
Verify hostnames in TLS connections

This is done in connect_ldaps() and start_tls(), and calls
IO::Socket::SSL's verify_hostname method.

The default (for backwards compatibility?) is to not check, but pass
check => 1 if you want checking.

Signed-off-by: chrisridd@mac.com
1 parent dfd757f commit 4dc845edb6edfb5dc8d9b949aba1e03f944beab4 @chrisridd chrisridd committed with gbarr Apr 5, 2010
Showing with 23 additions and 3 deletions.
  1. +14 −2 lib/Net/LDAP.pm
  2. +7 −1 lib/Net/LDAP.pod
  3. +2 −0 lib/Net/LDAPS.pm
16 lib/Net/LDAP.pm
@@ -184,6 +184,11 @@ sub connect_ldaps {
_SSL_context_init_args($arg)
) or return undef;
+ if ($arg->{'check'} &&
+ $ldap->{'net_ldap_socket'}->verify_hostname( $host, 'ldap' )) {
+ $ldap->disconnect();
+ return undef;
+ }
$ldap->{net_ldap_host} = $host;
$ldap->{net_ldap_port} = $port;
}
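Review bot: the sense of the new check in connect_ldaps is inverted. IO::Socket::SSL's verify_hostname returns true when the certificate matches the hostname, so `if ($arg->{'check'} && ...->verify_hostname( $host, 'ldap' ))` disconnects exactly when verification succeeds and keeps the connection when it fails. The condition should be negated, e.g. `!$ldap->{'net_ldap_socket'}->verify_hostname( $host, 'ldap' )`. It would also help callers to set a reason (for example in `$@`) before `return undef`, so a hostname mismatch can be told apart from an ordinary connect failure.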
@@ -1034,8 +1039,15 @@ sub start_tls {
IO::Socket::SSL::context_init( { _SSL_context_init_args($arg) } );
my $sock_class = ref($sock);
- return $mesg
- if IO::Socket::SSL->start_SSL($sock, {_SSL_context_init_args($arg)});
+ if (IO::Socket::SSL->start_SSL($sock, {_SSL_context_init_args($arg)})) {
+ my $host = $ldap->{'net_ldap_host'};
+ if ($arg->{'check'} &&
+ $sock->{'net_ldap_socket'}->verify_hostname( $host, 'ldap' )) {
+ $ldap->disconnect();
+ return undef;
+ }
+ return $mesg;
+ }
my $err = $@ || $IO::Socket::SSL::SSL_ERROR || $IO::Socket::SSL::SSL_ERROR || ''; # avoid use on once warning
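Review bot: `$sock->{'net_ldap_socket'}` in the start_tls branch looks wrong: `$sock` is already the socket object that start_SSL upgraded in place (see `my $sock_class = ref($sock);` just above), so it has no `net_ldap_socket` key and the method call would be made on undef. It should read `$sock->verify_hostname( $host, 'ldap' )`. The same inverted condition as in connect_ldaps applies here (verify_hostname returns true on a match, so the disconnect fires on success). Also, `return undef` changes the method's contract: start_tls otherwise returns `$mesg`, a Net::LDAP::Message, so callers that inspect the result will break on a mismatch; returning the message with an error set would be more consistent.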
8 lib/Net/LDAP.pod
@@ -169,7 +169,7 @@ If it resolves to an IPv4 address, the connection is tried using IPv4,
the same way as if this option was not given.
Please note that IPv6 support is considered experimental in
-IO::Socket::SSL, which is used of SSL/TLS support, and there are a few
+IO::Socket::SSL, which is used for SSL/TLS support, and there are a few
issues to take care of. See L<IO::Socket::SSL/IPv6> for details.
=back
@@ -755,6 +755,12 @@ The server must provide a certificate, and it must be valid.
If you set verify to optional or require, you must also set either
cafile or capath. The most secure option is B<require>.
+=item check =E<gt> 1 | 0
+
+This controls whether the name in the server's certificate is checked
+against the hostname you tried to connect to. The default is to not
+check. The most secure option is B<1>.
+
=item sslversion =E<gt> 'sslv2' | 'sslv3' | 'sslv2/3' | 'tlsv1'
This defines the version of the SSL/TLS protocol to use. Defaults to
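Review bot: the new `check` entry should state that the hostname check is only meaningful together with `verify => 'require'` (or at least a verified chain): matching the name in an unverified certificate gives no protection, since any party can present a certificate carrying that name. It should also document what happens on a mismatch (per the code, the connection is dropped and undef is returned), and since the default is off, a sentence noting that a mismatched name is accepted unless `check => 1` is set would make clear to existing users of `verify` that they are not yet covered.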
2 lib/Net/LDAPS.pm
@@ -29,13 +29,15 @@ Net::LDAPS - use LDAP over an SSL connection
$ldaps = Net::LDAPS->new('myhost.example.com',
port => '10000',
verify => 'require',
+ check => 1,
capath => '/usr/local/cacerts/');
# alternate way
use Net::LDAP;
$ldaps = Net::LDAP->new('ldaps://myhost.example.com:10000',
verify => 'require',
+ check => 1,
capath => '/usr/local/cacerts/');
=head1 DESCRIPTION
