Verify hostnames in TLS connections

This is done in connect_ldaps() and start_tls(), and calls IO::Socket::SSL's verify_hostname method. The default (for backwards compatibility?) is to not check, but pass check => 1 if you want checking. Signed-off-by: chrisridd@mac.com
perl-ldap · Sep 5, 2011 · 4dc845e · 4dc845e
1 parent dfd757f
commit 4dc845e
Show file tree

Hide file tree

Showing 3 changed files with 23 additions and 3 deletions.
diff --git a/lib/Net/LDAP.pm b/lib/Net/LDAP.pm
@@ -184,6 +184,11 @@ sub connect_ldaps {
     _SSL_context_init_args($arg)
   ) or return undef;
 
+  if ($arg->{'check'} &&
+      $ldap->{'net_ldap_socket'}->verify_hostname( $host, 'ldap' )) {
+      $ldap->disconnect();
+      return undef;
+  }
   $ldap->{net_ldap_host} = $host;
   $ldap->{net_ldap_port} = $port;
 }
@@ -1034,8 +1039,15 @@ sub start_tls {
   IO::Socket::SSL::context_init( { _SSL_context_init_args($arg) } );
   my $sock_class = ref($sock);
 
-  return $mesg
+  if (IO::Socket::SSL->start_SSL($sock, {_SSL_context_init_args($arg)})) {
-    if IO::Socket::SSL->start_SSL($sock, {_SSL_context_init_args($arg)});
+    my $host = $ldap->{'net_ldap_host'};
+    if ($arg->{'check'} &&
+        $sock->{'net_ldap_socket'}->verify_hostname( $host, 'ldap' )) {
+      $ldap->disconnect();
+      return undef;
+    }
+    return $mesg;
+  }
 
   my $err = $@ || $IO::Socket::SSL::SSL_ERROR || $IO::Socket::SSL::SSL_ERROR || ''; # avoid use on once warning
 

diff --git a/lib/Net/LDAP.pod b/lib/Net/LDAP.pod
@@ -169,7 +169,7 @@ If it resolves to an IPv4 address, the connection is tried using IPv4,
 the same way as if this option was not given.
 
 Please note that IPv6 support is considered experimental in
-IO::Socket::SSL, which is used of SSL/TLS support, and there are a few
+IO::Socket::SSL, which is used for SSL/TLS support, and there are a few
 issues to take care of. See L<IO::Socket::SSL/IPv6> for details.
 
 =back
@@ -755,6 +755,12 @@ The server must provide a certificate, and it must be valid.
 If you set verify to optional or require, you must also set either
 cafile or capath. The most secure option is B<require>.
 
+=item check =E<gt> 1 | 0
+
+This controls whether the name in the server's certificate is checked
+against the hostname you tried to connect to. The default is to not
+check. The most secure option is B<1>.
+
 =item sslversion =E<gt> 'sslv2' | 'sslv3' | 'sslv2/3' | 'tlsv1'
 
 This defines the version of the SSL/TLS protocol to use. Defaults to

diff --git a/lib/Net/LDAPS.pm b/lib/Net/LDAPS.pm
@@ -29,13 +29,15 @@ Net::LDAPS - use LDAP over an SSL connection
  $ldaps = Net::LDAPS->new('myhost.example.com',
 			  port => '10000',
 			  verify => 'require',
+			  check => 1,
 			  capath => '/usr/local/cacerts/');
 
  # alternate way
  use Net::LDAP;
 
  $ldaps = Net::LDAP->new('ldaps://myhost.example.com:10000',
 			 verify => 'require',
+			 check => 1,
 			 capath => '/usr/local/cacerts/');
 
 =head1 DESCRIPTION