In Files
- openssl/lib/openssl/ssl.rb
- openssl/ossl.c
Namespace
- MODULE OpenSSL::SSL::SocketForwarder
- CLASS OpenSSL::SSL::SSLContext
- CLASS OpenSSL::SSL::SSLError
- CLASS OpenSSL::SSL::SSLErrorWaitReadable
- CLASS OpenSSL::SSL::SSLErrorWaitWritable
- CLASS OpenSSL::SSL::SSLServer
- CLASS OpenSSL::SSL::SSLSocket
- CLASS OpenSSL::SSL::Session
Methods
Class/Module Index
![[+]](../images/find.png "show/hide quicksearch")
- IO
- IO::WaitReadable
- IO::WaitWritable
- Integer
- OpenSSL
- OpenSSL::ASN1
- OpenSSL::ASN1::ASN1Data
- OpenSSL::ASN1::ASN1Error
- OpenSSL::ASN1::Constructive
- OpenSSL::ASN1::ObjectId
- OpenSSL::ASN1::Primitive
- OpenSSL::BN
- OpenSSL::BNError
- OpenSSL::Buffering
- OpenSSL::Cipher
- OpenSSL::Cipher::Cipher
- OpenSSL::Cipher::CipherError
- OpenSSL::Config
- OpenSSL::ConfigError
- OpenSSL::Digest
- OpenSSL::Digest::DigestError
- OpenSSL::Engine
- OpenSSL::Engine::EngineError
- OpenSSL::ExtConfig
- OpenSSL::HMAC
- OpenSSL::HMACError
- OpenSSL::KDF
- OpenSSL::KDF::KDFError
- OpenSSL::Netscape
- OpenSSL::Netscape::SPKI
- OpenSSL::Netscape::SPKIError
- OpenSSL::OCSP
- OpenSSL::OCSP::BasicResponse
- OpenSSL::OCSP::CertificateId
- OpenSSL::OCSP::OCSPError
- OpenSSL::OCSP::Request
- OpenSSL::OCSP::Response
- OpenSSL::OCSP::SingleResponse
- OpenSSL::OpenSSLError
- OpenSSL::PKCS12
- OpenSSL::PKCS12::PKCS12Error
- OpenSSL::PKCS5
- OpenSSL::PKCS7
- OpenSSL::PKCS7::PKCS7Error
- OpenSSL::PKCS7::RecipientInfo
- OpenSSL::PKCS7::SignerInfo
- OpenSSL::PKey
- OpenSSL::PKey::DH
- OpenSSL::PKey::DHError
- OpenSSL::PKey::DSA
- OpenSSL::PKey::DSAError
- OpenSSL::PKey::EC
- OpenSSL::PKey::EC::Group
- OpenSSL::PKey::EC::Group::Error
- OpenSSL::PKey::EC::Point
- OpenSSL::PKey::EC::Point::Error
- OpenSSL::PKey::ECError
- OpenSSL::PKey::PKey
- OpenSSL::PKey::PKeyError
- OpenSSL::PKey::RSA
- OpenSSL::PKey::RSAError
- OpenSSL::Random
- OpenSSL::Random::RandomError
- OpenSSL::SSL
- OpenSSL::SSL::SSLContext
- OpenSSL::SSL::SSLError
- OpenSSL::SSL::SSLErrorWaitReadable
- OpenSSL::SSL::SSLErrorWaitWritable
- OpenSSL::SSL::SSLServer
- OpenSSL::SSL::SSLSocket
- OpenSSL::SSL::Session
- OpenSSL::SSL::Session::SessionError
- OpenSSL::SSL::SocketForwarder
- OpenSSL::X509
- OpenSSL::X509::Attribute
- OpenSSL::X509::AttributeError
- OpenSSL::X509::CRL
- OpenSSL::X509::CRLError
- OpenSSL::X509::Certificate
- OpenSSL::X509::CertificateError
- OpenSSL::X509::Extension
- OpenSSL::X509::ExtensionError
- OpenSSL::X509::ExtensionFactory
- OpenSSL::X509::Name
- OpenSSL::X509::Name::RFC2253DN
- OpenSSL::X509::NameError
- OpenSSL::X509::Request
- OpenSSL::X509::RequestError
- OpenSSL::X509::Revoked
- OpenSSL::X509::RevokedError
- OpenSSL::X509::Store
- OpenSSL::X509::StoreContext
- OpenSSL::X509::StoreError
OpenSSL::SSL
Use SSLContext to set up the parameters for a TLS (former SSL) connection. Both client and server TLS connections are supported, SSLSocket and SSLServer may be used in conjunction with an instance of SSLContext to set up connections.
