File: C:/Ruby27-x64/share/doc/ruby/html/OpenSSL/SSL.html
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>module OpenSSL::SSL - RDoc Documentation</title>
<script type="text/javascript">
var rdoc_rel_prefix = "../";
var index_rel_prefix = "../";
</script>
<script src="../js/navigation.js" defer></script>
<script src="../js/search.js" defer></script>
<script src="../js/search_index.js" defer></script>
<script src="../js/searcher.js" defer></script>
<script src="../js/darkfish.js" defer></script>
<link href="../css/fonts.css" rel="stylesheet">
<link href="../css/rdoc.css" rel="stylesheet">
<body id="top" role="document" class="module">
<main role="main" aria-labelledby="module-OpenSSL::SSL">
<h1 id="module-OpenSSL::SSL" class="module">
module OpenSSL::SSL
</h1>
<section class="description">
<p>Use <a href="SSL/SSLContext.html"><code>SSLContext</code></a> to set up the parameters for a TLS (formerly <a href="SSL.html"><code>SSL</code></a>) connection. Both client and server TLS connections are supported; <a href="SSL/SSLSocket.html"><code>SSLSocket</code></a> and <a href="SSL/SSLServer.html"><code>SSLServer</code></a> may be used in conjunction with an instance of <a href="SSL/SSLContext.html"><code>SSLContext</code></a> to set up connections.</p>
</section>
<section id="5Buntitled-5D" class="documentation-section">
<section class="constants-list">
<header>
<h3>Constants</h3>
</header>
<dl>
<dt id="OP_ALL">OP_ALL
<dd>
<dt id="OP_ALLOW_NO_DHE_KEX">OP_ALLOW_NO_DHE_KEX
<dd>
<dt id="OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION">OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
<dd>
<dt id="OP_CIPHER_SERVER_PREFERENCE">OP_CIPHER_SERVER_PREFERENCE
<dd>
<dt id="OP_CISCO_ANYCONNECT">OP_CISCO_ANYCONNECT
<dd>
<dt id="OP_COOKIE_EXCHANGE">OP_COOKIE_EXCHANGE
<dd>
<dt id="OP_CRYPTOPRO_TLSEXT_BUG">OP_CRYPTOPRO_TLSEXT_BUG
<dd>
<dt id="OP_DONT_INSERT_EMPTY_FRAGMENTS">OP_DONT_INSERT_EMPTY_FRAGMENTS
<dd>
<dt id="OP_EPHEMERAL_RSA">OP_EPHEMERAL_RSA
<dd><p>Deprecated in <a href="../OpenSSL.html"><code>OpenSSL</code></a> 1.0.1k and 1.0.2.</p>
<dt id="OP_LEGACY_SERVER_CONNECT">OP_LEGACY_SERVER_CONNECT
<dd>
<dt id="OP_MICROSOFT_BIG_SSLV3_BUFFER">OP_MICROSOFT_BIG_SSLV3_BUFFER
<dd><p>Deprecated in <a href="../OpenSSL.html"><code>OpenSSL</code></a> 1.1.0.</p>
<dt id="OP_MICROSOFT_SESS_ID_BUG">OP_MICROSOFT_SESS_ID_BUG
<dd><p>Deprecated in <a href="../OpenSSL.html"><code>OpenSSL</code></a> 1.1.0.</p>
<dt id="OP_MSIE_SSLV2_RSA_PADDING">OP_MSIE_SSLV2_RSA_PADDING
<dd><p>Deprecated in <a href="../OpenSSL.html"><code>OpenSSL</code></a> 0.9.7h and 0.9.8b.</p>
<dt id="OP_NETSCAPE_CA_DN_BUG">OP_NETSCAPE_CA_DN_BUG
<dd><p>Deprecated in <a href="../OpenSSL.html"><code>OpenSSL</code></a> 1.1.0.</p>
<dt id="OP_NETSCAPE_CHALLENGE_BUG">OP_NETSCAPE_CHALLENGE_BUG
<dd><p>Deprecated in <a href="../OpenSSL.html"><code>OpenSSL</code></a> 1.1.0.</p>
<dt id="OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG">OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG
<dd><p>Deprecated in <a href="../OpenSSL.html"><code>OpenSSL</code></a> 1.1.0.</p>
<dt id="OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG">OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG
<dd><p>Deprecated in <a href="../OpenSSL.html"><code>OpenSSL</code></a> 0.9.8q and 1.0.0c.</p>
<dt id="OP_NO_COMPRESSION">OP_NO_COMPRESSION
<dd>
<dt id="OP_NO_ENCRYPT_THEN_MAC">OP_NO_ENCRYPT_THEN_MAC
<dd>
<dt id="OP_NO_QUERY_MTU">OP_NO_QUERY_MTU
<dd>
