enable TLS hostname validation

README.rdoc

@@ -52,12 +52,10 @@ This task will run the test suite and the
 
   rake rubotest
 
-To run the integration tests against an LDAP server:
-
-  cd test/support/vm/openldap
-  vagrant up
-  cd ../../../..
-  INTEGRATION=openldap bundle exec rake rubotest
+CI takes too long? If your local box supports
+{Vagrant}[https://www.vagrantup.com/], you can run most of the tests
+in a VM on your local box. For more details and setup instructions, see
+{test/support/vm/openldap/README.md}[https://github.com/ruby-ldap/ruby-net-ldap/tree/master/test/support/vm/openldap/README.md]
 
 == Release
 

lib/net/ldap/connection.rb

@@ -52,6 +52,15 @@ def open_connection(server)
     hosts.each do |host, port|
       begin
         prepare_socket(server.merge(socket: @socket_class.new(host, port, socket_opts)), timeout)
+        if encryption
+          if encryption[:tls_options] &&
+             encryption[:tls_options][:verify_mode] &&
+             encryption[:tls_options][:verify_mode] == OpenSSL::SSL::VERIFY_NONE
+            warn "not verifying SSL hostname of LDAPS server '#{host}:#{port}'"
+          else
+            @conn.post_connection_check(host)
+          end
+        end
         return
       rescue Net::LDAP::Error, SocketError, SystemCallError,
              OpenSSL::SSL::SSLError => e
@@ -392,12 +401,11 @@ def search(args = nil)
         # should collect this into a private helper to clarify the structure
         query_limit = 0
         if size > 0
-          if paged
-            query_limit = (((size - n_results) < 126) ? (size -
-                                                              n_results) : 0)
-          else
-            query_limit = size
-          end
+          query_limit = if paged
+                          (((size - n_results) < 126) ? (size - n_results) : 0)
+                        else
+                          size
+                        end
         end
 
         request = [

script/install-openldap

@@ -48,20 +48,20 @@ chown -R openldap.openldap /var/lib/ldap
 rm -rf $TMPDIR
 
 # SSL
+export CA_CERT="/etc/ssl/certs/cacert.pem"
+export CA_KEY="/etc/ssl/private/cakey.pem"
+export CA_INFO="/etc/ssl/ca.info"
 
-sh -c "certtool --generate-privkey > /etc/ssl/private/cakey.pem"
+# If you ever need to regenerate these...
+# certtool --generate-privkey > /path/to/cakey.pem
+# certtool --generate-self-signed \
+#  --load-privkey /path/to/cakey.pem
+#  --template /path/to/ca.info
+#  --outfile /path/to/cacert.pem
 
-sh -c "cat > /etc/ssl/ca.info <<EOF
-cn = rubyldap
-ca
-cert_signing_key
-EOF"
-
-# Create the self-signed CA certificate:
-certtool --generate-self-signed \
---load-privkey /etc/ssl/private/cakey.pem \
---template /etc/ssl/ca.info \
---outfile /etc/ssl/certs/cacert.pem
+cp "${SEED_PATH}/ca/cacert.pem" "${CA_CERT}"
+cp "${SEED_PATH}/ca/cakey.pem"  "${CA_KEY}"
+cp "${SEED_PATH}/ca/ca.info"    "${CA_INFO}"
 
 # Make a private key for the server:
 certtool --generate-privkey \
@@ -71,24 +71,36 @@ certtool --generate-privkey \
 sh -c "cat > /etc/ssl/ldap01.info <<EOF
 organization = Example Company
 cn = ldap01.example.com
+dns_name = ldap01.example.com
+dns_name = ldap02.example.com
+dns_name = localhost
 tls_www_server
 encryption_key
 signing_key
 expiration_days = 3650
 EOF"
 
