Resolve peer verification issues when using TLS over a proxy (#351)

dariushoule-stripe · igrigorik · web-flow · commit ce363a745edb · 2024-11-09T21:42:53.000-08:00
Co-authored-by: Ilya Grigorik &lt;ilya@igvita.com&gt;
diff --git a/lib/em-http/http_connection.rb b/lib/em-http/http_connection.rb
@@ -55,6 +55,8 @@ def ssl_verify_peer(cert_string)
         rescue OpenSSL::X509::StoreError => e
           raise e unless e.message == 'cert already in hash table'
         end
+      else
+        raise OpenSSL::SSL::SSLError.new(%(unable to verify the server certificate for "#{sni_hostname}"))
       end
 
       true
@@ -68,8 +70,8 @@ def ssl_handshake_completed
       end
 
       unless certificate_store.verify(@last_seen_cert) &&
-             OpenSSL::SSL.verify_certificate_identity(@last_seen_cert, host)
-        raise OpenSSL::SSL::SSLError.new(%(host "#{host}" does not match the server certificate))
+             OpenSSL::SSL.verify_certificate_identity(@last_seen_cert, sni_hostname)
+        raise OpenSSL::SSL::SSLError.new(%(host "#{sni_hostname}" does not match the server certificate))
       else
         true
       end
@@ -83,6 +85,10 @@ def host
       parent.connopts.host
     end
 
+    def sni_hostname
+      parent.connopts.tls[:sni_hostname]
+    end
+
     def certificate_store
       @certificate_store ||= begin
         store = OpenSSL::X509::Store.new
