net-http-persistent 2.3.3 → 2.4

data/History.txt

@@ -1,10 +1,19 @@
-=== 2.3.3
+=== 2.4 / 2012-01-31
+
+* Minor Enhancement
+  * net-http-persistent now complains if OpenSSL::SSL::VERIFY_PEER is equal to
+    OpenSSL::SSL::VERIFY_NONE.  If you have a platform that is broken this way
+    you must define the constant:
+
+      I_KNOW_THAT_OPENSSL_VERIFY_PEER_EQUALS_VERIFY_NONE_IS_WRONG = nil
+
+    at the top level of your application to disable the warning.
 
 * Bug fix
   * Fix persisting SSL sessions through HTTP proxies.  Mechanize issue #178 by
-    Robert Poor.
+    Robert Poor, net-http-persistent issues #10, #11.
 
-=== 2.3.2
+=== 2.3.2 / 2011-12-21
 
 * Bug fix
   * Finish connections that were closed by Net::HTTP so they can be restarted.

data/lib/net/http/persistent.rb

@@ -149,7 +149,7 @@ class Net::HTTP::Persistent
   ##
   # The version of Net::HTTP::Persistent you are using
 
-  VERSION = '2.3.3'
+  VERSION = '2.4'
 
   ##
   # Error class for errors raised by Net::HTTP::Persistent.  Various
@@ -715,6 +715,33 @@ class Net::HTTP::Persistent
 
     connection.verify_mode = @verify_mode
 
+    if OpenSSL::SSL::VERIFY_PEER == OpenSSL::SSL::VERIFY_NONE and
+       not Object.const_defined?(:I_KNOW_THAT_OPENSSL_VERIFY_PEER_EQUALS_VERIFY_NONE_IS_WRONG) then
+      warn <<-WARNING
+                             !!!SECURITY WARNING!!!
+
+The SSL HTTP connection to:
+
+  #{connection.address}:#{connection.port}
+
+                           !!!MAY NOT BE VERIFIED!!!
+
+On your platform your OpenSSL implementation is broken.
+
+There is no difference between the values of VERIFY_NONE and VERIFY_PEER.
+
+This means that attempting to verify the security of SSL connections may not
+work.  This exposes you to man-in-the-middle exploits, snooping on the
+contents of your connection and other dangers to the security of your data.
+
+To disable this warning define the following constant at top-level in your
+application:
+
+  I_KNOW_THAT_OPENSSL_VERIFY_PEER_EQUALS_VERIFY_NONE_IS_WRONG = nil
+
+      WARNING
+    end
+
     if @ca_file then
       connection.ca_file = @ca_file
       connection.verify_mode = OpenSSL::SSL::VERIFY_PEER

data/lib/net/http/persistent/ssl_reuse.rb

@@ -112,7 +112,7 @@ class Net::HTTP::Persistent::SSLReuse < Net::HTTP
           @socket.writeline "Proxy-Authorization: Basic #{credential}"
         end
         @socket.writeline ''
-        HTTPResponse.read_new(@socket).value
+        Net::HTTPResponse.read_new(@socket).value
       end
       s.connect
       if @ssl_context.verify_mode != OpenSSL::SSL::VERIFY_NONE

data/test/test_net_http_persistent.rb

@@ -965,6 +965,35 @@ class TestNetHttpPersistent < MiniTest::Unit::TestCase
     assert_equal OpenSSL::SSL::VERIFY_NONE, c.verify_mode
   end
 
+  def test_ssl_warning
+    orig_verify_peer = OpenSSL::SSL::VERIFY_PEER
+    OpenSSL::SSL.send :remove_const, :VERIFY_PEER
+    OpenSSL::SSL.send :const_set, :VERIFY_PEER, OpenSSL::SSL::VERIFY_NONE
+
+    c = Net::HTTP.new 'localhost', 80
+
+    out, err = capture_io do
+      @http.ssl c
+    end
+
+    assert_empty out
+
+    assert_match %r%localhost:80%, err
+    assert_match %r%I_KNOW_THAT_OPENSSL%, err
+
+    Object.send :const_set, :I_KNOW_THAT_OPENSSL_VERIFY_PEER_EQUALS_VERIFY_NONE_IS_WRONG, nil
+
+    assert_silent do
+      @http.ssl c
+    end
+  ensure
+    OpenSSL::SSL.send :remove_const, :VERIFY_PEER
+    OpenSSL::SSL.send :const_set, :VERIFY_PEER, orig_verify_peer
+    if Object.const_defined?(:I_KNOW_THAT_OPENSSL_VERIFY_PEER_EQUALS_VERIFY_NONE_IS_WRONG) then
+      Object.send :remove_const, :I_KNOW_THAT_OPENSSL_VERIFY_PEER_EQUALS_VERIFY_NONE_IS_WRONG
+    end
+  end
+
   def test_can_retry_change_requests
     get  = Net::HTTP::Get.new('/')
     post = Net::HTTP::Post.new('/')

