25
:ssl_version => "SSLv23",
26
:verify_mode => OpenSSL::SSL::VERIFY_PEER,
27
:ciphers => "ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW",
28
:options => OpenSSL::SSL::OP_ALL,
31
DEFAULT_CERT_STORE = OpenSSL::X509::Store.new
32
DEFAULT_CERT_STORE.set_default_paths
33
if defined?(OpenSSL::X509::V_FLAG_CRL_CHECK_ALL)
34
DEFAULT_CERT_STORE.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
37
def set_params(params={})
38
params = DEFAULT_PARAMS.merge(params)
39
params.each{|name, value| self.__send__("#{name}=", value) }
40
if self.verify_mode != OpenSSL::SSL::VERIFY_NONE
41
unless self.ca_file or self.ca_path or self.cert_store
42
self.cert_store = DEFAULT_CERT_STORE
23
49
module SocketForwarder
88
def verify_certificate_identity(cert, hostname)
89
should_verify_common_name = true
90
cert.extensions.each{|ext|
91
next if ext.oid != "subjectAltName"
92
ext.value.split(/,\s+/).each{|general_name|
93
if /\ADNS:(.*)/ =~ general_name
94
should_verify_common_name = false
95
reg = Regexp.escape($1).gsub(/\\\*/, "[^.]+")
96
return true if /\A#{reg}\z/i =~ hostname
97
elsif /\AIP Address:(.*)/ =~ general_name
98
should_verify_common_name = false
99
return true if $1 == hostname
103
if should_verify_common_name
104
cert.subject.to_a.each{|oid, value|
106
reg = Regexp.escape(value).gsub(/\\\*/, "[^.]+")
107
return true if /\A#{reg}\z/i =~ hostname
113
module_function :verify_certificate_identity
64
117
include SocketForwarder
67
120
def post_connection_check(hostname)
68
check_common_name = true
70
cert.extensions.each{|ext|
71
next if ext.oid != "subjectAltName"
72
ext.value.split(/,\s+/).each{|general_name|
73
if /\ADNS:(.*)/ =~ general_name
74
check_common_name = false
75
reg = Regexp.escape($1).gsub(/\\\*/, "[^.]+")
76
return true if /\A#{reg}\z/i =~ hostname
77
elsif /\AIP Address:(.*)/ =~ general_name
78
check_common_name = false
79
return true if $1 == hostname
84
cert.subject.to_a.each{|oid, value|
86
reg = Regexp.escape(value).gsub(/\\\*/, "[^.]+")
87
return true if /\A#{reg}\z/i =~ hostname
121
unless OpenSSL::SSL.verify_certificate_identity(peer_cert, hostname)
122
raise SSLError, "hostname was not match with the server certificate"
91
raise SSLError, "hostname not match"