Enable SSL verification by default

By requiring versions of em-http-request and faye-websocket that support SSL verification, we can now enable `:verify_peer` by default across both transports. We also need to give the user an escape hatch for turning this off, so Faye::Client now accepts a `:tls` option. The `:sni_hostname` code has been removed as both libraries set this themselves from the request URI.
faye · Jul 31, 2020 · 66ce1a1 · 66ce1a1
1 parent 6d20cb7
commit 66ce1a1
Show file tree

Hide file tree

Showing 6 changed files with 9 additions and 5 deletions.
diff --git a/faye.gemspec b/faye.gemspec
@@ -24,7 +24,7 @@ Gem::Specification.new do |s|
   s.add_dependency 'cookiejar', '>= 0.3.0'
   s.add_dependency 'em-http-request', '>= 1.1.6'
   s.add_dependency 'eventmachine', '>= 0.12.0'
-  s.add_dependency 'faye-websocket', '>= 0.9.1'
+  s.add_dependency 'faye-websocket', '>= 0.11.0'
   s.add_dependency 'multi_json', '>= 1.0.0'
   s.add_dependency 'rack', '>= 1.0.0'
   s.add_dependency 'websocket-driver', '>= 0.5.1'

diff --git a/lib/faye/protocol/client.rb b/lib/faye/protocol/client.rb
@@ -21,7 +21,7 @@ class Client
     def_delegators :@dispatcher, :add_websocket_extension, :disable, :set_header
 
     def initialize(endpoint = nil, options = {})
-      ::WebSocket::Driver.validate_options(options, [:interval, :timeout, :endpoints, :proxy, :retry, :scheduler, :websocket_extensions])
+      ::WebSocket::Driver.validate_options(options, [:interval, :timeout, :endpoints, :proxy, :retry, :scheduler, :websocket_extensions, :tls])
       super()
       info('New client created for ?', endpoint)
 

diff --git a/lib/faye/protocol/dispatcher.rb b/lib/faye/protocol/dispatcher.rb
@@ -16,7 +16,8 @@ class Envelope < Struct.new(:message, :scheduler, :request, :timer)
     def_delegators :@transport, :connection_type
 
     attr_accessor :client_id, :timeout
-    attr_reader   :cookies, :endpoint, :headers, :max_request_size, :proxy, :retry, :transports, :ws_extensions
+    attr_reader   :endpoint, :tls, :headers, :cookies, :proxy, :retry
+    attr_reader   :max_request_size, :transports, :ws_extensions
 
     def initialize(client, endpoint, options)
       super()
@@ -42,6 +43,8 @@ def initialize(client, endpoint, options)
         add_websocket_extension(extension)
       end
 
+      @tls = { :verify_peer => true }.merge(options[:tls] || {})
+
       @alternates.each do |type, url|
         @alternates[type] = URI(url)
       end

diff --git a/lib/faye/transport/http.rb b/lib/faye/transport/http.rb
@@ -49,7 +49,7 @@ def build_params(content)
     def create_request(params)
       options = {
         :inactivity_timeout => 0,
-        :tls => { :sni_hostname => @endpoint.hostname }
+        :tls => @dispatcher.tls
       }
 
       if @proxy[:origin]

diff --git a/lib/faye/transport/web_socket.rb b/lib/faye/transport/web_socket.rb
@@ -72,7 +72,7 @@ def connect
         :extensions => extensions,
         :headers    => headers,
         :proxy      => @proxy,
-        :tls        => { :sni_hostname => url.hostname }
+        :tls        => @dispatcher.tls
       }
 
       socket = Faye::WebSocket::Client.new(url.to_s, [], options)

diff --git a/spec/ruby/transport_spec.rb b/spec/ruby/transport_spec.rb
@@ -12,6 +12,7 @@
                         :cookies          => CookieJar::Jar.new,
                         :headers          => {},
                         :proxy            => {},
+                        :tls              => { :verify_peer => true },
                         :transports       => {},
                         :ws_extensions    => [])
   end