Skip to content

Commit

Permalink
don't warn about TLS host verification when verify_peer is explicitly…
Browse files Browse the repository at this point in the history
… false (#341)

* Don't warn about TLS hostname verification if verify_peer was explicitly set to false
* As long as I had one spec... figured a couple others couldn't hurt
* Reuse the warning string.
  • Loading branch information
aharbick authored Jun 15, 2020
1 parent 4d69fac commit 157d5ff
Show file tree
Hide file tree
Showing 2 changed files with 53 additions and 2 deletions.
2 changes: 1 addition & 1 deletion lib/em-http/http_connection.rb
Original file line number Diff line number Diff line change
Expand Up @@ -64,7 +64,7 @@ def ssl_verify_peer(cert_string)
def ssl_handshake_completed
unless verify_peer?
warn "[WARNING; em-http-request] TLS hostname validation is disabled (use 'tls: {verify_peer: true}'), see" +
" CVE-2020-13482 and https://github.com/igrigorik/em-http-request/issues/339 for details"
" CVE-2020-13482 and https://github.com/igrigorik/em-http-request/issues/339 for details" unless parent.connopts.tls.has_key?(:verify_peer)
return true
end

Expand Down
53 changes: 52 additions & 1 deletion spec/ssl_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,6 @@
requires_connection do

describe EventMachine::HttpRequest do

it "should initiate SSL/TLS on HTTPS connections" do
EventMachine.run {
http = EventMachine::HttpRequest.new('https://mail.google.com:443/mail/').get
Expand All @@ -15,6 +14,58 @@
}
}
end

describe "TLS hostname verification" do
before do
@cve_warning = "[WARNING; em-http-request] TLS hostname validation is disabled (use 'tls: {verify_peer: true}'), see" +
" CVE-2020-13482 and https://github.com/igrigorik/em-http-request/issues/339 for details"
@orig_stderr = $stderr
$stderr = StringIO.new
end

after do
$stderr = @orig_stderr
end

it "should not warn if verify_peer is specified" do
EventMachine.run {
http = EventMachine::HttpRequest.new('https://mail.google.com:443/mail', {tls: {verify_peer: false}}).get

http.callback {
$stderr.rewind
$stderr.string.chomp.should_not eq(@cve_warning)

EventMachine.stop
}
}
end

it "should not warn if verify_peer is true" do
EventMachine.run {
http = EventMachine::HttpRequest.new('https://mail.google.com:443/mail', {tls: {verify_peer: true}}).get

http.callback {
$stderr.rewind
$stderr.string.chomp.should_not eq(@cve_warning)

EventMachine.stop
}
}
end

it "should warn if verify_peer is unspecified" do
EventMachine.run {
http = EventMachine::HttpRequest.new('https://mail.google.com:443/mail').get

http.callback {
$stderr.rewind
$stderr.string.chomp.should eq(@cve_warning)

EventMachine.stop
}
}
end
end
end

end

0 comments on commit 157d5ff

Please sign in to comment.