ssl_allow_cname 0.1.3 → 0.1.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/README.md +51 -4
- data/lib/ssl_allow_cname.rb +6 -0
- data/lib/ssl_allow_cname/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: a3b389210ba7957980da18153a64873506de72e1
|
|
4
|
+
data.tar.gz: a3e4f3f79048eb0e5908aedc24de736623b82915
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 910e208f3d9d38c2b69da7bff3f141e0aa317078756fa25411886d0180cea3bfc995594b06692ec504156f1c27dff45bcfc6c8c1d3eae4870b591bc44c640f1b
|
|
7
|
+
data.tar.gz: eb215150b1059368209e14357e3f7c141745a294262ca3c5f2bd18f94877a8150c57d5b72a77e20a7f23f7eccf4a993f3a88f513516a471afbf1fde420725c73
|
data/README.md
CHANGED
|
@@ -1,6 +1,53 @@
|
|
|
1
|
-
#
|
|
1
|
+
# ssl_allow_cname
|
|
2
2
|
|
|
3
|
-
|
|
4
|
-
proc, or array of any of the preceding.
|
|
3
|
+
`ssl_allow_cname` adds a parameter to Ruby's OpenSSL library: `allow_cname`.
|
|
5
4
|
|
|
6
|
-
This is
|
|
5
|
+
This is for cases when you don't care about the host matching the CommonName or
|
|
6
|
+
a SubjectAlternateName of a certificate (e.g., you've got other security
|
|
7
|
+
measures), but surely don't want to turn off all peer verification.
|
|
8
|
+
|
|
9
|
+
Here's an example:
|
|
10
|
+
|
|
11
|
+
```ruby
|
|
12
|
+
# This actually works, using the Ruby redis client's SSL support:
|
|
13
|
+
|
|
14
|
+
redis = Redis.new(
|
|
15
|
+
# Say the other side of this connection has a certificate you've signed, but
|
|
16
|
+
# you don't care what VPS instance it ends on with an arbitrary IP.
|
|
17
|
+
url: 'rediss://198.199.120.202/',
|
|
18
|
+
ssl_params: {
|
|
19
|
+
# And you only trust yourself as a CA.
|
|
20
|
+
ca_file: '/etc/ssl/metermd/metermd-ca.crt',
|
|
21
|
+
|
|
22
|
+
# And the following cert has been signed by your CA, and the key's valid...
|
|
23
|
+
cert: OpenSSL::X509::Certificate.new(File.read('/etc/ssl/metermd/redis-client.crt')),
|
|
24
|
+
key: OpenSSL::PKey::RSA.new(File.read('/etc/ssl/metermd/redis-client.keydh')),
|
|
25
|
+
|
|
26
|
+
# You just care that you've authorized this certificate for this purpose,
|
|
27
|
+
# and rely on the security of your CA being legit.
|
|
28
|
+
allow_cname: 'redis-server'
|
|
29
|
+
}
|
|
30
|
+
)
|
|
31
|
+
```
|
|
32
|
+
|
|
33
|
+
Using the `allow_cname` option disables host verification, but specifying
|
|
34
|
+
`allow_cname: :match` will give you the same behavior as peer verification.
|
|
35
|
+
When you don't specify `allow_cname`, everything works the same as out-of-the-
|
|
36
|
+
box.
|
|
37
|
+
|
|
38
|
+
The value passed to `allow_cname` can take a few forms:
|
|
39
|
+
|
|
40
|
+
* A `String`, which means the CommonName presented must exactly match what
|
|
41
|
+
you've specified.
|
|
42
|
+
* A `Regexp`, which will pass if it matches the CommonName of the peer
|
|
43
|
+
certificate.
|
|
44
|
+
* A `Proc`, which can accept either `(common_name)` or `(common_name, host)`
|
|
45
|
+
argument lists. Return `true` if you like it, false otherwise.
|
|
46
|
+
* The symbol `:match`, which accepts anything OpenSSL would've considered
|
|
47
|
+
valid.
|
|
48
|
+
* An `Array` of any of the above, which **operates in an OR, not AND,
|
|
49
|
+
fashion.**
|
|
50
|
+
|
|
51
|
+
For simplicity, and to make it easier to not get wrong, `ssl_allow_cname` does
|
|
52
|
+
not consider SubjectAlternateNames, just the first CommonName. If you're
|
|
53
|
+
running your own CA, you'll be able to arrange this.
|
data/lib/ssl_allow_cname.rb
CHANGED
|
@@ -10,6 +10,11 @@ module SslAllowCname
|
|
|
10
10
|
def post_connection_check(hostname)
|
|
11
11
|
return super if context.allow_cname.nil?
|
|
12
12
|
|
|
13
|
+
if peer_cert.nil?
|
|
14
|
+
msg = "allow_cname specified, but peer presented no certificate"
|
|
15
|
+
raise OpenSSL::SSL::SSLError, msg
|
|
16
|
+
end
|
|
17
|
+
|
|
13
18
|
cname = peer_cert.subject.to_a.map do |oid, value|
|
|
14
19
|
oid == 'CN' ? value : nil
|
|
15
20
|
end.compact.first
|
|
@@ -36,6 +41,7 @@ module SslAllowCname
|
|
|
36
41
|
"predicate in :allow_cname. Use :match " +
|
|
37
42
|
"to get normal CommonName/Host validation"
|
|
38
43
|
end
|
|
44
|
+
true
|
|
39
45
|
end
|
|
40
46
|
end
|
|
41
47
|
end
|
metadata
CHANGED
|
@@ -1,14 +1,14 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: ssl_allow_cname
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 0.1.
|
|
4
|
+
version: 0.1.4
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Mike A. Owens
|
|
8
8
|
autorequire:
|
|
9
9
|
bindir: exe
|
|
10
10
|
cert_chain: []
|
|
11
|
-
date: 2016-08-
|
|
11
|
+
date: 2016-08-11 00:00:00.000000000 Z
|
|
12
12
|
dependencies:
|
|
13
13
|
- !ruby/object:Gem::Dependency
|
|
14
14
|
name: bundler
|