authorKazuki Yamaguchi <k@rhe.jp>2016-06-27 21:41:05 +0900
committerKazuki Yamaguchi <k@rhe.jp>2016-07-23 23:28:40 +0900
commit028e495734e9e6aa5dba1a2e130b08f66cf31a21 (patch)
tree263cfa336fc4efb66dd74e1b14594ba8ebbf91d7 /lib
parent6c387d4cf1e9cc1a304cb71260079ba9a8db022d (diff)
ssl: add verify_hostname option to SSLContexttopic/ssl-verify-hostname
If a client sets this to true and enables SNI with SSLSocket#hostname=, the hostname verification on the server certificate is performed automatically during the handshake using OpenSSL::SSL.verify_certificate_identity(). Currently a user who wants to do the hostname verification needs to call SSLSocket#post_connection_check explicitly after the TLS connection is established. This commit also enables the option in SSLContext::DEFAULT_PARAMS. Applications using SSLContext#set_params may be affected by this. [GH ruby/openssl#8]
Diffstat (limited to 'lib')
-rw-r--r--lib/openssl/ssl.rb11
1 files changed, 8 insertions, 3 deletions
diff --git a/lib/openssl/ssl.rb b/lib/openssl/ssl.rb
index 9cac6925..a8059cba 100644
--- a/lib/openssl/ssl.rb
+++ b/lib/openssl/ssl.rb
@@ -19,6 +19,7 @@ module OpenSSL
DEFAULT_PARAMS = {
:ssl_version => "SSLv23",
:verify_mode => OpenSSL::SSL::VERIFY_PEER,
+ :verify_hostname => true,
:ciphers => %w{
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
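Review bot: The new `:verify_hostname => true` default is silent when no SNI hostname has been set on the socket — per the commit description the check only runs when SSLSocket#hostname= was called — so a client that relies on set_params but never sets the hostname still gets no hostname check while the default suggests it does. A comment on the entry would make that visible to readers of DEFAULT_PARAMS, e.g. `# Effective only when SSLSocket#hostname= has been set; otherwise call SSLSocket#post_connection_check.` The same caveat belongs in the set_params documentation rewritten in the third hunk, which continues outside this view. Whether the handshake-time check is skipped when an application overrides verify_mode with VERIFY_NONE is not visible here and worth confirming in the extension code. The DEFAULT_PARAMS hash itself closes outside the hunk.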
@@ -71,7 +72,7 @@ module OpenSSL
"session_get_cb", "session_new_cb", "session_remove_cb",
"tmp_ecdh_callback", "servername_cb", "npn_protocols",
"alpn_protocols", "alpn_select_cb",
- "npn_select_cb"].map { |x| "@#{x}" }
+ "npn_select_cb", "verify_hostname"].map { |x| "@#{x}" }
# A callback invoked when DH parameters are required.
#
@@ -107,13 +108,17 @@ module OpenSSL
end
##
- # Sets the parameters for this SSL context to the values in +params+.
+ # call-seq:
+ # ctx.set_params(params = {}) -> params
+ #
+ # Sets saner defaults optimized for the use with HTTP-like protocols.
+ #
+ # If a Hash +params+ is given, the parameters are overridden with it.
# The keys in +params+ must be assignment methods on SSLContext.
#
# If the verify_mode is not VERIFY_NONE and ca_file, ca_path and
# cert_store are not set then the system default certificate store is
# used.
-
def set_params(params={})
params = DEFAULT_PARAMS.merge(params)
params.each{|name, value| self.__send__("#{name}=", value) }