Bug #10910 » ssl_verify.patch
ext/openssl/lib/openssl/ssl.rb | ||
---|---|---|
include Nonblock
|
||
def post_connection_check(hostname)
|
||
if peer_cert.nil?
|
||
msg = "Peer verification enabled, but no certificate received."
|
||
if using_anon_cipher?
|
||
msg += " Anonymous cipher suite #{cipher[0]} was negotiated. Anonymous suites must be disabled to use peer verification."
|
||
end
|
||
raise SSLError, msg
|
||
end
|
||
unless OpenSSL::SSL.verify_certificate_identity(peer_cert, hostname)
|
||
raise SSLError, "hostname \"#{hostname}\" does not match the server certificate"
|
||
end
|
||
... | ... | |
rescue SSL::Session::SessionError
|
||
nil
|
||
end
|
||
private
|
||
def using_anon_cipher?
|
||
ctx = OpenSSL::SSL::SSLContext.new
|
||
ctx.ciphers = "aNULL"
|
||
ctx.ciphers.include?(cipher)
|
||
end
|
||
end
|
||
##
|
test/openssl/test_ssl.rb | ||
---|---|---|
}
|
||
}
|
||
start_server(OpenSSL::SSL::VERIFY_NONE, true, {use_anon_cipher: true}){|server, port|
|
||
ctx = OpenSSL::SSL::SSLContext.new
|
||
ctx.ciphers = "aNULL"
|
||
server_connect(port, ctx) { |ssl|
|
||
msg = "Peer verification enabled, but no certificate received. Anonymous cipher suite " \
|
||
"ADH-AES256-GCM-SHA384 was negotiated. Anonymous suites must be disabled to use peer verification."
|
||
assert_raise_with_message(sslerr,msg){ssl.post_connection_check("localhost.localdomain")}
|
||
}
|
||
}
|
||
now = Time.now
|
||
exts = [
|
||
["keyUsage","keyEncipherment,digitalSignature",true],
|
test/openssl/utils.rb | ||
---|---|---|
ctx_proc = args[:ctx_proc]
|
||
server_proc = args[:server_proc]
|
||
ignore_listener_error = args.fetch(:ignore_listener_error, false)
|
||
use_anon_cipher = args.fetch(:use_anon_cipher, false)
|
||
server_proc ||= method(:readwrite_loop)
|
||
store = OpenSSL::X509::Store.new
|
||
store.add_cert(@ca_cert)
|
||
store.purpose = OpenSSL::X509::PURPOSE_SSL_CLIENT
|
||
ctx = OpenSSL::SSL::SSLContext.new
|
||
ctx.ciphers = "ADH-AES256-GCM-SHA384" if use_anon_cipher
|
||
ctx.cert_store = store
|
||
#ctx.extra_chain_cert = [ ca_cert ]
|
||
ctx.cert = @svr_cert
|