Bug #13401
closed
OpenSSL::SSL::SSLSocket :hostname= accessor removed
Description
Hello. I've found a small issue, but it is important for security.
Some websites will force you to use SNI. For example "httpbin.org".

    openssl s_client -connect httpbin.org:443
    tlsv1 alert internal error

    openssl s_client -connect httpbin.org:443 -servername httpbin.org
    ok

    require "openssl"
    require "socket"

    HOST = "httpbin.org"

    class SSL < OpenSSL::SSL::SSLSocket
      def initialize *args
        super
        @hostname = HOST
      end
    end

    socket = TCPSocket.open HOST, 443
    begin
      ssl_socket = SSL.new socket, OpenSSL::SSL::SSLContext.new
      begin
        ssl_socket.connect
        puts "connected"
      ensure
        ssl_socket.close
      end
    ensure
      socket.close
    end

This code works fine with any ruby 2.0-2.3 and rubinius, but it failed with 2.4.0 and 2.4.1.
I can see that you've removed the accessor from lib/ruby/2.4.0/openssl/ssl.rb:

    if ExtConfig::HAVE_TLSEXT_HOST_NAME
      attr_reader :hostname
    end

ext/openssl/ossl_ssl.c:

    #ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME
        /* #hostname is defined in lib/openssl/ssl.rb */
        rb_define_method(cSSLSocket, "hostname=", ossl_ssl_set_hostname, 1);
    #endif

So we have to use self.hostname = HOST instead of @hostname = HOST.
Please document this new behaviour in the documentation. Thank you.
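
The difference reported above, reproduced offline as an added example (not code from the report or from Ruby's openssl library): a throwaway local TLS server records the SNI name it receives, once when the client only sets the `@hostname` instance variable and once when it calls `hostname=`. The certificate, the name `sni.test` and the helper names are constructed for the illustration, and the client skips certificate verification because only the SNI value is being observed.

```ruby
require "openssl"
require "socket"

# Constructed throwaway self-signed certificate for the local test server.
def self_signed(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Starts a one-shot TLS server on 127.0.0.1, yields the not-yet-connected
# client socket to the block, and returns the SNI name the server received
# (nil when the ClientHello carried no server_name extension).
def sni_seen_by_server
  cert, key = self_signed("sni.test")
  seen = nil
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key = key
  # Invoked only when the client sent SNI; returning nil keeps this context.
  ctx.servername_cb = lambda { |(_sock, name)| seen = name; nil }
  tcp = TCPServer.new("127.0.0.1", 0)
  server = Thread.new do
    OpenSSL::SSL::SSLServer.new(tcp, ctx).accept.close
  rescue OpenSSL::SSL::SSLError, SystemCallError
    nil
  end
  sock = TCPSocket.new("127.0.0.1", tcp.addr[1])
  client = OpenSSL::SSL::SSLSocket.new(sock, OpenSSL::SSL::SSLContext.new)
  yield client            # caller chooses how to set the hostname
  client.connect
  client.close
  server.join
  seen
ensure
  sock&.close
  tcp&.close
end

if $PROGRAM_NAME == __FILE__
  ivar = sni_seen_by_server { |s| s.instance_variable_set(:@hostname, "sni.test") }
  setter = sni_seen_by_server { |s| s.hostname = "sni.test" }
  puts "@hostname only -> SNI #{ivar.inspect}; hostname= -> SNI #{setter.inspect}"
end
```

On Ruby 2.4 and later the first call reports no SNI, which is why a server that requires SNI rejects the handshake from the subclass in the report.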