* lib/net/http.rb: an SSL verification (the server hostname should

be matched with its certificate's commonName) is added.
  this verification can be skipped by
  "Net::HTTP#enable_post_connection_check=(false)".
  suggested by Chris Clark <cclark at isecpartners.com>

* lib/net/open-uri.rb: use Net::HTTP#enable_post_connection_check to
  perform SSL post connection check.

* ext/openssl/lib/openssl/ssl.c
  (OpenSSL::SSL::SSLSocket#post_connection_check): refine error message.


git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@13499 b2dd03c8-39d4-4d8f-98ff-823fe69b080e

ChangeLog

@@ -1,3 +1,17 @@
+Mon Sep 24 06:49:15 2007  GOTOU Yuuzou  <gotoyuzo@notwork.org>  
+
+	* lib/net/http.rb: an SSL verification (the server hostname should
+	  be matched with its certificate's commonName) is added.
+	  this verification can be skipped by
+	  "Net::HTTP#enable_post_connection_check=(false)".
+	  suggested by Chris Clark <cclark at isecpartners.com>
+
+	* lib/net/open-uri.rb: use Net::HTTP#enable_post_connection_check to
+	  perform SSL post connection check.
+
+	* ext/openssl/lib/openssl/ssl.c
+	(OpenSSL::SSL::SSLSocket#post_connection_check): refine error message.  
+
 Sun Sep 23 09:05:05 2007  Nobuyoshi Nakada  <nobu@ruby-lang.org>
 
 	* gc.c (os_obj_of, os_each_obj): hide objects to be finalized.

ext/openssl/lib/openssl/ssl.rb

@@ -88,7 +88,7 @@ module OpenSSL
             end
           }
         end
-        raise SSLError, "hostname not match"
+        raise SSLError, "hostname was not match with the server certificate"
       end
 
       def session

lib/net/http.rb

@@ -476,6 +476,7 @@ module Net   #:nodoc:
       @debug_output = nil
       @use_ssl = false
       @ssl_context = nil
+      @enable_post_connection_check = true
     end
 
     def inspect
@@ -532,6 +533,9 @@ module Net   #:nodoc:
       false   # redefined in net/https
     end
 
+    # specify enabling SSL server sertificate and hostname checking.
+    attr_accessor :enable_post_connection_check
+
     # Opens TCP connection and HTTP session.
     # 
     # When this method is called with block, gives a HTTP object
@@ -590,6 +594,14 @@ module Net   #:nodoc:
           HTTPResponse.read_new(@socket).value
         end
         s.connect
+        if @ssl_context.verify_mode != OpenSSL::SSL::VERIFY_NONE
+          begin
+            s.post_connection_check(@address)
+          rescue OpenSSL::SSL::SSLError => ex
+            raise ex if @enable_post_connection_check
+            warn ex.message
+          end
+        end
       end
       on_connect
     end

lib/open-uri.rb

@@ -98,6 +98,7 @@ module OpenURI
     :read_timeout => true,
     :ssl_ca_cert => nil,
     :ssl_verify_mode => nil,
+    :ssl_enable_post_connection_check => true,
     :ftp_active_mode => false,
   }
 
@@ -269,6 +270,10 @@ module OpenURI
     if target.class == URI::HTTPS
       require 'net/https'
       http.use_ssl = true
+      http.enable_post_connection_check = 
+        options.has_key?(:ssl_enable_post_connection_check) ?
+        options[:ssl_enable_post_connection_check] :
+        Options[:ssl_enable_post_connection_check]
       http.verify_mode = options[:ssl_verify_mode] || OpenSSL::SSL::VERIFY_PEER
       store = OpenSSL::X509::Store.new
       if options[:ssl_ca_cert]
@@ -289,16 +294,6 @@ module OpenURI
 
     resp = nil
     http.start {
-      if target.class == URI::HTTPS
-        # xxx: information hiding violation
-        sock = http.instance_variable_get(:@socket)
-        if sock.respond_to?(:io)
-          sock = sock.io # 1.9
-        else
-          sock = sock.instance_variable_get(:@socket) # 1.8
-        end
-        sock.post_connection_check(target_host)
-      end
       req = Net::HTTP::Get.new(request_uri, header)
       if options.include? :http_basic_authentication
         user, pass = options[:http_basic_authentication]