Ruby NATS client doesn't verify hostname when connecting over TLS #142
Comments
Still limited to what Eventmachine supports here (eventmachine/eventmachine#814 | faye/faye-websocket-ruby#101 (comment)) so not possible yet. The Pure Ruby NATS client that does not depend on EM does support passing an SSL context directly already so host verification is feasible since ruby/openssl supports it (ruby/openssl#60).
@wallyqs thanks for the info.
Scenario:
1- Create a Custom CA certificate
2- Create the NATS server certificate (signed by the above CA). Make sure to set the CommonName and SAN of the NATS server certificate to something random, for example `nats-is-amazing.com`
3- Start the NATS server (TLS enabled) with the generated cert, and bind it to 127.0.0.1
4- Using the Ruby NATS client, connect to the server over `127.0.0.1`
Actual:
The Ruby NATS client successfully connects to the server
Expectation:
We expect the TLS handshake to fail since the server certificate was signed for `nats-is-amazing.com`
Is there a way of forcing host name checking during the TLS handshake?
Thanks in advance.
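The gap described in this issue, reproduced at the certificate level with ruby/openssl as an added example (not code from the NATS client or from either participant): chain validation against the custom CA succeeds for any dialed address, and only the separate identity check rejects `127.0.0.1`. The in-memory PKI is constructed for the example, and the CA name and the helpers `make_cert`, `peer_checks` and `strict_tls_context` are hypothetical.

```ruby
require "openssl"

# Build a certificate; issuer_cert is nil for the self-signed CA.
def make_cert(subject, key, issuer_cert, issuer_key, extensions)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  extensions.each { |oid, value, critical| cert.add_extension(ef.create_extension(oid, value, critical)) }
  cert.sign(issuer_key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Constructed test PKI mirroring the scenario: a custom CA plus a server
# certificate whose CN and SAN are both nats-is-amazing.com.
CA_KEY = OpenSSL::PKey::RSA.new(2048)
CA_CERT = make_cert("/CN=Example Test CA", CA_KEY, nil, CA_KEY,
                    [["basicConstraints", "CA:TRUE", true], ["keyUsage", "keyCertSign,cRLSign", true]])
SERVER_KEY = OpenSSL::PKey::RSA.new(2048)
SERVER_CERT = make_cert("/CN=nats-is-amazing.com", SERVER_KEY, CA_CERT, CA_KEY,
                        [["subjectAltName", "DNS:nats-is-amazing.com", false]])

# Returns [chain_ok, identity_ok] for the host the client dialed.
def peer_checks(cert, ca_cert, dialed_host)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  [store.verify(cert), OpenSSL::SSL.verify_certificate_identity(cert, dialed_host)]
end

# Context that enforces both checks during the handshake. verify_hostname only
# takes effect once the socket is given the expected name via SSLSocket#hostname=.
def strict_tls_context(ca_cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert_store = store
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.verify_hostname = true
  ctx
end

p peer_checks(SERVER_CERT, CA_CERT, "127.0.0.1")           # chain ok, identity rejected
p peer_checks(SERVER_CERT, CA_CERT, "nats-is-amazing.com") # chain ok, identity ok
```

A client that accepts an SSL context can be given the one returned by `strict_tls_context`, so a certificate issued for a different name fails the handshake instead of being accepted on chain trust alone.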