Add #verify_hostname= and #verify_hostname to skip hostname verification (#2858)

According to https://github.com/ruby/openssl/pull/60, > Currently an user who wants to do the hostname verification needs to call SSLSocket#post_connection_check explicitly after the TLS connection is established. if an user who wants to skip the hostname verification, SSLSocket#post_connection_check doesn't need to be called https://bugs.ruby-lang.org/issues/16555
2020-01-23 17:23:17 +09:00 · 2020-01-23 17:23:17 +09:00 · be6931f7f7
--- a/lib/net/http.rb
+++ b/lib/net/http.rb
@ -844,6 +844,7 @@ module Net   #:nodoc:
      :@verify_callback,
      :@verify_depth,
      :@verify_mode,
+      :@verify_hostname,
    ]
    SSL_ATTRIBUTES = [
      :ca_file,
@ -859,6 +860,7 @@ module Net   #:nodoc:
      :verify_callback,
      :verify_depth,
      :verify_mode,
+      :verify_hostname,
    ]

    # Sets path of a CA certification file in PEM format.
@ -908,6 +910,10 @@ module Net   #:nodoc:
    # OpenSSL::SSL::VERIFY_NONE or OpenSSL::SSL::VERIFY_PEER are acceptable.
    attr_accessor :verify_mode

+    # Sets to check the server certificate is valid for the hostname.
+    # See OpenSSL::SSL::SSLContext#verify_hostname=
+    attr_accessor :verify_hostname
+
    # Returns the X.509 certificates the server presented.
    def peer_cert
      if not use_ssl? or not @socket
@ -986,9 +992,11 @@ module Net   #:nodoc:
        ssl_parameters = Hash.new
        iv_list = instance_variables
        SSL_IVNAMES.each_with_index do |ivname, i|
-          if iv_list.include?(ivname) and
+          if iv_list.include?(ivname)
            value = instance_variable_get(ivname)
-            ssl_parameters[SSL_ATTRIBUTES[i]] = value if value
+            unless value.nil?
+              ssl_parameters[SSL_ATTRIBUTES[i]] = value
+            end
          end
        end
        @ssl_context = OpenSSL::SSL::SSLContext.new
@ -1007,7 +1015,7 @@ module Net   #:nodoc:
          s.session = @ssl_session
        end
        ssl_socket_connect(s, @open_timeout)
-        if @ssl_context.verify_mode != OpenSSL::SSL::VERIFY_NONE
+        if (@ssl_context.verify_mode != OpenSSL::SSL::VERIFY_NONE) && @ssl_context.verify_hostname
          s.post_connection_check(@address)
        end
        D "SSL established, protocol: #{s.ssl_version}, cipher: #{s.cipher[0]}"
--- a/test/net/http/test_https.rb
+++ b/test/net/http/test_https.rb
@ -204,6 +204,29 @@ class TestNetHTTPS < Test::Unit::TestCase
    skip $!
  end

+  def test_skip_hostname_verfiction
+    TestNetHTTPUtils.clean_http_proxy_env do
+      http = Net::HTTP.new('invalid_servername', config('port'))
+      http.ipaddr = config('host')
+      http.use_ssl = true
+      http.cert_store = TEST_STORE
+      http.verify_hostname = false
+      assert_nothing_raised { http.start }
+    end
+  end
+
+  def test_fail_if_verify_hostname_is_true
+    TestNetHTTPUtils.clean_http_proxy_env do
+      http = Net::HTTP.new('invalid_servername', config('port'))
+      http.ipaddr = config('host')
+      http.use_ssl = true
+      http.cert_store = TEST_STORE
+      http.verify_hostname = true
+      @log_tester = lambda { |_| }
+      assert_raise(OpenSSL::SSL::SSLError) { http.start }
+    end
+  end
+
  def test_certificate_verify_failure
    http = Net::HTTP.new("localhost", config("port"))
    http.use_ssl = true