From cc3f27d012bcb3a49985707e1243267d813e638a Mon Sep 17 00:00:00 2001
From: "jean-pierre.vanriel"
Date: Fri, 15 Jan 2016 01:26:10 +0200
Subject: [PATCH 1/3] Addresses the LDAPS vulnerability to MITM attacks by checking hostname against the CN or SAN in X509 Cert if OpenSSL::SSL::VERIFY_NONE is *not* set. Effectively, it bundles the proper host authentication step people mistakenly assume happens when OpenSSL::SSL::VERIFY_PEER is set.

---
 lib/net/ldap/connection.rb | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/lib/net/ldap/connection.rb b/lib/net/ldap/connection.rb
index f8ba0b61..7921d73d 100644
--- a/lib/net/ldap/connection.rb
+++ b/lib/net/ldap/connection.rb
@@ -51,6 +51,9 @@ def open_connection(server)
     hosts.each do |host, port|
       begin
         prepare_socket(server.merge(socket: @socket_class.new(host, port, socket_opts)))
+        if encryption[:tls_options][:verify_mode] != OpenSSL::SSL::VERIFY_NONE
+          @conn.post_connection_check(host)
+        end
         return
       rescue Net::LDAP::Error, SocketError, SystemCallError,
              OpenSSL::SSL::SSLError => e

From 51f12c5f9f6ed600fea929ee210117045020d322 Mon Sep 17 00:00:00 2001
From: JPvRiel
Date: Wed, 20 Jan 2016 20:30:47 +0200
Subject: [PATCH 2/3] fix a regression in a prior commit and check if :verify_mode key exists otherwise a nil error results for connections without encryption

---
 lib/net/ldap/connection.rb | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/lib/net/ldap/connection.rb b/lib/net/ldap/connection.rb
index 7921d73d..6209ea3f 100644
--- a/lib/net/ldap/connection.rb
+++ b/lib/net/ldap/connection.rb
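Review bot: The new `if` in this hunk carries no comment saying why a hostname check is needed on top of VERIFY_PEER, and that reasoning currently lives only in the commit message; add above it `# VERIFY_PEER validates the certificate chain only; post_connection_check matches the cert's CN/SAN against the host we dialed, which is what defeats a MITM holding any trusted cert.` Dereferencing `encryption[:tls_options]` unconditionally raises NoMethodError for plaintext connections or an encryption hash without `:tls_options`; PATCH 2/3 and 3/3 on this page rework that guard, so it is not re-raised here. A failed check raises OpenSSL::SSL::SSLError, which the `rescue` on the following lines catches, so a hostname mismatch is reported through the same path as a failed connect rather than as a distinct verification failure; whether that rescue closes `@conn` is outside the hunk and worth confirming. `open_connection` begins and ends outside the hunk.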
@@ -51,8 +51,10 @@ def open_connection(server)
     hosts.each do |host, port|
       begin
         prepare_socket(server.merge(socket: @socket_class.new(host, port, socket_opts)))
-        if encryption[:tls_options][:verify_mode] != OpenSSL::SSL::VERIFY_NONE
+        if encryption && ! encryption[:tls_options] && encryption[:tls_options][:verify_mode]
+          if encryption[:tls_options][:verify_mode] != OpenSSL::SSL::VERIFY_NONE
           @conn.post_connection_check(host)
+          end
         end
         return
       rescue Net::LDAP::Error, SocketError, SystemCallError,

From da59fd534d9409cabcc7cf26291f8faba8d4c2c1 Mon Sep 17 00:00:00 2001
From: JPvRiel
Date: Wed, 27 Jan 2016 18:41:20 +0200
Subject: [PATCH 3/3] second fix to conditonal logic after more extensive positive and negative manual test cases

---
 lib/net/ldap/connection.rb | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/lib/net/ldap/connection.rb b/lib/net/ldap/connection.rb
index 6209ea3f..d3ed6ec7 100644
--- a/lib/net/ldap/connection.rb
+++ b/lib/net/ldap/connection.rb
@@ -51,8 +51,12 @@ def open_connection(server)
     hosts.each do |host, port|
       begin
         prepare_socket(server.merge(socket: @socket_class.new(host, port, socket_opts)))
-        if encryption && ! encryption[:tls_options] && encryption[:tls_options][:verify_mode]
-          if encryption[:tls_options][:verify_mode] != OpenSSL::SSL::VERIFY_NONE
+        if encryption
+          if encryption[:tls_options] &&
+             encryption[:tls_options][:verify_mode] &&
+             encryption[:tls_options][:verify_mode] == OpenSSL::SSL::VERIFY_NONE
+            warn "not verifying SSL hostname of LDAPS server"
+          else
           @conn.post_connection_check(host)
         end
       end
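Review bot: The new guard `if encryption && ! encryption[:tls_options] && encryption[:tls_options][:verify_mode]` is inverted: when `:tls_options` is present the `!` makes the condition false, so `post_connection_check` is never reached and the hostname check introduced in PATCH 1/3 silently fails open for every TLS connection, while when `:tls_options` is absent the last clause calls `[]` on nil. PATCH 3/3 below replaces this condition, so the fix is not re-stated here; anyone taking 51f12c5f on its own should take da59fd53 with it. The `rescue` list at the bottom of the hunk is cut off and the rest of the clause, along with the enclosing `open_connection`, lies outside the hunk.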
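Review bot: The nested `if` on the new side of this hunk evaluates `encryption[:tls_options][:verify_mode]` three times and reads as a three-way guard when it asks one question; binding the lookup once to a local keeps the same fail-safe default, since nil or any mode other than `OpenSSL::SSL::VERIFY_NONE` still reaches `post_connection_check`. `warn` writes straight to `$stderr` on every connection configured with VERIFY_NONE; if the connection object has a logger, that is the better channel, but none is visible in the hunk. A mismatch raised by `post_connection_check` is an `OpenSSL::SSL::SSLError`, which the `rescue` shown in the earlier hunks catches, so the loop moves on to the next host after a handshake already completed against an unverified peer — presumably that rescue closes `@conn`, which is worth confirming. `open_connection` begins and ends outside the hunk.
```ruby
        prepare_socket(server.merge(socket: @socket_class.new(host, port, socket_opts)))
        if encryption
          verify_mode = encryption[:tls_options] && encryption[:tls_options][:verify_mode]
          # Only an explicit VERIFY_NONE opts out; nil or any other mode keeps the hostname check.
          if verify_mode == OpenSSL::SSL::VERIFY_NONE
            warn "not verifying SSL hostname of LDAPS server"
          else
            @conn.post_connection_check(host)
          end
        end
```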