Skip to content

Add SSL peer verification to start_tls function #87

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 2 commits into from
Closed

Add SSL peer verification to start_tls function #87

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
d1cf134
Enable verifing the TLS connection in start_tls
barn May 6, 2014
8044844
Update documentation on start_tls method.
barn May 6, 2014
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
32 changes: 24 additions & 8 deletions lib/net/ldap.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -456,9 +456,8 @@ def authenticate(username, password)
# additional capabilities are added, more configuration values will be
# added here.
#
# Currently, the only supported argument is { :method => :simple_tls }.
# (Equivalently, you may pass the symbol :simple_tls all by itself,
# without enclosing it in a Hash.)
# The supported methods are { :method => :simple_tls } and { :method =>
# :start_tls }.
#
# The :simple_tls encryption method encrypts <i>all</i> communications
# with the LDAP server. It completely establishes SSL/TLS encryption with
Expand All @@ -479,9 +478,13 @@ def authenticate(username, password)
# standard port for simple-TLS encrypted connections is 636. Be sure you
# are using the correct port.
#
# <i>[Note: a future version of Net::LDAP will support the STARTTLS LDAP
# control, which will enable encrypted communications on the same TCP port
# used for unencrypted connections.]</i>
# Using :start_tls you are able to verify the peer in the TLS
# negotiation. To verify the peer, you can add the :cafile element
# with the path to a file containing one or more valid PEM formatted
# CA certificates. For example:
# { :method => :start_tls, :cafile => '/etc/ssl/cafile.pem' }
# Net::Ldap will raise an exception if the CA file doesn't exist, or if
# the peer fails TLS verification.
def encryption(args)
case args
when :simple_tls, :start_tls
Expand Down Expand Up @@ -1160,9 +1163,19 @@ def getbyte
end
end

def self.wrap_with_ssl(io)
def self.wrap_with_ssl(io,*args)

raise Net::LDAP::LdapError, "OpenSSL is unavailable" unless Net::LDAP::HasOpenSSL
ctx = OpenSSL::SSL::SSLContext.new
# If we've been given a cafile in the arguments hash, then we want to
# actually verify the TLS connection rather than just the default of
# NO_VERIFY.
if args.last.instance_of?(Hash) && args.last.has_key?(:cafile)
cafile = args.last[:cafile]
ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
raise "CA file '#{cafile}' doesn't exist" unless File.exists? cafile
ctx.ca_file = cafile
end
conn = OpenSSL::SSL::SSLSocket.new(io, ctx)
conn.connect
conn.sync_close = true
Expand Down Expand Up @@ -1213,8 +1226,11 @@ def setup_encryption(args)
raise Net::LDAP::LdapError, "no start_tls result" if be.nil?
pdu = Net::LDAP::PDU.new(be)
raise Net::LDAP::LdapError, "no start_tls result" if pdu.nil?

a = { :cafile => args[:cafile] } if args[:cafile]

if pdu.result_code.zero?
@conn = self.class.wrap_with_ssl(@conn)
@conn = self.class.wrap_with_ssl(@conn,a)
else
raise Net::LDAP::LdapError, "start_tls failed: #{pdu.result_code}"
end
Expand Down