ruby-core

Issue #13401 has been updated by puchuu (Andrew Aladjev).


Ok, I will report it to github.

----------------------------------------
Bug #13401: OpenSSL::SSL::SSLSocket :hostname= accessor removed
https://bugs.ruby-lang.org/issues/13401#change-64152

* Author: puchuu (Andrew Aladjev)
* Status: Third Party's Issue
* Priority: Normal
* Assignee: rhenium (Kazuki Yamaguchi)
* Target version: 
* ruby -v: 2.4.*
* Backport: 2.2: UNKNOWN, 2.3: UNKNOWN, 2.4: UNKNOWN
----------------------------------------
Hello. I've found a small issue, but it is important for security.

Some websites will force you to use SNI. For example "httpbin.org".

~~~ text
openssl s_client -connect httpbin.org:443
~~~
> tlsv1 alert internal error

~~~ text
openssl s_client -connect httpbin.org:443 -servername httpbin.org
~~~
> ok

~~~ ruby
require "openssl"
require "socket"

HOST = "httpbin.org"

class SSL < OpenSSL::SSL::SSLSocket
  def initialize *args
    super
    @hostname = HOST
  end
end

socket = TCPSocket.open HOST, 443

begin
  ssl_socket = SSL.new socket, OpenSSL::SSL::SSLContext.new

  begin
    ssl_socket.connect
    puts "connected"
  ensure
    ssl_socket.close
  end

ensure
  socket.close
end
~~~

This code works fine with any ruby 2.0-2.3 and rubinius, but it failed with 2.4.0 and 2.4.1.

I can see that you've removed accessor from **lib/ruby/2.4.0/openssl/ssl.rb**:

~~~ ruby
if ExtConfig::HAVE_TLSEXT_HOST_NAME
  attr_reader :hostname
end
~~~

**ext/openssl/ossl_ssl.c**:

~~~ c
#ifdef HAVE_SSL_SET_TLSEXT_HOST_NAME
    /* #hostname is defined in lib/openssl/ssl.rb */
    rb_define_method(cSSLSocket, "hostname=", ossl_ssl_set_hostname, 1);
#endif
~~~

So we have to use **self.hostname = HOST** instead of **@hostname = HOST**.

Please document this new behaviour in documentation. Thank you.



-- 
https://bugs.ruby-lang.org/

Unsubscribe: <mailto:ruby-core-request@ruby-lang.org?subject=unsubscribe>
<http://lists.ruby-lang.org/cgi-bin/mailman/options/ruby-core>