<dt id="OP_NO_RENEGOTIATION">OP_NO_RENEGOTIATION
<dd>
<dt id="OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION">OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
<dd>
<dt id="OP_NO_SSLv2">OP_NO_SSLv2
<dd><p>Deprecated in <a href="../OpenSSL.html"><code>OpenSSL</code></a> 1.1.0.</p>
<dt id="OP_NO_SSLv3">OP_NO_SSLv3
<dd>
<dt id="OP_NO_TICKET">OP_NO_TICKET
<dd>
<dt id="OP_NO_TLSv1">OP_NO_TLSv1
<dd>
<dt id="OP_NO_TLSv1_1">OP_NO_TLSv1_1
<dd>
<dt id="OP_NO_TLSv1_2">OP_NO_TLSv1_2
<dd>
<dt id="OP_NO_TLSv1_3">OP_NO_TLSv1_3
<dd>
<dt id="OP_PKCS1_CHECK_1">OP_PKCS1_CHECK_1
<dd><p>Deprecated in <a href="../OpenSSL.html"><code>OpenSSL</code></a> 1.0.1.</p>
<dt id="OP_PKCS1_CHECK_2">OP_PKCS1_CHECK_2
<dd><p>Deprecated in <a href="../OpenSSL.html"><code>OpenSSL</code></a> 1.0.1.</p>
<dt id="OP_SAFARI_ECDHE_ECDSA_BUG">OP_SAFARI_ECDHE_ECDSA_BUG
<dd>
<dt id="OP_SINGLE_DH_USE">OP_SINGLE_DH_USE
<dd><p>Deprecated in <a href="../OpenSSL.html"><code>OpenSSL</code></a> 1.1.0.</p>
<dt id="OP_SINGLE_ECDH_USE">OP_SINGLE_ECDH_USE
<dd><p>Deprecated in <a href="../OpenSSL.html"><code>OpenSSL</code></a> 1.1.0.</p>
<dt id="OP_SSLEAY_080_CLIENT_DH_BUG">OP_SSLEAY_080_CLIENT_DH_BUG
<dd><p>Deprecated in <a href="../OpenSSL.html"><code>OpenSSL</code></a> 1.1.0.</p>
<dt id="OP_SSLREF2_REUSE_CERT_TYPE_BUG">OP_SSLREF2_REUSE_CERT_TYPE_BUG
<dd><p>Deprecated in <a href="../OpenSSL.html"><code>OpenSSL</code></a> 1.0.1h and 1.0.2.</p>
<dt id="OP_TLSEXT_PADDING">OP_TLSEXT_PADDING
<dd>
<dt id="OP_TLS_BLOCK_PADDING_BUG">OP_TLS_BLOCK_PADDING_BUG
<dd><p>Deprecated in <a href="../OpenSSL.html"><code>OpenSSL</code></a> 1.1.0.</p>
<dt id="OP_TLS_D5_BUG">OP_TLS_D5_BUG
<dd><p>Deprecated in <a href="../OpenSSL.html"><code>OpenSSL</code></a> 1.1.0.</p>
<dt id="OP_TLS_ROLLBACK_BUG">OP_TLS_ROLLBACK_BUG
<dd>
<dt id="SSL2_VERSION">SSL2_VERSION
<dd><p><a href="SSL.html"><code>SSL</code></a> 2.0</p>
<dt id="SSL3_VERSION">SSL3_VERSION
<dd><p><a href="SSL.html"><code>SSL</code></a> 3.0</p>
<dt id="TLS1_1_VERSION">TLS1_1_VERSION
<dd><p>TLS 1.1</p>
<dt id="TLS1_2_VERSION">TLS1_2_VERSION
<dd><p>TLS 1.2</p>
<dt id="TLS1_3_VERSION">TLS1_3_VERSION
<dd><p>TLS 1.3</p>
<dt id="TLS1_VERSION">TLS1_VERSION
<dd><p>TLS 1.0</p>
<dt id="VERIFY_CLIENT_ONCE">VERIFY_CLIENT_ONCE
<dd>
<dt id="VERIFY_FAIL_IF_NO_PEER_CERT">VERIFY_FAIL_IF_NO_PEER_CERT
<dd>
<dt id="VERIFY_NONE">VERIFY_NONE
<dd>
<dt id="VERIFY_PEER">VERIFY_PEER
<dd>
</dl>
</section>
<section id="public-class-5Buntitled-5D-method-details" class="method-section">
<header>
<h3>Public Class Methods</h3>
</header>
<div id="method-c-verify_certificate_identity" class="method-detail ">
<div class="method-heading">
<span class="method-name">verify_certificate_identity</span><span
class="method-args">(cert, hostname)</span>
<span class="method-click-advice">click to toggle source</span>
</div>
<div class="method-description">
<div class="method-source-code" id="verify_certificate_identity-source">
<pre><span class="ruby-comment"># File ext/openssl/lib/openssl/ssl.rb, line 263</span>
<span class="ruby-comment"># Returns true when +hostname+ is a valid identity for +cert+: it must match a</span>
<span class="ruby-comment"># dNSName or iPAddress subjectAltName, or -- only when the certificate carries</span>
<span class="ruby-comment"># neither kind of SAN -- the subject CN. Returns false otherwise.</span>
<span class="ruby-comment">#</span>
<span class="ruby-comment"># This is an identity check only: nothing here validates the chain or the</span>