+# The integration server may be accessed by IP address, in which case
+# we want some of the IPs included in the cert. We skip loopback (127.0.0.1)
+# because that's the IP we use in the integration test for cert name mismatches.
+ADDRS=$(ifconfig -a | grep 'inet addr:' | cut -f 2 -d : | cut -f 1 -d ' ')
+for ip in $ADDRS; do
+  if [ "x$ip" = 'x127.0.0.1' ]; then continue; fi
+  echo "ip_address = $ip" >> /etc/ssl/ldap01.info
+done
+
 # Create the server certificate
 certtool --generate-certificate \
   --load-privkey /etc/ssl/private/ldap01_slapd_key.pem \
-  --load-ca-certificate /etc/ssl/certs/cacert.pem \
-  --load-ca-privkey /etc/ssl/private/cakey.pem \
+  --load-ca-certificate "${CA_CERT}" \
+  --load-ca-privkey "${CA_KEY}" \
   --template /etc/ssl/ldap01.info \
   --outfile /etc/ssl/certs/ldap01_slapd_cert.pem
 
 ldapmodify -Y EXTERNAL -H ldapi:/// <<EOF | true
 dn: cn=config
 add: olcTLSCACertificateFile
-olcTLSCACertificateFile: /etc/ssl/certs/cacert.pem
+olcTLSCACertificateFile: ${CA_CERT}
 -
 add: olcTLSCertificateFile
 olcTLSCertificateFile: /etc/ssl/certs/ldap01_slapd_cert.pem
@@ -110,6 +122,14 @@ chmod g+r /etc/ssl/private/ldap01_slapd_key.pem
 chmod o-r /etc/ssl/private/ldap01_slapd_key.pem
 
 # Drop packets on a secondary port used to specific timeout tests
-iptables -A OUTPUT -p tcp -j DROP --dport 8389
+iptables -A INPUT -p tcp -j DROP --dport 8389
+
+# Forward a port for Vagrant
+iptables -t nat -A PREROUTING -p tcp --dport 9389 -j REDIRECT --to-port 389
+
+# fix up /etc/hosts for cert validation
+grep ldap01 /etc/hosts || echo "127.0.0.1 ldap01.example.com" >> /etc/hosts
+grep ldap02 /etc/hosts || echo "127.0.0.1 ldap02.example.com" >> /etc/hosts
+grep bogus /etc/hosts  || echo "127.0.0.1 bogus.example.com" >> /etc/hosts
 
 service slapd restart

test/fixtures/ca/ca.info

@@ -0,0 +1,4 @@
+cn = rubyldap
+ca
+cert_signing_key
+expiration_days = 7200

test/fixtures/ca/cacert.pem

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC7zCCAdegAwIBAgIMV7ur2wQbbBBUX/gBMA0GCSqGSIb3DQEBCwUAMBMxETAP
+BgNVBAMTCHJ1YnlsZGFwMB4XDTE2MDgyMzAxNTAxOVoXDTM2MDUxMDAxNTAxOVow
+EzERMA8GA1UEAxMIcnVieWxkYXAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+AoIBAQDIXIIUk/PJ8UnmthzX1ZC5pej7qwQDILA/o4/EkU1rBfGkHNhJihzOoW+1
+QjixcxjVM8pZXM0+bkOr/UY4ymqQnnW7a8U6Rc1+4Mhz7jKtjChfjWkAX857alL7
+2F5M1pUBvQ1WdXXFOwO0vyDT54UzkFMr/lvKXrd4/kNJYQE87+B0igICEDocFLO3
+SchtH0YpSzE80b0Fn1O1noS3LU9Eo+XsMoBMHVVrKOb/Yzs5Z1hfPrHOpB+z3VTe
+4/LcbbcMoc20Ypjq+kamuYo6uGoy0lzgmgwQgJtmxl8EhsIrZuUw80yJZqi3bLht
+8UZbVM1dV1/Hh7danmlWqZnI579FAgMBAAGjQzBBMA8GA1UdEwEB/wQFMAMBAf8w
+DwYDVR0PAQH/BAUDAwcEADAdBgNVHQ4EFgQUZ4HlXJgf2tIxLhDOB07SC200XG8w
+DQYJKoZIhvcNAQELBQADggEBAIee6oT01p6e300scQTo/VPELf14ebrZXDqtJ7HR
+egHZRrSzyQgxnnyFfoazG9bmgX/xgDvH8CxW4Q7OHH2ybGA5z2FfK+uSAjKHPR2y
+8EjAKfQUDo0CBlcU0otvk8KhyNmu3sbCO6QGlnDDnWo78UDOdfeflvCp4HH+wdnU
+ZSKTxaJe7BbBPMm6VZGhqa4O7MOOiupcGUt0emsyA1mVixkhr+6/aO2FLdiXwclX
+GhYBZg5xxbM5Hn8LbjfRsaqCjBpOXLKnuUGDQSQj1TtRFzRuiGU4tHpoBnQGCYNa
+bhFP7hjfwcjKUSizHM89KugrVgpnDh6oKn+xrhSdcKTmlag=
+-----END CERTIFICATE-----