Constants
- OP_ALL
- OP_ALLOW_NO_DHE_KEX
- OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
- OP_CIPHER_SERVER_PREFERENCE
- OP_CISCO_ANYCONNECT
- OP_COOKIE_EXCHANGE
- OP_CRYPTOPRO_TLSEXT_BUG
- OP_DONT_INSERT_EMPTY_FRAGMENTS
- OP_EPHEMERAL_RSA
Deprecated in
OpenSSL1.0.1k and 1.0.2.- OP_LEGACY_SERVER_CONNECT
- OP_MICROSOFT_BIG_SSLV3_BUFFER
Deprecated in
OpenSSL1.1.0.- OP_MICROSOFT_SESS_ID_BUG
Deprecated in
OpenSSL1.1.0.- OP_MSIE_SSLV2_RSA_PADDING
Deprecated in
OpenSSL0.9.7h and 0.9.8b.- OP_NETSCAPE_CA_DN_BUG
Deprecated in
OpenSSL1.1.0.- OP_NETSCAPE_CHALLENGE_BUG
Deprecated in
OpenSSL1.1.0.- OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
Deprecated in
OpenSSL1.1.0.- OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
Deprecated in
OpenSSL0.9.8q and 1.0.0c.- OP_NO_COMPRESSION
- OP_NO_ENCRYPT_THEN_MAC
- OP_NO_QUERY_MTU
- OP_NO_RENEGOTIATION
- OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
- OP_NO_SSLv2
Deprecated in
OpenSSL1.1.0.- OP_NO_SSLv3
- OP_NO_TICKET
- OP_NO_TLSv1
- OP_NO_TLSv1_1
- OP_NO_TLSv1_2
- OP_NO_TLSv1_3
- OP_PKCS1_CHECK_1
Deprecated in
OpenSSL1.0.1.- OP_PKCS1_CHECK_2
Deprecated in
OpenSSL1.0.1.- OP_SAFARI_ECDHE_ECDSA_BUG
- OP_SINGLE_DH_USE
Deprecated in
OpenSSL1.1.0.- OP_SINGLE_ECDH_USE
Deprecated in
OpenSSL1.1.0.- OP_SSLEAY_080_CLIENT_DH_BUG
Deprecated in
OpenSSL1.1.0.- OP_SSLREF2_REUSE_CERT_TYPE_BUG
Deprecated in
OpenSSL1.0.1h and 1.0.2.- OP_TLSEXT_PADDING
- OP_TLS_BLOCK_PADDING_BUG
Deprecated in
OpenSSL1.1.0.- OP_TLS_D5_BUG
Deprecated in
OpenSSL1.1.0.- OP_TLS_ROLLBACK_BUG
- SSL2_VERSION
SSL2.0- SSL3_VERSION
SSL3.0- TLS1_1_VERSION
TLS 1.1
- TLS1_2_VERSION
TLS 1.2
- TLS1_3_VERSION
TLS 1.3
- TLS1_VERSION
TLS 1.0
- VERIFY_CLIENT_ONCE
- VERIFY_FAIL_IF_NO_PEER_CERT
- VERIFY_NONE
- VERIFY_PEER
Public Class Methods
verify_certificate_identity(cert, hostname)
click to toggle source
# File openssl/lib/openssl/ssl.rb, line 263
def verify_certificate_identity(cert, hostname)
should_verify_common_name = true
cert.extensions.each{|ext|
next if ext.oid != "subjectAltName"
ostr = OpenSSL::ASN1.decode(ext.to_der).value.last
sequence = OpenSSL::ASN1.decode(ostr.value)
sequence.value.each{|san|
case san.tag
when 2 # dNSName in GeneralName (RFC5280)
should_verify_common_name = false
return true if verify_hostname(hostname, san.value)
when 7 # iPAddress in GeneralName (RFC5280)
should_verify_common_name = false
if san.value.size == 4 || san.value.size == 16
begin
return true if san.value == IPAddr.new(hostname).hton
rescue IPAddr::InvalidAddressError
end
end
end
}
}
if should_verify_common_name
cert.subject.to_a.each{|oid, value|
if oid == "CN"
return true if verify_hostname(hostname, value)
end
}
end
return false
end