Module: OpenSSL::SSL
Defined in:
- lib/jopenssl21/openssl/ssl.rb
- lib/jopenssl18/openssl/ssl-internal.rb
- lib/jopenssl19/openssl/ssl-internal.rb
Defined Under Namespace
Modules: Nonblock, SocketForwarder
Classes: SSLServer, SSLSocket
Class Method Summary
-
.verify_certificate_identity(cert, hostname) ⇒ Object
FIXME: Using the old non-ASN1 logic here because our ASN1 appears to return the wrong types for some decoded objects.
Class Method Details
.verify_certificate_identity(cert, hostname) ⇒ Object
FIXME: Using the old non-ASN1 logic here because our ASN1 appears to return the wrong types for some decoded objects. See #1102
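# File 'lib/jopenssl21/openssl/ssl.rb', line 63
#
# Decides whether +hostname+ is one of the identities presented by +cert+.
#
# subjectAltName entries are examined first: DNS entries are compared
# case-insensitively with wildcard support, IP entries by exact string
# equality. The subject CN is consulted only when the certificate carries
# no DNS or IP subjectAltName entry at all.
#
# A "*" is honoured only inside the left-most label of a presented name,
# where it stands for one or more characters of that single label. A name
# carrying "*" in any later label never matches (RFC 6125, section 6.4.3);
# previously every "*" was expanded, so a name such as "bar.*.example.net"
# was accepted for any host in that position.
#
# FIXME: Using the old non-ASN1 logic here because our ASN1 appears to
# return the wrong types for some decoded objects. See #1102
#
# NOTE(review): because of the above, the extension is read from its
# printable form (ext.value split on ", "). Matching therefore depends on
# how the extension is rendered as text, not on the decoded GeneralNames;
# confirm that rendering cannot merge or split entries before relying on it.
#
# @param cert [#extensions, #subject] peer certificate to inspect
# @param hostname [String] name the caller intended to reach
# @return [Boolean] true when an identity in +cert+ matches +hostname+
def verify_certificate_identity(cert, hostname)
  # Compares one presented DNS-style name (SAN entry or CN) with hostname.
  # A lambda keeps the helper local, so no new method is added to the module.
  presented_name_matches = lambda do |presented|
    leftmost, remainder = presented.split(".", 2)
    # Wildcards are refused outright anywhere past the first label.
    return false if remainder && remainder.include?("*")

    pattern = Regexp.escape(leftmost.to_s).gsub(/\\\*/, "[^.]+")
    pattern += Regexp.escape(".#{remainder}") if remainder
    # \A and \z anchor the whole string; ^ and $ would only anchor a line.
    !(/\A#{pattern}\z/i =~ hostname).nil?
  end

  consult_common_name = true

  cert.extensions.each do |ext|
    next unless ext.oid == "subjectAltName"

    ext.value.split(/,\s+/).each do |general_name|
      if /\ADNS:(.*)/ =~ general_name
        consult_common_name = false
        return true if presented_name_matches.call(Regexp.last_match(1))
      # Both "IP:" and "IP Address:" prefixes are accepted; the original
      # author noted failures elsewhere when only the long form was handled.
      # The comparison is plain string equality, so equivalent addresses
      # written differently (e.g. IPv6 spellings) do not match.
      elsif /\AIP(?: Address)?:(.*)/ =~ general_name
        consult_common_name = false
        return true if Regexp.last_match(1) == hostname
      end
    end
  end

  if consult_common_name
    cert.subject.to_a.each do |oid, value|
      return true if oid == "CN" && presented_name_matches.call(value)
    end
  end

  false
end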