ssl_allow_cname 0.1.3 → 0.1.4
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/README.md +51 -4
- data/lib/ssl_allow_cname.rb +6 -0
- data/lib/ssl_allow_cname/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: a3b389210ba7957980da18153a64873506de72e1
|
|
4
|
+
data.tar.gz: a3e4f3f79048eb0e5908aedc24de736623b82915
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 910e208f3d9d38c2b69da7bff3f141e0aa317078756fa25411886d0180cea3bfc995594b06692ec504156f1c27dff45bcfc6c8c1d3eae4870b591bc44c640f1b
|
|
7
|
+
data.tar.gz: eb215150b1059368209e14357e3f7c141745a294262ca3c5f2bd18f94877a8150c57d5b72a77e20a7f23f7eccf4a993f3a88f513516a471afbf1fde420725c73
|
data/README.md
CHANGED
|
@@ -1,6 +1,53 @@
|
|
|
1
|
-
#
|
|
1
|
+
# ssl_allow_cname
|
|
2
2
|
|
|
3
|
-
|
|
4
|
-
proc, or array of any of the preceding.
|
|
3
|
+
`ssl_allow_cname` adds a parameter to Ruby's OpenSSL library: `allow_cname`.
|
|
5
4
|
|
|
6
|
-
This is
|
|
5
|
+
This is for cases when you don't care about the host matching the CommonName or
|
|
6
|
+
a SubjectAlternateName of a certificate (e.g., you've got other security
|
|
7
|
+
measures), but surely don't want to turn off all peer verification.
|
|
8
|
+
|
|
9
|
+
Here's an example:
|
|
10
|
+
|
|
11
|
+
```ruby
|
|
12
|
+
# This actually works, using the Ruby redis client's SSL support:
|
|
13
|
+
|
|
14
|
+
redis = Redis.new(
|
|
15
|
+
# Say the other side of this connection has a certificate you've signed, but
|
|
16
|
+
# you don't care what VPS instance it ends on with an arbitrary IP.
|
|
17
|
+
url: 'rediss://198.199.120.202/',
|
|
18
|
+
ssl_params: {
|
|
19
|
+
# And you only trust yourself as a CA.
|
|
20
|
+
ca_file: '/etc/ssl/metermd/metermd-ca.crt',
|
|
21
|
+
|
|
22
|
+
# And the following cert has been signed by your CA, and the key's valid...
|
|
23
|
+
cert: OpenSSL::X509::Certificate.new(File.read('/etc/ssl/metermd/redis-client.crt')),
|
|
24
|
+
key: OpenSSL::PKey::RSA.new(File.read('/etc/ssl/metermd/redis-client.keydh')),
|
|
25
|
+
|
|
26
|
+
# You just care that you've authorized this certificate for this purpose,
|
|
27
|
+
# and rely on the security of your CA being legit.
|
|
28
|
+
allow_cname: 'redis-server'
|
|
29
|
+
}
|
|
30
|
+
)
|
|
31
|
+
```
|
|
32
|
+
|
|
33
|
+
Using the `allow_cname` option disables host verification, but specifying
|
|
34
|
+
`allow_cname: :match` will give you the same behavior as peer verification.
|
|
35
|
+
When you don't specify `allow_cname`, everything works the same as out-of-the-
|
|
36
|
+
box.
|
|
37
|
+
|
|
38
|
+
The value passed to `allow_cname` can take a few forms:
|
|
39
|
+
|
|
40
|
+
* A `String`, which means the CommonName presented must exactly match what
|
|
41
|
+
you've specified.
|
|
42
|
+
* A `Regexp`, which will pass if it matches the CommonName of the peer
|
|
43
|
+
certificate.
|
|
44
|
+
* A `Proc`, which can accept either `(common_name)` or `(common_name, host)`
|
|
45
|
+
argument lists. Return `true` if you like it, false otherwise.
|
|
46
|
+
* The symbol `:match`, which accepts anything OpenSSL would've considered
|
|
47
|
+
valid.
|
|
48
|
+
* An `Array` of any of the above, which **operates in an OR, not AND,
|
|
49
|
+
fashion.**
|
|
50
|
+
|
|
51
|
+
For simplicity, and to make it easier to not get wrong, `ssl_allow_cname` does
|
|
52
|
+
not consider SubjectAlternateNames, just the first CommonName. If you're
|
|
53
|
+
running your own CA, you'll be able to arrange this.
|
data/lib/ssl_allow_cname.rb
CHANGED
|
@@ -10,6 +10,11 @@ module SslAllowCname
|
|
|
10
10
|
def post_connection_check(hostname)
|
|
11
11
|
return super if context.allow_cname.nil?
|
|
12
12
|
|
|
13
|
+
if peer_cert.nil?
|
|
14
|
+
msg = "allow_cname specified, but peer presented no certificate"
|
|
15
|
+
raise OpenSSL::SSL::SSLError, msg
|
|
16
|
+
end
|
|
17
|
+
|
|
13
18
|
cname = peer_cert.subject.to_a.map do |oid, value|
|
|
14
19
|
oid == 'CN' ? value : nil
|
|
15
20
|
end.compact.first
|
|
@@ -36,6 +41,7 @@ module SslAllowCname
|
|
|
36
41
|
"predicate in :allow_cname. Use :match " +
|
|
37
42
|
"to get normal CommonName/Host validation"
|
|
38
43
|
end
|
|
44
|
+
true
|
|
39
45
|
end
|
|
40
46
|
end
|
|
41
47
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: ssl_allow_cname
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.1.
|
|
4
|
+
version: 0.1.4
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Mike A. Owens
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2016-08-
|
|
11
|
+
date: 2016-08-11 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler
|