)
+ raise RuntimeError, "already using SSL"
+ end
+ context = SSLContext::new()
+ context.ca_file = certs if certs && FileTest::file?(certs)
+ context.ca_path = certs if certs && FileTest::directory?(certs)
+ context.verify_mode = VERIFY_PEER if verify
+ if defined?(VerifyCallbackProc)
+ context.verify_callback = VerifyCallbackProc
+ end
+ @sock = SSLSocket.new(@sock, context)
+ @sock.sync_close = true
+ @sock.connect
+ @sock.post_connection_check(@host) if verify
+ end
+
class RawData # :nodoc:
def send_data(imap)
imap.send!(:put_string, @data)
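Review bot: `start_tls_session` is added without a comment and, as far as the hunk shows, with whatever visibility the surrounding section has; if that is public it becomes part of the IMAP API although it replaces `@sock` directly, so `private :start_tls_session` after the definition would keep the surface small. A suitable header comment: `# Wraps @sock in an SSLSocket. certs names a CA file or directory; when verify is true the peer certificate is checked against it and @host is checked against the certificate after the handshake, otherwise neither is verified.` Note that when verify is false `verify_mode` is never assigned, so the context default applies and the hostname check on the last line is skipped too; stating that explicitly matters because a caller may assume passing certs alone enables verification.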
Index: ext/openssl/lib/net/telnets.rb
===================================================================
--- ext/openssl/lib/net/telnets.rb (revision 13655)
+++ ext/openssl/lib/net/telnets.rb (revision 13656)
@@ -134,6 +134,9 @@
@sock.verify_callback = @options['VerifyCallback']
@sock.verify_depth = @options['VerifyDepth']
@sock.connect
+ if @options['VerifyMode'] != OpenSSL::SSL::VERIFY_NONE
+ @sock.post_connection_check(@options['Host'])
+ end
@ssl = true
end
''
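Review bot: The added guard tests the raw `@options['VerifyMode']` rather than the mode actually applied to the socket, so when the option is absent (`nil != VERIFY_NONE` is true) the hostname check runs even though, judging by the preceding `verify_callback`/`verify_depth` lines, the socket was configured from those same options. That is not harmful by itself, but the two settings can disagree; comparing the effective value, `if @sock.verify_mode != OpenSSL::SSL::VERIFY_NONE`, keeps them in step. The enclosing method starts and ends outside the hunk.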
Index: ext/openssl/lib/net/ftptls.rb
===================================================================
--- ext/openssl/lib/net/ftptls.rb (revision 13655)
+++ ext/openssl/lib/net/ftptls.rb (revision 13656)
@@ -29,13 +29,23 @@
module Net
class FTPTLS < FTP
+ def connect(host, port=FTP_PORT)
+ @hostname = host
+ super
+ end
+
def login(user = "anonymous", passwd = nil, acct = nil)
+ store = OpenSSL::X509::Store.new
+ store.set_default_paths
ctx = OpenSSL::SSL::SSLContext.new('SSLv23')
+ ctx.cert_store = store
+ ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
ctx.key = nil
ctx.cert = nil
voidcmd("AUTH TLS")
@sock = OpenSSL::SSL::SSLSocket.new(@sock, ctx)
@sock.connect
+ @sock.post_connection_check(@hostname)
super(user, passwd, acct)
voidcmd("PBSZ 0")
end
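Review bot: `login` now enforces `VERIFY_PEER` against the system default store and checks the hostname, with no way for a caller to supply a CA file or adjust the mode, and none of this is documented on the method. A comment above `def login` would make the new behaviour visible: `# Upgrades the control connection with AUTH TLS. The server certificate is verified against the system default CA paths and its name is checked against the host given to connect; a mismatch raises OpenSSL::SSL::SSLError.` If `login` is reached without `connect` having run through this class, `@hostname` is nil and `post_connection_check(nil)` would presumably fail with an error unrelated to the certificate, so a guard such as `raise "hostname unknown; call connect first" unless @hostname` makes that case explicit.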