GithubHelp home page GithubHelp logo

ssl_allow_cname's Introduction

ssl_allow_cname

ssl_allow_cname adds a parameter to Ruby's OpenSSL library: allow_cname.

This is for cases when you don't care about the host matching the CommonName or a SubjectAlternateName of a certificate (e.g., you've got other security measures), but surely don't want to turn off all peer verification.

Here's an example:

# This actually works, using the Ruby redis client's SSL support:

redis = Redis.new(
  # Say the other side of this connection has a certificate you've signed, but
  # you don't care what VPS instance it ends on with an arbitrary IP.
  url: 'rediss://198.199.120.202/',  
  ssl_params: {
    # And you only trust yourself as a CA.
    ca_file: '/etc/ssl/metermd/metermd-ca.crt',

    # And the following cert has been signed by your CA, and the key's valid...
    cert: OpenSSL::X509::Certificate.new(File.read('/etc/ssl/metermd/redis-client.crt')),
    key: OpenSSL::PKey::RSA.new(File.read('/etc/ssl/metermd/redis-client.keydh')),

    # You just care that you've authorized this certificate for this purpose,
    # and rely on the security of your CA being legit.
    allow_cname: 'redis-server'
  }
)

Using the allow_cname option disables host verification, but specifying allow_cname: :match will give you the same behavior as peer verification. When you don't specify allow_cname, everything works the same as out-of-the- box.

The value passed to allow_cname can take a few forms:

  • A String, which means the CommonName presented must exactly match what you've specified.
  • A Regexp, which will pass if it matches the CommonName of the peer certificate.
  • A Proc, which can accept either (common_name) or (common_name, host) argument lists. Return true if you like it, false otherwise.
  • The symbol :match, which accepts anything OpenSSL would've considered valid.
  • An Array of any of the above, which operates in an OR, not AND, fashion.

For simplicity, and to make it easier to not get wrong, ssl_allow_cname does not consider SubjectAlternateNames, just the first CommonName. If you're running your own CA, you'll be able to arrange this.

ssl_allow_cname's People

Contributors

mieko avatar

Watchers

 avatar James Cloos avatar  avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.