summaryrefslogtreecommitdiff
path: root/ext/openssl/lib/openssl/ssl.rb
diff options
context:
space:
mode:
authorgotoyuzo <gotoyuzo@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2007-12-17 12:18:28 +0000
committergotoyuzo <gotoyuzo@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2007-12-17 12:18:28 +0000
commit2c038353963843b8dfa7850b0b34023437b2174d (patch)
tree00d06acd1501616b4e9a19796196981bc7109bd1 /ext/openssl/lib/openssl/ssl.rb
parentd6a70c4bb71ff6d29231878be398c7775a90007c (diff)
* ext/openssl/ossl_ssl.c (ossl_sslctx_set_ssl_version):
new method OpenSSL::SSL::SSLContext#ssl_version to wrap SSL_CTX_set_ssl_version. * ext/openssl/ossl_ssl.c (ossl_ssl_get_verify_result): new method OpenSSL::SSL::SSLSocket#verify_result to wrap SSL_get_verrify_result. * ext/openssl/lib/openssl/ssl.rb (OpenSSL::SSL::SSLContext.build): new method to build OpenSSL::SSL::SSLContext with Hash parameters. this method provides safety default parameters than SSLContext.new. * ext/openssl/lib/openssl/ssl.rb (OpenSSL::SSL.verify_cetificate_identity): new module function: pull out identity verification process from OpenSSL::SSL::SSLSocket#post_connection_check. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@14270 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'ext/openssl/lib/openssl/ssl.rb')
-rw-r--r--ext/openssl/lib/openssl/ssl.rb78
1 files changed, 55 insertions, 23 deletions
diff --git a/ext/openssl/lib/openssl/ssl.rb b/ext/openssl/lib/openssl/ssl.rb
index ad9559f6b6..63d6690eb4 100644
--- a/ext/openssl/lib/openssl/ssl.rb
+++ b/ext/openssl/lib/openssl/ssl.rb
@@ -20,6 +20,31 @@ require "fcntl"
module OpenSSL
module SSL
+ class SSLContext
+ class <<self
+ def build(params={})
+ default_params = {
+ :ssl_version => "SSLv23",
+ :verify_mode => OpenSSL::SSL::VERIFY_PEER,
+ :ciphers => "ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW",
+ :options => OpenSSL::SSL::OP_ALL,
+ }
+ params = default_params.merge(params)
+ ctx = new()
+ params.each{|name, value| ctx.__send__("#{name}=", value) }
+ ctx.verify_mode ||= OpenSSL::SSL::VERIFY_NONE
+ if ctx.verify_mode != OpenSSL::SSL::VERIFY_NONE
+ unless ctx.ca_file or ctx.ca_path or
+ ctx.cert_store or ctx.verify_callback
+ ctx.cert_store = OpenSSL::X509::Store.new
+ ctx.cert_store.set_default_paths
+ end
+ end
+ return ctx
+ end
+ end
+ end
+
module SocketForwarder
def addr
to_io.addr
@@ -59,36 +84,43 @@ module OpenSSL
end
end
+ def verify_certificate_identity(cert, hostname)
+ should_verify_common_name = true
+ cert.extensions.each{|ext|
+ next if ext.oid != "subjectAltName"
+ ext.value.split(/,\s+/).each{|general_name|
+ if /\ADNS:(.*)/ =~ general_name
+ should_verify_common_name = false
+ reg = Regexp.escape($1).gsub(/\\\*/, "[^.]+")
+ return true if /\A#{reg}\z/i =~ hostname
+ elsif /\AIP Address:(.*)/ =~ general_name
+ should_verify_common_name = false
+ return true if $1 == hostname
+ end
+ }
+ }
+ if should_verify_common_name
+ cert.subject.to_a.each{|oid, value|
+ if oid == "CN"
+ reg = Regexp.escape(value).gsub(/\\\*/, "[^.]+")
+ return true if /\A#{reg}\z/i =~ hostname
+ end
+ }
+ end
+ return false
+ end
+ module_function :verify_certificate_identity
+
class SSLSocket
include Buffering
include SocketForwarder
include Nonblock
def post_connection_check(hostname)
- check_common_name = true
- cert = peer_cert
- cert.extensions.each{|ext|
- next if ext.oid != "subjectAltName"
- ext.value.split(/,\s+/).each{|general_name|
- if /\ADNS:(.*)/ =~ general_name
- check_common_name = false
- reg = Regexp.escape($1).gsub(/\\\*/, "[^.]+")
- return true if /\A#{reg}\z/i =~ hostname
- elsif /\AIP Address:(.*)/ =~ general_name
- check_common_name = false
- return true if $1 == hostname
- end
- }
- }
- if check_common_name
- cert.subject.to_a.each{|oid, value|
- if oid == "CN"
- reg = Regexp.escape(value).gsub(/\\\*/, "[^.]+")
- return true if /\A#{reg}\z/i =~ hostname
- end
- }
+ unless OpenSSL::SSL.verify_certificate_identity(peer_cert, hostname)
+ raise SSLError, "hostname was not match with the server certificate"
end
- raise SSLError, "hostname was not match with the server certificate"
+ return true
end
def session