From 69aa6f4c4d48b4302bab047237fd52d2e719ef0a Mon Sep 17 00:00:00 2001
From: Juri Linkov
Date: Fri, 14 Feb 2020 14:43:51 +0200
Subject: [PATCH 1/3] Don't verify hostname when verify_hostname is false in tls_options
---
 lib/net/ldap/connection.rb | 6 ++++--
 test/integration/test_bind.rb | 20 ++++++++++++++++++++
 2 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/lib/net/ldap/connection.rb b/lib/net/ldap/connection.rb
index b01984f4..5cc51b45 100644
--- a/lib/net/ldap/connection.rb
+++ b/lib/net/ldap/connection.rb
@@ -53,8 +53,10 @@ def open_connection(server)
 prepare_socket(server.merge(socket: @socket_class.new(host, port, socket_opts)), timeout)
 if encryption
 if encryption[:tls_options] &&
- encryption[:tls_options][:verify_mode] &&
- encryption[:tls_options][:verify_mode] == OpenSSL::SSL::VERIFY_NONE
+ (encryption[:tls_options][:verify_mode] &&
+ encryption[:tls_options][:verify_mode] == OpenSSL::SSL::VERIFY_NONE ||
+ encryption[:tls_options].key?(:verify_hostname) &&
+ encryption[:tls_options][:verify_hostname] == false)
 warn "not verifying SSL hostname of LDAPS server '#{host}:#{port}'"
 else
 @conn.post_connection_check(host)
diff --git a/test/integration/test_bind.rb b/test/integration/test_bind.rb
index 7df263c1..e529dd64 100644
--- a/test/integration/test_bind.rb
+++ b/test/integration/test_bind.rb
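Review bot: The new parenthesised condition mixes `&&` and `||` without inner grouping, so it relies on `&&` binding tighter than `||` to mean (verify_mode is VERIFY_NONE) or (verify_hostname is false); that is the intended reading, but this line decides whether `@conn.post_connection_check(host)` runs at all, so it should not depend on operator precedence to be read correctly, and the `key?(:verify_hostname)` test is redundant because `nil == false` is already false. I would flatten it to `tls = encryption[:tls_options] || {}` followed by `if tls[:verify_mode] == OpenSSL::SSL::VERIFY_NONE || tls[:verify_hostname] == false`, keeping the `warn` and `else` branches as they are. A comment on the branch such as `# verify_hostname: false skips only the name match here; chain verification still follows verify_mode` would record why the existing warning text is still accurate for the new case, though whether the SSLContext built elsewhere honours verify_hostname on every supported Ruby is not visible in this hunk. The body of open_connection continues beyond this hunk on both sides.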
@@ -47,6 +47,26 @@ def test_bind_tls_with_cafile
 @ldap.get_operation_result.inspect
 end
 
+ def test_bind_tls_with_bad_hostname_no_verify_hostname_no_ca_passes
+ @ldap.host = INTEGRATION_HOSTNAME
+ @ldap.encryption(
+ method: :start_tls,
+ tls_options: { verify_hostname: false },
+ )
+ assert @ldap.bind(BIND_CREDS),
+ @ldap.get_operation_result.inspect
+ end
+
+ def test_bind_tls_with_bad_hostname_no_verify_hostname_no_ca_opt_merge_passes
+ @ldap.host = '127.0.0.1'
+ @ldap.encryption(
+ method: :start_tls,
+ tls_options: TLS_OPTS.merge(verify_hostname: false),
+ )
+ assert @ldap.bind(BIND_CREDS),
+ @ldap.get_operation_result.inspect
+ end
+
 def test_bind_tls_with_bad_hostname_verify_none_no_ca_passes
 @ldap.host = INTEGRATION_HOSTNAME
 @ldap.encryption(
From b3c35704286d17c740276cfe70a07cf5d2b7ab22 Mon Sep 17 00:00:00 2001
From: Juri Linkov
Date: Tue, 18 Feb 2020 10:27:36 +0200
Subject: [PATCH 2/3] Fix tests
---
 test/integration/test_bind.rb | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/test/integration/test_bind.rb b/test/integration/test_bind.rb
index e529dd64..1b4cb88e 100644
--- a/test/integration/test_bind.rb
+++ b/test/integration/test_bind.rb
@@ -48,10 +48,12 @@ def test_bind_tls_with_cafile
 end
 
 def test_bind_tls_with_bad_hostname_no_verify_hostname_no_ca_passes
- @ldap.host = INTEGRATION_HOSTNAME
+ @ldap.host = '127.0.0.1'
 @ldap.encryption(
 method: :start_tls,
- tls_options: { verify_hostname: false },
+ tls_options: { verify_mode: OpenSSL::SSL::VERIFY_PEER,
+ verify_hostname: false,
+ ca_file: CA_FILE },
 )
 assert @ldap.bind(BIND_CREDS),
 @ldap.get_operation_result.inspect
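Review bot: Both new tests assert only that `@ldap.bind(BIND_CREDS)` succeeds, which does not show that the hostname check was skipped — the same assertion would pass if the host happened to match the certificate, so the tests do not distinguish the new `verify_hostname: false` path from an ordinary verified bind. Capturing `$stderr` around the bind (for example by temporarily swapping in a `StringIO`) and asserting that the "not verifying SSL hostname" warning was emitted would pin the behaviour the connection change introduces. Whether `INTEGRATION_HOSTNAME` or `'127.0.0.1'` actually mismatches the test certificate is not visible in this hunk. The same observation applies to the revised forms of these two tests in the later patches of this series.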
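Review bot: The test name still says `_no_ca_` while the new `tls_options` now pass `ca_file: CA_FILE` and `verify_mode: OpenSSL::SSL::VERIFY_PEER`, so the name describes the opposite of what the test does; renaming it along the lines of `test_bind_tls_with_bad_hostname_no_verify_hostname_with_ca_passes` (and the `_opt_merge_` variant changed in the next hunk likewise) would keep the intent readable. With a CA file and VERIFY_PEER the successful bind is the meaningful case — the chain is still verified and only the name match is bypassed — which is worth a one-line comment above the `@ldap.encryption(` call, e.g. `# chain is verified against CA_FILE; only the hostname match is skipped`. If `TLS_OPTS` already contains `verify_mode` and `ca_file`, the `_opt_merge_` test becomes a near-duplicate of this one, but that constant is defined outside this hunk.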
@@ -61,7 +63,9 @@ def test_bind_tls_with_bad_hostname_no_verify_hostname_no_ca_opt_merge_passes
 @ldap.host = '127.0.0.1'
 @ldap.encryption(
 method: :start_tls,
- tls_options: TLS_OPTS.merge(verify_hostname: false),
+ tls_options: TLS_OPTS.merge(verify_mode: OpenSSL::SSL::VERIFY_PEER,
+ verify_hostname: false,
+ ca_file: CA_FILE),
 )
 assert @ldap.bind(BIND_CREDS),
 @ldap.get_operation_result.inspect
From 6211d5fa08ffe1c6d86835d056ad6cab19d173bf Mon Sep 17 00:00:00 2001
From: Juri Linkov
Date: Tue, 18 Feb 2020 10:53:46 +0200
Subject: [PATCH 3/3] Omit tests in Ruby versions where OpenSSL doesn't support :verify_hostname
---
 test/integration/test_bind.rb | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/test/integration/test_bind.rb b/test/integration/test_bind.rb
index 1b4cb88e..2552e6ee 100644
--- a/test/integration/test_bind.rb
+++ b/test/integration/test_bind.rb
@@ -48,6 +48,8 @@ def test_bind_tls_with_cafile
 end
 
 def test_bind_tls_with_bad_hostname_no_verify_hostname_no_ca_passes
+ omit_unless TLS_OPTS.key?(:verify_hostname)
+
 @ldap.host = '127.0.0.1'
 @ldap.encryption(
 method: :start_tls,
@@ -60,6 +62,8 @@ def test_bind_tls_with_bad_hostname_no_verify_hostname_no_ca_passes
 end
 
 def test_bind_tls_with_bad_hostname_no_verify_hostname_no_ca_opt_merge_passes
+ omit_unless TLS_OPTS.key?(:verify_hostname)
+
 @ldap.host = '127.0.0.1'
 @ldap.encryption(
 method: :start_tls,
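Review bot: `omit_unless TLS_OPTS.key?(:verify_hostname)` gates the test on the contents of the `TLS_OPTS` fixture rather than on OpenSSL support, which is what the commit message describes; if `TLS_OPTS` is derived from `OpenSSL::SSL::SSLContext::DEFAULT_PARAMS` the two coincide, but that definition is outside this hunk, and the identical guard is repeated in the second hunk for the `_opt_merge_` test. Checking the capability directly, `omit_unless OpenSSL::SSL::SSLContext.method_defined?(:verify_hostname=)`, would make the condition self-explanatory and independent of how the fixture happens to be built. The enclosing test methods continue past the end of both hunks.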