author | Kazuki Yamaguchi <k@rhe.jp> | 2020-07-18 17:14:55 +0900 |
---|---|---|
committer | Kazuki Yamaguchi <k@rhe.jp> | 2020-07-18 20:37:48 +0900 |
commit | 87d869352c34f678e15dc728880756a5a4448a3c (patch) | |
tree | e431f5419d344934ecf1cb5282ebac5b885d73e9 | |
parent | 1ccdc05662a7817e8fe7a73ed589a8b092b527ac (diff) | |
download | ruby-openssl-87d869352c34f678e15dc728880756a5a4448a3c.tar.gz |
ssl: initialize verify_mode and verify_hostname with default valuesky/ssl-attr-default-values
SSLContext's verify_mode expects an SSL_VERIFY_* constant (an integer)
and verify_hostname expects either true or false. However, they are set
to nil after calling OpenSSL::SSL::SSLContext.new, which is surprising.
Set a proper value to them by default: verify_mode is set to
OpenSSL::SSL::VERIFY_NONE and verify_hostname is set to false by
default.
Note that this does not change the default behavior. The certificate
verification was never performed unless verify_mode is set to
OpenSSL::SSL::VERIFY_PEER by a user. The same applies to
verify_hostname.
-rw-r--r-- | lib/openssl/ssl.rb | 2 | ||||
-rw-r--r-- | test/openssl/test_ssl.rb | 6 |
2 files changed, 8 insertions, 0 deletions
diff --git a/lib/openssl/ssl.rb b/lib/openssl/ssl.rb index 8554ada0..438daab0 100644 --- a/lib/openssl/ssl.rb +++ b/lib/openssl/ssl.rb @@ -122,6 +122,8 @@ YoaOffgTf5qxiwkjnlVZQc3whgnEt9FpVMvQ9eknyeGB5KHfayAc3+hUAvI3/Cr3 def initialize(version = nil) self.options |= OpenSSL::SSL::OP_ALL self.ssl_version = version if version + self.verify_mode = OpenSSL::SSL::VERIFY_NONE + self.verify_hostname = false end ## diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb index 4015b050..59c94932 100644 --- a/test/openssl/test_ssl.rb +++ b/test/openssl/test_ssl.rb @@ -246,6 +246,11 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase end end + def test_verify_mode_default + ctx = OpenSSL::SSL::SSLContext.new + assert_equal OpenSSL::SSL::VERIFY_NONE, ctx.verify_mode + end + def test_verify_mode_server_cert start_server(ignore_listener_error: true) { |port| populated_store = OpenSSL::X509::Store.new @@ -919,6 +924,7 @@ class OpenSSL::TestSSL < OpenSSL::SSLTestCase start_server(ctx_proc: ctx_proc, ignore_listener_error: true) do |port| ctx = OpenSSL::SSL::SSLContext.new + assert_equal false, ctx.verify_hostname ctx.verify_hostname = true ctx.cert_store = OpenSSL::X509::Store.new ctx.cert_store.add_cert(@ca_cert) |
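Review bot: Callers that treated a nil `verify_mode` or `verify_hostname` as "not configured yet" will behave differently after the two assignments added to `initialize`, and the commit message does not cover that case. The description says `verify_mode` holds an integer constant, and integers are truthy in Ruby, so a pattern such as `ctx.verify_mode ||= OpenSSL::SSL::VERIFY_PEER` would presumably stop upgrading the context and leave peer verification off. A `.nil?` check on `verify_hostname` would stop firing in the same way. I would state the new contract directly above the assignments, for example `# Certificate and hostname verification stay disabled until the caller enables them (e.g. via #set_params); these readers no longer return nil.`, and mention the reader change in the release notes.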
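Review bot: The `verify_hostname` default is only asserted as an extra line inside an existing server test (the third hunk, whose enclosing method starts outside the hunk), so a regression would be reported under an unrelated test name. `test_verify_mode_default` in the second hunk already builds a fresh context and could carry both checks by adding `assert_equal false, ctx.verify_hostname`. It would also help to build one context with a version argument, since `initialize` takes that optional parameter and the new test only exercises the no-argument path.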