Verify hostnames in TLS connections

This is done in connect_ldaps() and start_tls(), and calls
IO::Socket::SSL's verify_hostname method.

The default (for backwards compatibility?) is to not check, but pass
check => 1 if you want checking.

Signed-off-by: chrisridd@mac.com
commit 4dc845edb6edfb5dc8d9b949aba1e03f944beab4 (1 parent: dfd757f)
Chris Ridd (chrisridd) authored, gbarr committed

Showing 3 changed files with 23 additions and 3 deletions.

  1. +14 −2 lib/Net/LDAP.pm
  2. +7 −1 lib/Net/LDAP.pod
  3. +2 −0 lib/Net/LDAPS.pm
16 lib/Net/LDAP.pm
@@ -184,6 +184,11 @@ sub connect_ldaps {
184 184 _SSL_context_init_args($arg)
185 185 ) or return undef;
186 186
  187 + if ($arg->{'check'} &&
  188 + $ldap->{'net_ldap_socket'}->verify_hostname( $host, 'ldap' )) {
  189 + $ldap->disconnect();
  190 + return undef;
  191 + }
187 192 $ldap->{net_ldap_host} = $host;
188 193 $ldap->{net_ldap_port} = $port;
189 194 }
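Review bot: the condition on lines 187-188 is inverted. IO::Socket::SSL's verify_hostname returns true when the certificate's name matches $host, so `if ($arg->{'check'} && ...->verify_hostname( $host, 'ldap' ))` disconnects exactly the connections whose name verified and keeps the ones that failed; the test needs to be `!$ldap->{'net_ldap_socket'}->verify_hostname( $host, 'ldap' )`. A bare `return undef` also gives the caller no way to tell a name mismatch from the SSL setup failure on line 185, since verify_hostname only returns a boolean and sets no error; recording the reason before disconnecting would let users distinguish the two.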
@@ -1034,8 +1039,15 @@ sub start_tls {
1034 1039 IO::Socket::SSL::context_init( { _SSL_context_init_args($arg) } );
1035 1040 my $sock_class = ref($sock);
1036 1041
1037   - return $mesg
1038   - if IO::Socket::SSL->start_SSL($sock, {_SSL_context_init_args($arg)});
  1042 + if (IO::Socket::SSL->start_SSL($sock, {_SSL_context_init_args($arg)})) {
  1043 + my $host = $ldap->{'net_ldap_host'};
  1044 + if ($arg->{'check'} &&
  1045 + $sock->{'net_ldap_socket'}->verify_hostname( $host, 'ldap' )) {
  1046 + $ldap->disconnect();
  1047 + return undef;
  1048 + }
  1049 + return $mesg;
  1050 + }
1039 1051
1040 1052 my $err = $@ || $IO::Socket::SSL::SSL_ERROR || $IO::Socket::SSL::SSL_ERROR || ''; # avoid use on once warning
1041 1053
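Review bot: line 1045 calls verify_hostname on `$sock->{'net_ldap_socket'}`, but $sock is the socket itself (line 1040 takes ref($sock) and line 1042 passes it to start_SSL), so that hash slot is undefined and the call dies with "Can't call method verify_hostname on an undefined value" whenever check is set; it should read `$sock->verify_hostname( $host, 'ldap' )`. The same inversion as in connect_ldaps applies here: the code has to disconnect when verify_hostname returns false, not true. Finally, start_tls otherwise returns $mesg, so returning undef on a name mismatch changes the return type callers test; setting an error on $mesg and returning it, as the existing failure path below does with $err, would be consistent.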
8 lib/Net/LDAP.pod
@@ -169,7 +169,7 @@ If it resolves to an IPv4 address, the connection is tried using IPv4,
169 169 the same way as if this option was not given.
170 170
171 171 Please note that IPv6 support is considered experimental in
172   -IO::Socket::SSL, which is used of SSL/TLS support, and there are a few
  172 +IO::Socket::SSL, which is used for SSL/TLS support, and there are a few
173 173 issues to take care of. See L<IO::Socket::SSL/IPv6> for details.
174 174
175 175 =back
@@ -755,6 +755,12 @@ The server must provide a certificate, and it must be valid.
755 755 If you set verify to optional or require, you must also set either
756 756 cafile or capath. The most secure option is B<require>.
757 757
  758 +=item check =E<gt> 1 | 0
  759 +
  760 +This controls whether the name in the server's certificate is checked
  761 +against the hostname you tried to connect to. The default is to not
  762 +check. The most secure option is B<1>.
  763 +
758 764 =item sslversion =E<gt> 'sslv2' | 'sslv3' | 'sslv2/3' | 'tlsv1'
759 765
760 766 This defines the version of the SSL/TLS protocol to use. Defaults to
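Review bot: the new =item check entry should state what happens when the check fails (the connection is dropped and the call returns undef) and that the name is matched with IO::Socket::SSL's verify_hostname using its 'ldap' scheme, so readers know which matching rules apply. It should also say that check is only meaningful together with verify => 'require': a matching name on a certificate whose chain was never validated proves nothing about who presented it. The synopsis changes in LDAPS.pm already pair the two options, and the sentence above ("The most secure option is B<require>") is the natural place to point to.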
2  lib/Net/LDAPS.pm
@@ -29,6 +29,7 @@ Net::LDAPS - use LDAP over an SSL connection
29 29 $ldaps = Net::LDAPS->new('myhost.example.com',
30 30 port => '10000',
31 31 verify => 'require',
  32 + check => 1,
32 33 capath => '/usr/local/cacerts/');
33 34
34 35 # alternate way
@@ -36,6 +37,7 @@ Net::LDAPS - use LDAP over an SSL connection
36 37
37 38 $ldaps = Net::LDAP->new('ldaps://myhost.example.com:10000',
38 39 verify => 'require',
  40 + check => 1,
39 41 capath => '/usr/local/cacerts/');
40 42
41 43 =head1 DESCRIPTION
