Module: OpenSSL::SSL

Defined in:
ossl_ssl.c,
lib/openssl/ssl.rb,
ossl_ssl.c,
ossl_ssl_session.c

Overview

Use SSLContext to set up the parameters for a TLS (former SSL) connection. Both client and server TLS connections are supported, SSLSocket and SSLServer may be used in conjunction with an instance of SSLContext to set up connections.

Defined Under Namespace

Modules: Nonblock, SocketForwarder Classes: SSLContext, SSLError, SSLErrorWaitReadable, SSLErrorWaitWritable, SSLServer, SSLSocket, Session

Class Method Summary collapse

Class Method Details

.verify_certificate_identity(cert, hostname) ⇒ Object


97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
# File 'lib/openssl/ssl.rb', line 97

def verify_certificate_identity(cert, hostname)
  should_verify_common_name = true
  cert.extensions.each{|ext|
    next if ext.oid != "subjectAltName"
    ostr = OpenSSL::ASN1.decode(ext.to_der).value.last
    sequence = OpenSSL::ASN1.decode(ostr.value)
    sequence.value.each{|san|
      case san.tag
      when 2 # dNSName in GeneralName (RFC5280)
        should_verify_common_name = false
        reg = Regexp.escape(san.value).gsub(/\\\*/, "[^.]+")
        return true if /\A#{reg}\z/i =~ hostname
      when 7 # iPAddress in GeneralName (RFC5280)
        should_verify_common_name = false        # follows GENERAL_NAME_print() in x509v3/v3_alt.c

        if san.value.size == 4
          return true if san.value.unpack('C*').join('.') == hostname
        elsif san.value.size == 16
          return true if san.value.unpack('n*').map { |e| sprintf("%X", e) }.join(':') == hostname
        end
      end
    }
  }
  if should_verify_common_name
    cert.subject.to_a.each{|oid, value|
      if oid == "CN"
        reg = Regexp.escape(value).gsub(/\\\*/, "[^.]+")
        return true if /\A#{reg}\z/i =~ hostname
      end
    }
  end
  return false
end