diff --git a/lib/net/ldap/connection.rb b/lib/net/ldap/connection.rb
index f1a70b18..746a21d9 100644
--- a/lib/net/ldap/connection.rb
+++ b/lib/net/ldap/connection.rb
@@ -53,8 +53,10 @@ def open_connection(server)
 prepare_socket(server.merge(socket: @socket_class.new(host, port, socket_opts)), timeout, host)
 if encryption
 if encryption[:tls_options] &&
- encryption[:tls_options][:verify_mode] &&
- encryption[:tls_options][:verify_mode] == OpenSSL::SSL::VERIFY_NONE
+ (encryption[:tls_options][:verify_mode] &&
+ encryption[:tls_options][:verify_mode] == OpenSSL::SSL::VERIFY_NONE ||
+ encryption[:tls_options].key?(:verify_hostname) &&
+ encryption[:tls_options][:verify_hostname] == false)
 warn "not verifying SSL hostname of LDAPS server '#{host}:#{port}'"
 else
 @conn.post_connection_check(host)
diff --git a/test/integration/test_bind.rb b/test/integration/test_bind.rb
index 4a1a0194..6942bcfa 100644
--- a/test/integration/test_bind.rb
+++ b/test/integration/test_bind.rb
@@ -47,6 +47,34 @@ def test_bind_tls_with_cafile
 @ldap.get_operation_result.inspect
 end
 
+ def test_bind_tls_with_bad_hostname_no_verify_hostname_no_ca_passes
+ omit_unless TLS_OPTS.key?(:verify_hostname)
+
+ @ldap.host = '127.0.0.1'
+ @ldap.encryption(
+ method: :start_tls,
+ tls_options: { verify_mode: OpenSSL::SSL::VERIFY_PEER,
+ verify_hostname: false,
+ ca_file: CA_FILE },
+ )
+ assert @ldap.bind(BIND_CREDS),
+ @ldap.get_operation_result.inspect
+ end
+
+ def test_bind_tls_with_bad_hostname_no_verify_hostname_no_ca_opt_merge_passes
+ omit_unless TLS_OPTS.key?(:verify_hostname)
+
+ @ldap.host = '127.0.0.1'
+ @ldap.encryption(
+ method: :start_tls,
+ tls_options: TLS_OPTS.merge(verify_mode: OpenSSL::SSL::VERIFY_PEER,
+ verify_hostname: false,
+ ca_file: CA_FILE),
+ )
+ assert @ldap.bind(BIND_CREDS),
+ @ldap.get_operation_result.inspect
+ end
+
 def test_bind_tls_with_bad_hostname_verify_none_no_ca_passes
 @ldap.host = INTEGRATION_HOSTNAME
 @ldap.encryption(
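Review bot: Both truthiness guards in the new condition are redundant and make the parenthesized `&&`/`||` mix in open_connection harder to audit: `nil == OpenSSL::SSL::VERIFY_NONE` and `nil == false` are both false already, and because `VERIFY_NONE` is `0` (truthy in Ruby) the `[:verify_mode] &&` guard never filters anything. The branch reads more plainly as `opts = encryption[:tls_options]` followed by `if opts && (opts[:verify_mode] == OpenSSL::SSL::VERIFY_NONE || opts[:verify_hostname] == false)`. The single `warn` now covers two different configurations — `VERIFY_NONE` turns off certificate verification altogether, whereas, as far as this hunk shows, `verify_hostname: false` only causes `post_connection_check` to be skipped while the chain is still verified — so distinct messages would let an operator reading logs tell which of the two is in effect. open_connection begins before the hunk and continues after it.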
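Review bot: The two new test names say `no_ca`, but both pass `ca_file: CA_FILE` together with `verify_mode: OpenSSL::SSL::VERIFY_PEER`, so the names describe the opposite of the setup they build; names such as `test_bind_tls_with_bad_hostname_verify_hostname_false_with_ca_passes` (and the `_opt_merge_` variant) would match what is exercised. Both tests cover only the success path: a companion test that keeps `verify_hostname: false` but omits or replaces `ca_file` and asserts that `bind` fails would confirm that chain verification stays in force when only the hostname check is disabled. The `omit_unless TLS_OPTS.key?(:verify_hostname)` guard presumably skips both tests wherever the SSL context does not expose that option, which leaves the new connection.rb branch unexercised there — worth a comment on the guard. The two bodies differ only in how `tls_options` is built, so a small helper taking the options hash would remove the duplication.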