metadata

@@ -1,13 +1,12 @@
 --- !ruby/object:Gem::Specification 
 name: net-http-persistent
 version: !ruby/object:Gem::Version 
-  hash: 5
+  hash: 11
   prerelease: 
   segments: 
   - 2
-  - 3
-  - 3
-  version: 2.3.3
+  - 4
+  version: "2.4"
 platform: ruby
 authors: 
 - Eric Hodel
@@ -16,9 +15,9 @@ bindir: bin
 cert_chain: 
 - |
   -----BEGIN CERTIFICATE-----
-  MIIDNjCCAh6gAwIBAgIBADANBgkqhkiG9w0BAQUFADBBMRAwDgYDVQQDDAdkcmJy
+  MIIDVzCCAj+gAwIBAgIBATANBgkqhkiG9w0BAQUFADBBMRAwDgYDVQQDDAdkcmJy
   YWluMRgwFgYKCZImiZPyLGQBGRYIc2VnbWVudDcxEzARBgoJkiaJk/IsZAEZFgNu
-  ZXQwHhcNMDcxMjIxMDIwNDE0WhcNMDgxMjIwMDIwNDE0WjBBMRAwDgYDVQQDDAdk
+  ZXQwHhcNMTIwMTMxMDEwMzUyWhcNMTMwMTMwMDEwMzUyWjBBMRAwDgYDVQQDDAdk
   cmJyYWluMRgwFgYKCZImiZPyLGQBGRYIc2VnbWVudDcxEzARBgoJkiaJk/IsZAEZ
   FgNuZXQwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCbbgLrGLGIDE76
   LV/cvxdEzCuYuS3oG9PrSZnuDweySUfdp/so0cDq+j8bqy6OzZSw07gdjwFMSd6J
@@ -26,17 +25,17 @@ cert_chain:
   Gj/okWrQl0NjYOYBpDi+9PPmaH2RmLJu0dB/NylsDnW5j6yN1BEI8MfJRR+HRKZY
   mUtgzBwF1V4KIZQ8EuL6I/nHVu07i6IkrpAgxpXUfdJQJi0oZAqXurAV3yTxkFwd
   g62YrrW26mDe+pZBzR6bpLE+PmXCzz7UxUq3AE0gPHbiMXie3EFE0oxnsU3lIduh
-  sCANiQ8BAgMBAAGjOTA3MAkGA1UdEwQCMAAwCwYDVR0PBAQDAgSwMB0GA1UdDgQW
-  BBS5k4Z75VSpdM0AclG2UvzFA/VW5DANBgkqhkiG9w0BAQUFAAOCAQEAHagT4lfX
-  kP/hDaiwGct7XPuVGbrOsKRVD59FF5kETBxEc9UQ1clKWngf8JoVuEoKD774dW19
-  bU0GOVWO+J6FMmT/Cp7nuFJ79egMf/gy4gfUfQMuvfcr6DvZUPIs9P/TlK59iMYF
-  DIOQ3DxdF3rMzztNUCizN4taVscEsjCcgW6WkUJnGdqlu3OHWpQxZBJkBTjPCoc6
-  UW6on70SFPmAy/5Cq0OJNGEWBfgD9q7rrs/X8GGwUWqXb85RXnUVi/P8Up75E0ag
-  14jEc90kN+C7oI/AGCBN0j6JnEtYIEJZibjjDJTSMWlUKKkj30kq7hlUC2CepJ4v
-  x52qPcexcYZR7w==
+  sCANiQ8BAgMBAAGjWjBYMAkGA1UdEwQCMAAwCwYDVR0PBAQDAgSwMB0GA1UdDgQW
+  BBS5k4Z75VSpdM0AclG2UvzFA/VW5DAfBgNVHREEGDAWgRRkcmJyYWluQHNlZ21l
+  bnQ3Lm5ldDANBgkqhkiG9w0BAQUFAAOCAQEAge3LmAU2QbrS2/grAEmRu3bCCHrQ
+  NSc6j+p53VJ1DraNWEMY3D90F/SKzsI0SYgZb71i49k+pNA2CVXzEJAY7agZbjWJ
+  UbgGKN8u9SGbIoQPBPIl97JPIGlR7AoEdmlWyFySaZD4o6+Q0onUXIV+P/KrYTVb
+  Zj/NEjHGrvskpDzlYI2LvG71DFp1o0hfIZzdvfWLAMVqtuEjJ6QrUm9FttR06rNo
+  itgEKl/tNI4M9oKJT0faQ5PvJ70ualcLnwkBLyJVd2r8qwxfjUAjKF8iMpBSb98s
+  YJY7T/W2n+eWy8WuPhzVUkyzguj0bQe27NDeabgCh2mHd4Hynk2AkYh8MQ==
   -----END CERTIFICATE-----
 
-date: 2011-12-21 00:00:00 Z
+date: 2012-01-31 00:00:00 Z
 dependencies: 
 - !ruby/object:Gem::Dependency 
   name: minitest
@@ -46,28 +45,43 @@ dependencies:
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
-        hash: 15
+        hash: 23
         segments: 
         - 2
-        - 6
-        version: "2.6"
+        - 10
+        version: "2.10"
   type: :development
   version_requirements: *id001
 - !ruby/object:Gem::Dependency 
-  name: hoe
+  name: rdoc
   prerelease: false
   requirement: &id002 !ruby/object:Gem::Requirement 
     none: false
     requirements: 
     - - ~>
       - !ruby/object:Gem::Version 
-        hash: 27
+        hash: 19
         segments: 
-        - 2
-        - 12
-        version: "2.12"
+        - 3
+        - 10
+        version: "3.10"
   type: :development
   version_requirements: *id002
+- !ruby/object:Gem::Dependency 
+  name: hoe
+  prerelease: false
+  requirement: &id003 !ruby/object:Gem::Requirement 
+    none: false
+    requirements: 
+    - - ~>
+      - !ruby/object:Gem::Version 
+        hash: 25
+        segments: 
+        - 2
+        - 13
+        version: "2.13"
+  type: :development
+  version_requirements: *id003
 description: |-
   Manages persistent connections using Net::HTTP plus a speed fix for Ruby 1.8.
   It's thread-safe too!