<span class="ruby-comment"># signature of +cert+ (chain validation is configured separately, see VERIFY_PEER).</span>
<span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">verify_certificate_identity</span>(<span class="ruby-identifier">cert</span>, <span class="ruby-identifier">hostname</span>)
<span class="ruby-comment"># Cleared as soon as a dNSName or iPAddress SAN is seen, so the CN is then</span>
<span class="ruby-comment"># ignored even if no SAN matched (SAN takes precedence over CN).</span>
<span class="ruby-identifier">should_verify_common_name</span> = <span class="ruby-keyword">true</span>
<span class="ruby-identifier">cert</span>.<span class="ruby-identifier">extensions</span>.<span class="ruby-identifier">each</span>{<span class="ruby-operator">|</span><span class="ruby-identifier">ext</span><span class="ruby-operator">|</span>
<span class="ruby-keyword">next</span> <span class="ruby-keyword">if</span> <span class="ruby-identifier">ext</span>.<span class="ruby-identifier">oid</span> <span class="ruby-operator">!=</span> <span class="ruby-string">"subjectAltName"</span>
<span class="ruby-comment"># The Extension SEQUENCE ends with extnValue, an OCTET STRING whose contents</span>
<span class="ruby-comment"># are the DER-encoded GeneralNames list; decode it a second time to walk the names.</span>
<span class="ruby-identifier">ostr</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">ASN1</span>.<span class="ruby-identifier">decode</span>(<span class="ruby-identifier">ext</span>.<span class="ruby-identifier">to_der</span>).<span class="ruby-identifier">value</span>.<span class="ruby-identifier">last</span>
<span class="ruby-identifier">sequence</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">ASN1</span>.<span class="ruby-identifier">decode</span>(<span class="ruby-identifier">ostr</span>.<span class="ruby-identifier">value</span>)
<span class="ruby-identifier">sequence</span>.<span class="ruby-identifier">value</span>.<span class="ruby-identifier">each</span>{<span class="ruby-operator">|</span><span class="ruby-identifier">san</span><span class="ruby-operator">|</span>
<span class="ruby-comment"># Only the GeneralName choices below are consulted; other SAN types are skipped.</span>
<span class="ruby-keyword">case</span> <span class="ruby-identifier">san</span>.<span class="ruby-identifier">tag</span>
<span class="ruby-keyword">when</span> <span class="ruby-value">2</span> <span class="ruby-comment"># dNSName in GeneralName (RFC5280)</span>
<span class="ruby-identifier">should_verify_common_name</span> = <span class="ruby-keyword">false</span>
<span class="ruby-comment"># verify_hostname is defined elsewhere in this file and does the actual name</span>
<span class="ruby-comment"># comparison (NOTE(review): any wildcard handling lives there, not here).</span>
<span class="ruby-keyword">return</span> <span class="ruby-keyword">true</span> <span class="ruby-keyword">if</span> <span class="ruby-identifier">verify_hostname</span>(<span class="ruby-identifier">hostname</span>, <span class="ruby-identifier">san</span>.<span class="ruby-identifier">value</span>)
<span class="ruby-keyword">when</span> <span class="ruby-value">7</span> <span class="ruby-comment"># iPAddress in GeneralName (RFC5280)</span>
<span class="ruby-identifier">should_verify_common_name</span> = <span class="ruby-keyword">false</span>
