Release 0.18.0 prevents connection when verify_mode is set to OpenSSL::SSL::VERIFY_PEER

[jpwilksch]

net-ldap version 0.18.0
LDAP server version: Windows Active Directory (unsure of specific version)
OpenSSL version: OpenSSL 1.0.2k-fips 26 Jan 2017

I upgraded from net-ldap v0.17.1 to 0.18.0 to find our Rails app could no longer connect to our LDAP server:

[FATAL] Net::LDAP::ConnectionError (Unable to connect to any given server: 
17:45:24 web.1       |   OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 peeraddr=192.168.162.22:636 state=error: certificate verify failed (Hostname mismatch) (host1.ourdomain.com:636)
17:45:24 web.1       |   OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 peeraddr=192.168.163.22:636 state=error: certificate verify failed (Hostname mismatch) (host2.ourdomain.com:636)
17:45:24 web.1       |   OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 peeraddr=192.168.161.22:636 state=error: certificate verify failed (Hostname mismatch) (host3.ourdomain.com:636)):

Our (unchanged) LDAP configuration uses an array of hosts, like this:

  hosts: [['host1.ourdomain.com', 636], ['host2.ourdomain.com', 636], ['host3.ourdomain.com', 636]],
  connect_timeout: 2,
  encryption: {
    method: :simple_tls,
    tls_options: {
      ca_file: '/etc/pki/tls/certs/our-ca-chain.pem',
      verify_mode: OpenSSL::SSL::VERIFY_PEER
    }
  },

Investigation showed the certificate CN of each host did actually match its hostname. It also showed the application was able to connect to each of these hosts when configured directly as a single server:

  host: 'host1.ourdomain.com',
  port: 636,

Other workarounds I identified:

• Setting verify_mode=OpenSSL::SSL::VERIFY_NONE, though this is not recommended
• Reverting net-ldap to v0.17.1

[alexjfisher]

I think this should be fixed in #417