author | nagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2015-08-12 15:16:42 +0000 |
---|---|---|
committer | nagachika <nagachika@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2015-08-12 15:16:42 +0000 |
commit | 04a567fb4bb650b2b5c94851db6b59bd460e7da1 (patch) | |
tree | 07a27025bbd17c51fa856b5d07d76a9983a0f765 /ext | |
parent | 6cf3dc3145a48ce1ddc0e5265c4d16ce61ce9cb4 (diff) |
merge revision(s) 51409,51453: [Backport #10910]
* ext/openssl/lib/openssl/ssl.rb (module OpenSSL): raise a more
helpful exception when verifying the peer connection and an
anonymous cipher has been selected. [ruby-core:68330] [Bug #10910]
Thanks to Chris Sinjakli <chris@sinjakli.co.uk> for the patch.
* test/openssl/test_ssl.rb (class OpenSSL): test for change
* .travis.yml: update libssl before running tests.
Thanks to Chris Sinjakli <chris@sinjakli.co.uk> for figuring out the
travis settings!
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/branches/ruby_2_2@51554 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'ext')
-rw-r--r-- | ext/openssl/lib/openssl/ssl.rb | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/ext/openssl/lib/openssl/ssl.rb b/ext/openssl/lib/openssl/ssl.rb
index caf0b9ae44..f9e561ae0d 100644
--- a/ext/openssl/lib/openssl/ssl.rb
+++ b/ext/openssl/lib/openssl/ssl.rb
@@ -228,6 +228,14 @@ module OpenSSL
       # This method MUST be called after calling #connect to ensure that the
       # hostname of a remote peer has been verified.
       def post_connection_check(hostname)
+        if peer_cert.nil?
+          msg = "Peer verification enabled, but no certificate received."
+          if using_anon_cipher?
+            msg += " Anonymous cipher suite #{cipher[0]} was negotiated. Anonymous suites must be disabled to use peer verification."
+          end
+          raise SSLError, msg
+        end
+
         unless OpenSSL::SSL.verify_certificate_identity(peer_cert, hostname)
           raise SSLError, "hostname \"#{hostname}\" does not match the server certificate"
         end
@@ -239,6 +247,14 @@ module OpenSSL
       rescue SSL::Session::SessionError
         nil
       end
+
+      private
+
+      def using_anon_cipher?
+        ctx = OpenSSL::SSL::SSLContext.new
+        ctx.ciphers = "aNULL"
+        ctx.ciphers.include?(cipher)
+      end
     end
 
     ##
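Review bot: The error text on the new `peer_cert.nil?` branch asserts "Peer verification enabled", but nothing in the guard consults the context's `verify_mode`, so a caller that reaches this method with verification disabled and no certificate (which can presumably also happen on the server side of a connection with no client certificate, or with non-anonymous suites that carry no certificate) gets a diagnosis that describes a setting it never turned on. A neutral first sentence such as `msg = "No certificate received from the peer."` keeps the useful anonymous-suite hint without misreporting configuration. Independently, the method comment above the hunk still only promises hostname verification; it should document the new failure mode, e.g. `# Raises SSLError if the peer sent no certificate (for example because an` / `# anonymous cipher suite was negotiated) or the hostname does not match it.` The rest of post_connection_check, including its closing `end`, lies outside this hunk.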
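Review bot: `using_anon_cipher?` builds a throwaway SSLContext and assigns `ctx.ciphers = "aNULL"`; `SSLContext#ciphers=` raises SSLError when the cipher string resolves to no suites, which I believe is the case on libssl builds compiled without anonymous ciphers, so on such a build the helper would raise from inside post_connection_check instead of letting the caller see the "no certificate received" message. Guarding the probe makes the hint best-effort: `rescue OpenSSL::SSL::SSLError` / `  false` appended to the method body. It would also be worth a one-line comment that the comparison is on the full `[name, version, bits, alg_bits]` tuple returned by both `ctx.ciphers` and `cipher`, since a reader may expect a name-only match.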