<span class="ruby-comment"># An iPAddress SAN holds raw address octets: 4 for IPv4, 16 for IPv6. Anything</span>
<span class="ruby-comment"># else is malformed and never matches.</span>
<span class="ruby-keyword">if</span> <span class="ruby-identifier">san</span>.<span class="ruby-identifier">value</span>.<span class="ruby-identifier">size</span> <span class="ruby-operator">==</span> <span class="ruby-value">4</span> <span class="ruby-operator">||</span> <span class="ruby-identifier">san</span>.<span class="ruby-identifier">value</span>.<span class="ruby-identifier">size</span> <span class="ruby-operator">==</span> <span class="ruby-value">16</span>
<span class="ruby-keyword">begin</span>
<span class="ruby-comment"># Compare network-byte-order octets, so textual forms of the same address agree.</span>
<span class="ruby-keyword">return</span> <span class="ruby-keyword">true</span> <span class="ruby-keyword">if</span> <span class="ruby-identifier">san</span>.<span class="ruby-identifier">value</span> <span class="ruby-operator">==</span> <span class="ruby-constant">IPAddr</span>.<span class="ruby-identifier">new</span>(<span class="ruby-identifier">hostname</span>).<span class="ruby-identifier">hton</span>
<span class="ruby-keyword">rescue</span> <span class="ruby-constant">IPAddr</span><span class="ruby-operator">::</span><span class="ruby-constant">InvalidAddressError</span>
<span class="ruby-comment"># +hostname+ is not an IP literal, so it cannot match an iPAddress SAN; keep going.</span>
<span class="ruby-keyword">end</span>
<span class="ruby-keyword">end</span>
<span class="ruby-keyword">end</span>
}
}
<span class="ruby-comment"># No dNSName or iPAddress SAN was present: fall back to the subject CN.</span>
<span class="ruby-keyword">if</span> <span class="ruby-identifier">should_verify_common_name</span>
<span class="ruby-identifier">cert</span>.<span class="ruby-identifier">subject</span>.<span class="ruby-identifier">to_a</span>.<span class="ruby-identifier">each</span>{<span class="ruby-operator">|</span><span class="ruby-identifier">oid</span>, <span class="ruby-identifier">value</span><span class="ruby-operator">|</span>
<span class="ruby-keyword">if</span> <span class="ruby-identifier">oid</span> <span class="ruby-operator">==</span> <span class="ruby-string">"CN"</span>
<span class="ruby-keyword">return</span> <span class="ruby-keyword">true</span> <span class="ruby-keyword">if</span> <span class="ruby-identifier">verify_hostname</span>(<span class="ruby-identifier">hostname</span>, <span class="ruby-identifier">value</span>)
<span class="ruby-keyword">end</span>
}
<span class="ruby-keyword">end</span>
<span class="ruby-comment"># Nothing matched: the certificate is not valid for +hostname+.</span>
<span class="ruby-keyword">return</span> <span class="ruby-keyword">false</span>
<span class="ruby-keyword">end</span></pre>
</div>
</div>
</div>
</section>
<section id="private-instance-5Buntitled-5D-method-details" class="method-section">
<header>
<h3>Private Instance Methods</h3>
</header>
<div id="method-i-verify_certificate_identity" class="method-detail ">
<div class="method-heading">
<span class="method-name">verify_certificate_identity</span><span
class="method-args">(cert, hostname)</span>
<span class="method-click-advice">click to toggle source</span>
</div>
<div class="method-description">
<div class="method-source-code" id="verify_certificate_identity-source">
<pre><span class="ruby-comment"># File ext/openssl/lib/openssl/ssl.rb, line 263</span>
