ssl_allow_cname 0.1.3 → 0.1.4

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: cd9a1a0a538978860ac3c85759c5b63e123353e1
4
- data.tar.gz: 38374a3700d5292652387643fcc9ad404faed984
3
+ metadata.gz: a3b389210ba7957980da18153a64873506de72e1
4
+ data.tar.gz: a3e4f3f79048eb0e5908aedc24de736623b82915
5
5
  SHA512:
6
- metadata.gz: cbaa6fd49e2bd2d432e021726a31601e3a31d1e4c993784370230ce228142f2ed39c99120df3e8ef6ccc1bad93b370f654b8d70e1e0d37ae23de3550b5949aa1
7
- data.tar.gz: 651865332f539e2aa1db220ff46eb45d58dc7eb9326bb8f92c5e55f961505d5e2608dcd8a68e67349f2ff88a65dd16681f3010e69609a3f10061332225a267cd
6
+ metadata.gz: 910e208f3d9d38c2b69da7bff3f141e0aa317078756fa25411886d0180cea3bfc995594b06692ec504156f1c27dff45bcfc6c8c1d3eae4870b591bc44c640f1b
7
+ data.tar.gz: eb215150b1059368209e14357e3f7c141745a294262ca3c5f2bd18f94877a8150c57d5b72a77e20a7f23f7eccf4a993f3a88f513516a471afbf1fde420725c73
data/README.md CHANGED
@@ -1,6 +1,53 @@
1
- # SslAllowCname
1
+ # ssl_allow_cname
2
2
 
3
- This adds an SSL parameter: 'allow_cname', which can be a string, regexp, or
4
- proc, or array of any of the preceding.
3
+ `ssl_allow_cname` adds a parameter to Ruby's OpenSSL library: `allow_cname`.
5
4
 
6
- This is will be further documented in the future.
5
+ This is for cases when you don't care about the host matching the CommonName or
6
+ a SubjectAlternateName of a certificate (e.g., you've got other security
7
+ measures), but surely don't want to turn off all peer verification.
8
+
9
+ Here's an example:
10
+
11
+ ```ruby
12
+ # This actually works, using the Ruby redis client's SSL support:
13
+
14
+ redis = Redis.new(
15
+ # Say the other side of this connection has a certificate you've signed, but
16
+ # you don't care what VPS instance it ends on with an arbitrary IP.
17
+ url: 'rediss://198.199.120.202/',
18
+ ssl_params: {
19
+ # And you only trust yourself as a CA.
20
+ ca_file: '/etc/ssl/metermd/metermd-ca.crt',
21
+
22
+ # And the following cert has been signed by your CA, and the key's valid...
23
+ cert: OpenSSL::X509::Certificate.new(File.read('/etc/ssl/metermd/redis-client.crt')),
24
+ key: OpenSSL::PKey::RSA.new(File.read('/etc/ssl/metermd/redis-client.keydh')),
25
+
26
+ # You just care that you've authorized this certificate for this purpose,
27
+ # and rely on the security of your CA being legit.
28
+ allow_cname: 'redis-server'
29
+ }
30
+ )
31
+ ```
32
+
33
+ Using the `allow_cname` option disables host verification, but specifying
34
+ `allow_cname: :match` will give you the same behavior as peer verification.
35
+ When you don't specify `allow_cname`, everything works the same as out-of-the-
36
+ box.
37
+
38
+ The value passed to `allow_cname` can take a few forms:
39
+
40
+ * A `String`, which means the CommonName presented must exactly match what
41
+ you've specified.
42
+ * A `Regexp`, which will pass if it matches the CommonName of the peer
43
+ certificate.
44
+ * A `Proc`, which can accept either `(common_name)` or `(common_name, host)`
45
+ argument lists. Return `true` if you like it, false otherwise.
46
+ * The symbol `:match`, which accepts anything OpenSSL would've considered
47
+ valid.
48
+ * An `Array` of any of the above, which **operates in an OR, not AND,
49
+ fashion.**
50
+
51
+ For simplicity, and to make it easier to not get wrong, `ssl_allow_cname` does
52
+ not consider SubjectAlternateNames, just the first CommonName. If you're
53
+ running your own CA, you'll be able to arrange this.
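Review bot: the sentence "`allow_cname: :match` will give you the same behavior as peer verification" in this README hunk should say hostname verification: the `post_connection_check` change below only replaces the CommonName-versus-host comparison, and the README's own text says the user still does "not want to turn off all peer verification", so chain validation against `ca_file` is unchanged and the distinction deserves to be explicit. Two smaller documentation points in the same hunk: the example loads `'/etc/ssl/metermd/redis-client.keydh'` where `.key` looks intended, and "SubjectAlternateName" is the SubjectAlternativeName (SAN) extension; since the text states SANs are ignored and only the first CommonName is consulted, it is worth stating plainly that a certificate carrying the expected name only in its SAN will fail the check.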
@@ -10,6 +10,11 @@ module SslAllowCname
10
10
  def post_connection_check(hostname)
11
11
  return super if context.allow_cname.nil?
12
12
 
13
+ if peer_cert.nil?
14
+ msg = "allow_cname specified, but peer presented no certificate"
15
+ raise OpenSSL::SSL::SSLError, msg
16
+ end
17
+
13
18
  cname = peer_cert.subject.to_a.map do |oid, value|
14
19
  oid == 'CN' ? value : nil
15
20
  end.compact.first
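Review bot: the new `peer_cert.nil?` guard handles a missing certificate, but `cname` computed immediately after it can still be nil when the subject has no CN attribute (`.compact.first` over an empty result), and that nil then flows into the String/Regexp/Proc comparison further down; suggest a second guard in the same style, e.g. `raise OpenSSL::SSL::SSLError, "allow_cname specified, but peer certificate has no CommonName" if cname.nil?`, plus a spec covering both failure paths. Including `hostname` in `msg` would also make the failure attributable in client logs.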
@@ -36,6 +41,7 @@ module SslAllowCname
36
41
  "predicate in :allow_cname. Use :match " +
37
42
  "to get normal CommonName/Host validation"
38
43
  end
44
+ true
39
45
  end
40
46
  end
41
47
  end
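Review bot: the added `true` at the end of `post_connection_check` gives the accepting path a return value consistent with the `return super` branch at the top of the method, where before this change the method fell off the end of the `if`/`raise` and returned nil; worth a spec asserting that the method returns true for a matching name and raises `OpenSSL::SSL::SSLError` on a mismatch, so the contract is pinned down rather than implied.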
@@ -1,3 +1,3 @@
1
1
  module SslAllowCname
2
- VERSION = "0.1.3"
2
+ VERSION = "0.1.4"
3
3
  end
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: ssl_allow_cname
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.1.3
4
+ version: 0.1.4
5
5
  platform: ruby
6
6
  authors:
7
7
  - Mike A. Owens
8
8
  autorequire:
9
9
  bindir: exe
10
10
  cert_chain: []
11
- date: 2016-08-10 00:00:00.000000000 Z
11
+ date: 2016-08-11 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: bundler
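Review bot: `cert_chain: []` in the unchanged context shows this release, like 0.1.3, is published unsigned; for a gem whose purpose is relaxing TLS name checks, signing the gem (populating `cert_chain` and shipping the signature) would let consumers install under a signature-checking trust policy and detect a tampered package. Otherwise the version and date bumps are the only changes here, consistent with the `VERSION = "0.1.4"` hunk above.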