
Add SslRequirement.sni option to only use SslRequirement.ssl_ports when SNI isn't supported.
1 parent 05461d3 commit 936058d88894745e51097c8d4fe1f10b991b2548 @chewi committed Jul 8, 2010
Showing with 58 additions and 2 deletions.
  1. +1 −1 lib/ssl_requirement.rb
  2. +31 −1 lib/url_rewriter.rb
  3. +26 −0 test/url_rewriter_test.rb
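--- a/lib/ssl_requirement.rb
+++ b/lib/ssl_requirement.rb
@@ -21,7 +21,7 @@
 # OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
 # WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 module SslRequirement
- mattr_accessor :ssl_host, :non_ssl_host, :ssl_ports
+ mattr_accessor :ssl_host, :non_ssl_host, :ssl_ports, :sni
 def self.included(controller)
 controller.extend(ClassMethods)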
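--- a/lib/url_rewriter.rb
+++ b/lib/url_rewriter.rb
@@ -1,3 +1,4 @@
+require 'action_controller/request'
 require 'action_controller/url_rewriter'
 module ActionController
@@ -21,7 +22,7 @@ def rewrite_with_secure_option(options = {})
 end
 # check if a port has been set for this host
- if SslRequirement.ssl_ports
+ if SslRequirement.ssl_ports and not (SslRequirement.sni and @request.supports_sni?)
 host = SslRequirement.ssl_host || @request.host
 port = SslRequirement.ssl_ports[host]
 options.merge! :port => port if port
@@ -53,4 +54,33 @@ def rewrite_with_non_ssl_host(options)
 alias_method_chain :rewrite, :non_ssl_host
 alias_method_chain :rewrite, :secure_option
 end
+
+ class Request
+
+ def supports_sni?
+ return @supports_sni unless @supports_sni.nil?
+ ua = headers['HTTP_USER_AGENT']
+
+ # Konqueror doesn't support SNI at all.
+ return @supports_sni = false if ua =~ /Konqueror/
+
+ # Safari supports SNI from 3.2.1 (525.27.1).
+ return @supports_sni = false if ua =~ /Safari\/([\d.]+)/ and $1.to_f < 525.27
+
+ # Chrome supports SNI from 5.0.342.1.
+ return @supports_sni = false if ua =~ /Chrome\/([\d.]+)/ and Gem::Version.new($1) < Gem::Version.new('5.0.342.1')
+
+ # MSIE supports SNI from 7.
+ return @supports_sni = false if ua =~ /MSIE [1-6]/
+
+ # Other browsers supported SNI long ago or are too obscure.
+ # Assume we're okay if not running Windows or it is Vista or later.
+ return @supports_sni = true if ua !~ /Windows/ or ua =~ /Windows NT 6/
+
+ # This leaves earlier versions of Windows. MSIE, Safari and
+ # Chrome (and probably anything else WebKit-based) require
+ # Vista or later for SNI.
+ return @supports_sni = ua !~ /WebKit/ && ua !~ /MSIE/
+ end
+ end
 end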
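Review bot: In `supports_sni?`, the Chrome branch passes text captured from the client-supplied User-Agent straight to `Gem::Version.new`, which raises `ArgumentError` on a malformed version string (the `[\d.]+` capture also admits runs of dots), so a bad header would surface as an unhandled exception during URL generation. Capturing only well-formed versions avoids that: `ua =~ /Chrome\/(\d+(?:\.\d+)*)/`. The `/MSIE [1-6]/` test also matches two-digit versions that begin with 1 to 6 (for example `MSIE 10.0`); `/MSIE [1-6]\./` would limit it to versions 1 through 6. A request with no User-Agent header appears to fall through to `true`, because `nil !~ /Windows/` holds. Since the header is only advisory, a comment stating that the result is a best-effort hint would help the next reader.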
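--- a/test/url_rewriter_test.rb
+++ b/test/url_rewriter_test.rb
@@ -157,4 +157,30 @@ def test_rewrite_secure_with_non_matching_ssl_port
 SslRequirement.ssl_ports = nil
 end
+ def test_sni_supported
+ [ 'Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/533.2 (KHTML, like Gecko) Chrome/5.0.342.5 Safari/533.2',
+ 'Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_6; es-es) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/3.2.1 Safari/525.27.1',
+ 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; WOW64; SLCC1; .NET CLR 3.0.04506)',
+ 'Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2b5) Gecko/20091204 Firefox/3.6b5'
+ ].each do |ua|
+ @request.headers['HTTP_USER_AGENT'] = ua
+ @request.instance_variable_set(:@supports_sni, nil)
+ assert @request.supports_sni?, "\"#{ua}\" should support SNI"
+ end
+ end
+
+ def test_sni_not_supported
+ [ 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/533.2 (KHTML, like Gecko) Chrome/5.0.342.2 Safari/533.2',
+ 'Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/532.9 (KHTML, like Gecko) Chrome/5.0.309.0 Safari/532.9',
+ 'Mozilla/5.0 (Windows; U; Windows NT 6.0; hu-HU) AppleWebKit/525.26.2 (KHTML, like Gecko) Version/3.2 Safari/525.26.13',
+ 'Mozilla/5.0 (Windows; U; Windows NT 5.1; ja-JP) AppleWebKit/525.27.1 (KHTML, like Gecko) Version/3.2.1 Safari/525.27.1',
+ 'Mozilla/4.0 (Windows; MSIE 6.0; Windows NT 6.0)',
+ 'Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.2; WOW64; .NET CLR 2.0.50727)'
+ ].each do |ua|
+ @request.headers['HTTP_USER_AGENT'] = ua
+ @request.instance_variable_set(:@supports_sni, nil)
+ assert !@request.supports_sni?, "\"#{ua}\" should not support SNI"
+ end
+ end
+
 end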
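Review bot: Both new tests call `supports_sni?` directly, so the changed condition in `rewrite_with_secure_option` is never exercised with `SslRequirement.sni` set. A test that sets `SslRequirement.sni = true` and asserts that `:port` is merged only for a non-SNI User-Agent would cover the behaviour this commit adds. Neither list includes a Konqueror string or a request with no User-Agent header, so those two paths through `supports_sni?` stay untested. Resetting the memo with `instance_variable_set(:@supports_sni, nil)` ties the tests to the ivar name; building a fresh request per User-Agent would avoid that. The enclosing test class starts outside this hunk.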
