From 3ecc791ddcc537e5eaa663254af6207e65da1a51 Mon Sep 17 00:00:00 2001
From: gotoyuzo <gotoyuzo@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Mon, 8 Oct 2007 11:14:41 +0000
Subject: * lib/net/imap.rb, lib/net/smtp.rb, lib/net/pop.rb: hostname should  
 be verified against server's indentity as persented in the server's  
 certificate. [ruby-dev:31960]

* ext/openssl/lib/net/telnets.rb, ext/openssl/lib/net/ftptls.rb: ditto.


git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@13656 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 lib/net/imap.rb | 48 +++++++++++++++++++++++-------------------------
 1 file changed, 23 insertions(+), 25 deletions(-)

(limited to 'lib/net/imap.rb')

diff --git a/lib/net/imap.rb b/lib/net/imap.rb
index b8239a8aba..f84229f131 100644
--- a/lib/net/imap.rb
+++ b/lib/net/imap.rb
@@ -330,19 +330,10 @@ module Net
     end
 
     # Sends a STARTTLS command to start TLS session.
-    def starttls(ctx = nil)
-      if @sock.kind_of?(OpenSSL::SSL::SSLSocket)
-        raise RuntimeError, "already using SSL"
-      end
+    def starttls(certs = nil, verify = false)
       send_command("STARTTLS") do |resp|
         if resp.kind_of?(TaggedResponse) && resp.name == "OK"
-          if ctx
-            @sock = OpenSSL::SSL::SSLSocket.new(@sock, ctx)
-          else
-            @sock = OpenSSL::SSL::SSLSocket.new(@sock)
-          end
-          @sock.sync_close = true
-          @sock.connect
+          start_tls_session(certs, verify)
         end
       end
     end
@@ -906,21 +897,8 @@ module Net
       @parser = ResponseParser.new
       @sock = TCPSocket.open(host, port)
       if usessl
-        unless defined?(OpenSSL)
-          raise "SSL extension not installed"
-        end
+        start_tls_session(certs, verify)
         @usessl = true
-
-        # verify the server.
-        context = SSLContext::new()
-        context.ca_file = certs if certs && FileTest::file?(certs)
-        context.ca_path = certs if certs && FileTest::directory?(certs)
-        context.verify_mode = VERIFY_PEER if verify
-        if defined?(VerifyCallbackProc)
-          context.verify_callback = VerifyCallbackProc 
-        end
-        @sock = SSLSocket.new(@sock, context)
-        @sock.connect   # start ssl session.
       else
         @usessl = false
       end
@@ -1229,6 +1207,26 @@ module Net
       end
     end
 
+    def start_tls_session(certs, verify)
+      unless defined?(OpenSSL)
+        raise "SSL extension not installed"
+      end
+      if @sock.kind_of?(OpenSSL::SSL::SSLSocket)
+        raise RuntimeError, "already using SSL"
+      end
+      context = SSLContext::new()
+      context.ca_file = certs if certs && FileTest::file?(certs)
+      context.ca_path = certs if certs && FileTest::directory?(certs)
+      context.verify_mode = VERIFY_PEER if verify
+      if defined?(VerifyCallbackProc)
+        context.verify_callback = VerifyCallbackProc 
+      end
+      @sock = SSLSocket.new(@sock, context)
+      @sock.sync_close = true
+      @sock.connect
+      @sock.post_connection_check(@host) if verify
+    end
+
     class RawData # :nodoc:
       def send_data(imap)
         imap.send!(:put_string, @data)
-- 
cgit v1.2.3