<span class="ruby-comment"># Returns true when +hostname+ is a valid identity for +cert+: it must match a</span>
<span class="ruby-comment"># dNSName or iPAddress subjectAltName, or -- only when the certificate carries</span>
<span class="ruby-comment"># neither kind of SAN -- the subject CN. Returns false otherwise.</span>
<span class="ruby-comment">#</span>
<span class="ruby-comment"># This is an identity check only: nothing here validates the chain or the</span>
<span class="ruby-comment"># signature of +cert+ (chain validation is configured separately, see VERIFY_PEER).</span>
<span class="ruby-keyword">def</span> <span class="ruby-identifier ruby-title">verify_certificate_identity</span>(<span class="ruby-identifier">cert</span>, <span class="ruby-identifier">hostname</span>)
<span class="ruby-comment"># Cleared as soon as a dNSName or iPAddress SAN is seen, so the CN is then</span>
<span class="ruby-comment"># ignored even if no SAN matched (SAN takes precedence over CN).</span>
<span class="ruby-identifier">should_verify_common_name</span> = <span class="ruby-keyword">true</span>
<span class="ruby-identifier">cert</span>.<span class="ruby-identifier">extensions</span>.<span class="ruby-identifier">each</span>{<span class="ruby-operator">|</span><span class="ruby-identifier">ext</span><span class="ruby-operator">|</span>
<span class="ruby-keyword">next</span> <span class="ruby-keyword">if</span> <span class="ruby-identifier">ext</span>.<span class="ruby-identifier">oid</span> <span class="ruby-operator">!=</span> <span class="ruby-string">"subjectAltName"</span>
<span class="ruby-comment"># The Extension SEQUENCE ends with extnValue, an OCTET STRING whose contents</span>
<span class="ruby-comment"># are the DER-encoded GeneralNames list; decode it a second time to walk the names.</span>
<span class="ruby-identifier">ostr</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">ASN1</span>.<span class="ruby-identifier">decode</span>(<span class="ruby-identifier">ext</span>.<span class="ruby-identifier">to_der</span>).<span class="ruby-identifier">value</span>.<span class="ruby-identifier">last</span>
<span class="ruby-identifier">sequence</span> = <span class="ruby-constant">OpenSSL</span><span class="ruby-operator">::</span><span class="ruby-constant">ASN1</span>.<span class="ruby-identifier">decode</span>(<span class="ruby-identifier">ostr</span>.<span class="ruby-identifier">value</span>)
<span class="ruby-identifier">sequence</span>.<span class="ruby-identifier">value</span>.<span class="ruby-identifier">each</span>{<span class="ruby-operator">|</span><span class="ruby-identifier">san</span><span class="ruby-operator">|</span>
<span class="ruby-comment"># Only the GeneralName choices below are consulted; other SAN types are skipped.</span>
<span class="ruby-keyword">case</span> <span class="ruby-identifier">san</span>.<span class="ruby-identifier">tag</span>
<span class="ruby-keyword">when</span> <span class="ruby-value">2</span> <span class="ruby-comment"># dNSName in GeneralName (RFC5280)</span>
<span class="ruby-identifier">should_verify_common_name</span> = <span class="ruby-keyword">false</span>
<span class="ruby-comment"># verify_hostname is defined elsewhere in this file and does the actual name</span>
<span class="ruby-comment"># comparison (NOTE(review): any wildcard handling lives there, not here).</span>
