diff options
| author | gotoyuzo <gotoyuzo@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2007-09-23 22:21:18 +0000 |
|---|---|---|
| committer | gotoyuzo <gotoyuzo@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2007-09-23 22:21:18 +0000 |
| commit | 4f04f0372bf16f0d38f02bfb0a1cd162f2dd1766 (patch) | |
| tree | 574b4e515a812f82be3fc124e7d367e6a5922fdf /lib | |
| parent | c9faac88af5744e03ad2cdcb367d5ac00f5d9eee (diff) | |
* lib/net/http.rb: an SSL verification (the server hostname should
be matched with its certificate's commonName) is added.
this verification can be skipped by
"Net::HTTP#enable_post_connection_check=(false)".
suggested by Chris Clark <cclark at isecpartners.com>
* lib/net/open-uri.rb: use Net::HTTP#enable_post_connection_check to
perform SSL post connection check.
* ext/openssl/lib/openssl/ssl.c
(OpenSSL::SSL::SSLSocket#post_connection_check): refine error message.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@13499 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/net/http.rb | 12 | ||||
| -rw-r--r-- | lib/open-uri.rb | 15 |
2 files changed, 17 insertions, 10 deletions
diff --git a/lib/net/http.rb b/lib/net/http.rb index 6be3a7ca2d..c222ad3e63 100644 --- a/lib/net/http.rb +++ b/lib/net/http.rb @@ -476,6 +476,7 @@ module Net #:nodoc: @debug_output = nil @use_ssl = false @ssl_context = nil + @enable_post_connection_check = true end def inspect @@ -532,6 +533,9 @@ module Net #:nodoc: false # redefined in net/https end + # specify enabling SSL server sertificate and hostname checking. + attr_accessor :enable_post_connection_check + # Opens TCP connection and HTTP session. # # When this method is called with block, gives a HTTP object @@ -590,6 +594,14 @@ module Net #:nodoc: HTTPResponse.read_new(@socket).value end s.connect + if @ssl_context.verify_mode != OpenSSL::SSL::VERIFY_NONE + begin + s.post_connection_check(@address) + rescue OpenSSL::SSL::SSLError => ex + raise ex if @enable_post_connection_check + warn ex.message + end + end end on_connect end diff --git a/lib/open-uri.rb b/lib/open-uri.rb index a3b5879fdc..dd0e0b5912 100644 --- a/lib/open-uri.rb +++ b/lib/open-uri.rb @@ -98,6 +98,7 @@ module OpenURI :read_timeout => true, :ssl_ca_cert => nil, :ssl_verify_mode => nil, + :ssl_enable_post_connection_check => true, :ftp_active_mode => false, } @@ -269,6 +270,10 @@ module OpenURI if target.class == URI::HTTPS require 'net/https' http.use_ssl = true + http.enable_post_connection_check = + options.has_key?(:ssl_enable_post_connection_check) ? + options[:ssl_enable_post_connection_check] : + Options[:ssl_enable_post_connection_check] http.verify_mode = options[:ssl_verify_mode] || OpenSSL::SSL::VERIFY_PEER store = OpenSSL::X509::Store.new if options[:ssl_ca_cert] @@ -289,16 +294,6 @@ module OpenURI resp = nil http.start { - if target.class == URI::HTTPS - # xxx: information hiding violation - sock = http.instance_variable_get(:@socket) - if sock.respond_to?(:io) - sock = sock.io # 1.9 - else - sock = sock.instance_variable_get(:@socket) # 1.8 - end - sock.post_connection_check(target_host) - end req = Net::HTTP::Get.new(request_uri, header) if options.include? :http_basic_authentication user, pass = options[:http_basic_authentication] |