test/fixtures/ca/cakey.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAyFyCFJPzyfFJ5rYc19WQuaXo+6sEAyCwP6OPxJFNawXxpBzY
+SYoczqFvtUI4sXMY1TPKWVzNPm5Dq/1GOMpqkJ51u2vFOkXNfuDIc+4yrYwoX41p
+AF/Oe2pS+9heTNaVAb0NVnV1xTsDtL8g0+eFM5BTK/5byl63eP5DSWEBPO/gdIoC
+AhA6HBSzt0nIbR9GKUsxPNG9BZ9TtZ6Ety1PRKPl7DKATB1Vayjm/2M7OWdYXz6x
+zqQfs91U3uPy3G23DKHNtGKY6vpGprmKOrhqMtJc4JoMEICbZsZfBIbCK2blMPNM
+iWaot2y4bfFGW1TNXVdfx4e3Wp5pVqmZyOe/RQIDAQABAoIBAALhQYVmMwTeEP/d
+8kAv86qXdefYJ3CcEax4f2KF7CTzqut+9qTn9U4LB/4E+6ehTeQSoH/0U4boMtTQ
+CShb0HhPrsWI4QbbZf7C4F66N8RC1Xm6IJ4+wksH1jWEgKZ+Fxo1S3HIsm6pUH5S
+mPgyxbleA7QILe2UuvJkRTdSy5/ClGROTXAZfA7NE/yL+cUjAOyQfxs/SxcMwnxK
+phGZaAfYRpvExtRO9CAdlmkC9RgYWOdC/r7wHehpY7fi/FqBd46w+AV3ougKGt9r
+yOEcXVrJRQtDR5UWivUOs34MCPQa2T+XHn/WLgeWE6bNaw5SyLr4oolb10Iue+Hw
+v23W5oECgYEA7rEE7/6rTkHodVI9wrYg007WDQmeR6Y0gwiX6oGQpftXExfHjHio
+yr0qwbL/UOFkWfJ8ORNXa6hHIDfxI2Kkg7vgt8SaLK8c0zhszJpcYmAx63Kk+BUO
+/S863Ptz28rGmXJxjo5GYUHR7rjvRefauV6SSUo9rbocFcyeV/UlXpUCgYEA1uPx
+TSXt2MBRiGp+E4tNPj+16QaF+4ety3+a4vlsY2ALejkjC3I5Lf1s4b0SW6eEn/U2
+PYFzm3FqsDqYhSas64b2s3Cw8x2yQ7rCD3SKGoiJqUSPwLkZjgUXC1gDaMkJXzEX
+L9yBEBVfNRYCCk4EY/Wz1C5gJ4PFtLb8NbXGofECgYEAr506PsEmlItVVoxNuGZ7
+vDxyrGD5PUoBtK6r5vOw0w4bQIbsYGOd/Jw1SxJBWuaaCLupveyHE0RaIFBIcHpx
+BCNE8LALpvinwpfvJJIlipOv5sUQrx3/SzRmoJO46GtGtztGZVY0XfYpWPRjxxER
+EfWMt7ORsbIOW9OSZLCO8AkCgYA1c/HcDOlDF2OwmTzPQ8FtEJABbPv6+18B1bYD
+a6PIfGWee4P6HumWRQnGhS+B2QOmfmqFliPZsLanK4ww4tP0qlfHfuqlLufe7R/E
+lGqd+wSzNDjF6cUvjJiU28nNUOSh5yYrY6A/DfHm1JihU5LIAqA+0WJdseuF7laC
+TbshIQKBgGhwjXS/A0twYMTZwc/H/JGik8yBXK/GZ4BAlIv5hryRmKMbik8sLtEF
+Lq/Jt9qsQ6Zob2XZFAi+vZJykvX0ySxngHEOkiHxwyQNQTEfBPifFPkOIKhVKt9t
+D4w2FfF4Bai36Wdaa97VXiBBgafIe7z5VDJXRS2HK9SHuYH3kmJu
+-----END RSA PRIVATE KEY-----