<span class="ruby-keyword">return</span> <span class="ruby-keyword">true</span> <span class="ruby-keyword">if</span> <span class="ruby-identifier">verify_hostname</span>(<span class="ruby-identifier">hostname</span>, <span class="ruby-identifier">san</span>.<span class="ruby-identifier">value</span>)
<span class="ruby-keyword">when</span> <span class="ruby-value">7</span> <span class="ruby-comment"># iPAddress in GeneralName (RFC5280)</span>
<span class="ruby-identifier">should_verify_common_name</span> = <span class="ruby-keyword">false</span>
<span class="ruby-comment"># An iPAddress SAN holds raw address octets: 4 for IPv4, 16 for IPv6. Anything</span>
<span class="ruby-comment"># else is malformed and never matches.</span>
<span class="ruby-keyword">if</span> <span class="ruby-identifier">san</span>.<span class="ruby-identifier">value</span>.<span class="ruby-identifier">size</span> <span class="ruby-operator">==</span> <span class="ruby-value">4</span> <span class="ruby-operator">||</span> <span class="ruby-identifier">san</span>.<span class="ruby-identifier">value</span>.<span class="ruby-identifier">size</span> <span class="ruby-operator">==</span> <span class="ruby-value">16</span>
<span class="ruby-keyword">begin</span>
<span class="ruby-comment"># Compare network-byte-order octets, so textual forms of the same address agree.</span>
<span class="ruby-keyword">return</span> <span class="ruby-keyword">true</span> <span class="ruby-keyword">if</span> <span class="ruby-identifier">san</span>.<span class="ruby-identifier">value</span> <span class="ruby-operator">==</span> <span class="ruby-constant">IPAddr</span>.<span class="ruby-identifier">new</span>(<span class="ruby-identifier">hostname</span>).<span class="ruby-identifier">hton</span>
<span class="ruby-keyword">rescue</span> <span class="ruby-constant">IPAddr</span><span class="ruby-operator">::</span><span class="ruby-constant">InvalidAddressError</span>
<span class="ruby-comment"># +hostname+ is not an IP literal, so it cannot match an iPAddress SAN; keep going.</span>
<span class="ruby-keyword">end</span>
<span class="ruby-keyword">end</span>
<span class="ruby-keyword">end</span>
}
}
<span class="ruby-comment"># No dNSName or iPAddress SAN was present: fall back to the subject CN.</span>
<span class="ruby-keyword">if</span> <span class="ruby-identifier">should_verify_common_name</span>
<span class="ruby-identifier">cert</span>.<span class="ruby-identifier">subject</span>.<span class="ruby-identifier">to_a</span>.<span class="ruby-identifier">each</span>{<span class="ruby-operator">|</span><span class="ruby-identifier">oid</span>, <span class="ruby-identifier">value</span><span class="ruby-operator">|</span>
<span class="ruby-keyword">if</span> <span class="ruby-identifier">oid</span> <span class="ruby-operator">==</span> <span class="ruby-string">"CN"</span>
<span class="ruby-keyword">return</span> <span class="ruby-keyword">true</span> <span class="ruby-keyword">if</span> <span class="ruby-identifier">verify_hostname</span>(<span class="ruby-identifier">hostname</span>, <span class="ruby-identifier">value</span>)
<span class="ruby-keyword">end</span>
}
<span class="ruby-keyword">end</span>
<span class="ruby-comment"># Nothing matched: the certificate is not valid for +hostname+.</span>
<span class="ruby-keyword">return</span> <span class="ruby-keyword">false</span>
<span class="ruby-keyword">end</span></pre>
</div>
</div>
</div>
</section>
</section>
</main>