ssl: initialize verify_mode and verify_hostname with default values

SSLContext's verify_mode expects an SSL_VERIFY_* constant (an integer) and verify_hostname expects either true or false. However, they are set to nil after calling OpenSSL::SSL::SSLContext.new, which is surprising. Set a proper value to them by default: verify_mode is set to OpenSSL::SSL::VERIFY_NONE and verify_hostname is set to false by default. Note that this does not change the default behavior. The certificate verification was never performed unless verify_mode is set to OpenSSL::SSL::VERIFY_PEER by a user. The same applies to verify_hostname.
ruby · Jul 18, 2020 · 87d8693 · 87d8693
1 parent 1ccdc05
commit 87d8693
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 0 deletions.
diff --git a/lib/openssl/ssl.rb b/lib/openssl/ssl.rb
@@ -122,6 +122,8 @@ class SSLContext
       def initialize(version = nil)
         self.options |= OpenSSL::SSL::OP_ALL
         self.ssl_version = version if version
+        self.verify_mode = OpenSSL::SSL::VERIFY_NONE
+        self.verify_hostname = false
       end
 
       ##

diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb
@@ -246,6 +246,11 @@ def test_copy_stream
     end
   end
 
+  def test_verify_mode_default
+    ctx = OpenSSL::SSL::SSLContext.new
+    assert_equal OpenSSL::SSL::VERIFY_NONE, ctx.verify_mode
+  end
+
   def test_verify_mode_server_cert
     start_server(ignore_listener_error: true) { |port|
       populated_store = OpenSSL::X509::Store.new
@@ -919,6 +924,7 @@ def test_verify_hostname_on_connect
 
     start_server(ctx_proc: ctx_proc, ignore_listener_error: true) do |port|
       ctx = OpenSSL::SSL::SSLContext.new
+      assert_equal false, ctx.verify_hostname
       ctx.verify_hostname = true
       ctx.cert_store = OpenSSL::X509::Store.new
       ctx.cert_store.add_cert(@ca_cert)