Handle verify hostname ssl option (#1428)

2025-10-03 00:02:48 -04:00 · 2022-07-01 03:26:16 +06:00 · 2022-07-01 03:26:16 +06:00 · d420a12a57
commit d420a12a57
parent fcb2003178
7 changed files with 28 additions and 3 deletions
--- a/.rubocop.yml
+++ b/.rubocop.yml
@ -119,7 +119,7 @@ Performance/StringInclude: # (new in 1.7)
 Performance/Sum: # (new in 1.8)
  Enabled: true

-Gemspec/DateAssignment: # (new in 1.10)
+Gemspec/DeprecatedAttributeAssignment:
  Enabled: true
 Layout/LineEndStringConcatenationIndentation: # (new in 1.18)
  Enabled: true
--- a/lib/faraday/options/ssl_options.rb
+++ b/lib/faraday/options/ssl_options.rb
@ -6,6 +6,10 @@ module Faraday
  # @!attribute verify
  #   @return [Boolean] whether to verify SSL certificates or not
  #
+  # @!attribute verify_hostname
+  #   @return [Boolean] whether to enable hostname verification on server certificates
+  #           during the handshake or not (see https://github.com/ruby/openssl/pull/60)
+  #
  # @!attribute ca_file
  #   @return [String] CA file
  #
@ -41,7 +45,8 @@ module Faraday
  #
  # @!attribute max_version
  #   @return [String, Symbol] maximum SSL version (see https://ruby-doc.org/stdlib-2.5.1/libdoc/openssl/rdoc/OpenSSL/SSL/SSLContext.html#method-i-max_version-3D)
-  class SSLOptions < Options.new(:verify, :ca_file, :ca_path, :verify_mode,
+  class SSLOptions < Options.new(:verify, :verify_hostname,
+                                 :ca_file, :ca_path, :verify_mode,
                                 :cert_store, :client_cert, :client_key,
                                 :certificate, :private_key, :verify_depth,
                                 :version, :min_version, :max_version)
@ -55,5 +60,10 @@ module Faraday
    def disable?
      !verify?
    end
+
+    # @return [Boolean] true if should verify_hostname
+    def verify_hostname?
+      verify_hostname != false
+    end
  end
 end
--- a/spec/faraday/connection_spec.rb
+++ b/spec/faraday/connection_spec.rb
@ -131,6 +131,12 @@ RSpec.describe Faraday::Connection do
      it { expect(subject.ssl.verify?).to be_falsey }
    end

+    context 'with verify_hostname false' do
+      let(:options) { { ssl: { verify_hostname: false } } }
+
+      it { expect(subject.ssl.verify_hostname?).to be_falsey }
+    end
+
    context 'with empty block' do
      let(:conn) { Faraday::Connection.new {} }

--- a/spec/faraday/options/env_spec.rb
+++ b/spec/faraday/options/env_spec.rb
@ -27,6 +27,12 @@ RSpec.describe Faraday::Env do
    expect(ssl.fetch(:verify, true)).to be_falsey
  end

+  it 'handle verify_hostname when fetching' do
+    ssl = Faraday::SSLOptions.new
+    ssl.verify_hostname = true
+    expect(ssl.fetch(:verify_hostname, false)).to be_truthy
+  end
+
  it 'retains custom members' do
    env[:foo] = 'custom 1'
    env[:bar] = :custom2
--- a/spec/faraday/request_spec.rb
+++ b/spec/faraday/request_spec.rb
@ -14,6 +14,7 @@ RSpec.describe Faraday::Request do
  context 'when nothing particular is configured' do
    it { expect(subject.http_method).to eq(:get) }
    it { expect(subject.to_env(conn).ssl.verify).to be_falsey }
+    it { expect(subject.to_env(conn).ssl.verify_hostname).to be_falsey }
  end

  context 'when HTTP method is post' do
--- a/spec/faraday/utils_spec.rb
+++ b/spec/faraday/utils_spec.rb
@ -102,7 +102,8 @@ RSpec.describe Faraday::Utils do
          verify_depth: nil,
          version: '2',
          min_version: nil,
-          max_version: nil
+          max_version: nil,
+          verify_hostname: nil
        }
      end

--- a/spec/support/shared_examples/adapter.rb
+++ b/spec/support/shared_examples/adapter.rb
@ -38,6 +38,7 @@ shared_examples 'adapter examples' do |**options|
  let(:conn) do
    conn_options[:ssl] ||= {}
    conn_options[:ssl][:ca_file] ||= ENV['SSL_FILE']
+    conn_options[:ssl][:verify_hostname] ||= ENV['SSL_VERIFY_HOSTNAME'] == 'yes'

    Faraday.new(remote, conn_options) do |conn|
      conn.request :url_encoded