From dc9ca079bbd37e9e6ab5caed48a665aa616aa2a1 Mon Sep 17 00:00:00 2001
From: tenderlove <tenderlove@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Mon, 27 Jul 2015 18:29:17 +0000
Subject: * ext/openssl/lib/openssl/ssl.rb (module OpenSSL): raise a more  
 helpful exception when verifying the peer connection and an   anonymous
 cipher has been selected. [ruby-core:68330] [Bug #10910]   Thanks to Chris
 Sinjakli <chris@sinjakli.co.uk> for the patch.

* test/openssl/test_ssl.rb (class OpenSSL): test for change

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@51409 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 ext/openssl/lib/openssl/ssl.rb | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

(limited to 'ext')

diff --git a/ext/openssl/lib/openssl/ssl.rb b/ext/openssl/lib/openssl/ssl.rb
index e1b557cd68..ed33f27f1d 100644
--- a/ext/openssl/lib/openssl/ssl.rb
+++ b/ext/openssl/lib/openssl/ssl.rb
@@ -252,6 +252,14 @@ module OpenSSL
       # This method MUST be called after calling #connect to ensure that the
       # hostname of a remote peer has been verified.
       def post_connection_check(hostname)
+        if peer_cert.nil?
+          msg = "Peer verification enabled, but no certificate received."
+          if using_anon_cipher?
+            msg += " Anonymous cipher suite #{cipher[0]} was negotiated. Anonymous suites must be disabled to use peer verification."
+          end
+          raise SSLError, msg
+        end
+
         unless OpenSSL::SSL.verify_certificate_identity(peer_cert, hostname)
           raise SSLError, "hostname \"#{hostname}\" does not match the server certificate"
         end
@@ -263,6 +271,14 @@ module OpenSSL
       rescue SSL::Session::SessionError
         nil
       end
+
+      private
+
+      def using_anon_cipher?
+        ctx = OpenSSL::SSL::SSLContext.new
+        ctx.ciphers = "aNULL"
+        ctx.ciphers.include?(cipher)
+      end
     end
 
     ##
-- 
cgit v1.2.3