ruby-ldap · tarcieri · Jan 23, 2016 · tarcieri · Jan 26, 2016 · JPvRiel
diff --git a/lib/net/ldap/connection.rb b/lib/net/ldap/connection.rb
@@ -36,7 +36,7 @@ def prepare_socket(server)
     encryption = server[:encryption]
 
     @conn = socket
-    setup_encryption encryption if encryption
+    setup_encryption({ verify_host: server[:connected_host] }.merge(encryption)) if encryption
   end
 
   def open_connection(server)
@@ -50,7 +50,7 @@ def open_connection(server)
     errors = []
     hosts.each do |host, port|
       begin
-        prepare_socket(server.merge(socket: @socket_class.new(host, port, socket_opts)))
+        prepare_socket(server.merge(socket: @socket_class.new(host, port, socket_opts), connected_host: host))
         return
       rescue Net::LDAP::Error, SocketError, SystemCallError,
              OpenSSL::SSL::SSLError => e
@@ -88,6 +88,13 @@ def self.wrap_with_ssl(io, tls_options = {})
     conn = OpenSSL::SSL::SSLSocket.new(io, ctx)
     conn.connect
 
+    if tls_options[:verify_host]
+      # This raises OpenSSL::SSL::SSLError if hostname verification fails
+      conn.post_connection_check(tls_options[:verify_host])
+    else
+      warn "not verifying SSL hostname of LDAP server"
+    end
+
     # Doesn't work:
     # conn.sync_close = true