don't warn about TLS host verification when verify_peer is explicitly…

… false (#341) * Don't warn about TLS hostname verification if verify_peer was explicitly set to false * As long as I had one spec... figured a couple others couldn't hurt * Reuse the warning string.
igrigorik · Jun 15, 2020 · 157d5ff · 157d5ff
1 parent 4d69fac
commit 157d5ff
Show file tree

Hide file tree

Showing 2 changed files with 53 additions and 2 deletions.
diff --git a/lib/em-http/http_connection.rb b/lib/em-http/http_connection.rb
@@ -64,7 +64,7 @@ def ssl_verify_peer(cert_string)
     def ssl_handshake_completed
       unless verify_peer?
         warn "[WARNING; em-http-request] TLS hostname validation is disabled (use 'tls: {verify_peer: true}'), see" +
-             " CVE-2020-13482 and https://github.com/igrigorik/em-http-request/issues/339 for details"
+             " CVE-2020-13482 and https://github.com/igrigorik/em-http-request/issues/339 for details" unless parent.connopts.tls.has_key?(:verify_peer)
         return true
       end
 

diff --git a/spec/ssl_spec.rb b/spec/ssl_spec.rb
@@ -3,7 +3,6 @@
 requires_connection do
 
   describe EventMachine::HttpRequest do
-
     it "should initiate SSL/TLS on HTTPS connections" do
       EventMachine.run {
         http = EventMachine::HttpRequest.new('https://mail.google.com:443/mail/').get
@@ -15,6 +14,58 @@
         }
       }
     end
+
+    describe "TLS hostname verification" do
+      before do
+        @cve_warning = "[WARNING; em-http-request] TLS hostname validation is disabled (use 'tls: {verify_peer: true}'), see" +
+                       " CVE-2020-13482 and https://github.com/igrigorik/em-http-request/issues/339 for details"
+        @orig_stderr = $stderr
+        $stderr = StringIO.new
+      end
+
+      after do
+        $stderr = @orig_stderr
+      end
+
+      it "should not warn if verify_peer is specified" do
+        EventMachine.run {
+          http = EventMachine::HttpRequest.new('https://mail.google.com:443/mail', {tls: {verify_peer: false}}).get
+
+          http.callback {
+            $stderr.rewind
+            $stderr.string.chomp.should_not eq(@cve_warning)
+
+            EventMachine.stop
+          }
+        }
+      end
+
+      it "should not warn if verify_peer is true" do
+        EventMachine.run {
+          http = EventMachine::HttpRequest.new('https://mail.google.com:443/mail', {tls: {verify_peer: true}}).get
+
+          http.callback {
+            $stderr.rewind
+            $stderr.string.chomp.should_not eq(@cve_warning)
+
+            EventMachine.stop
+          }
+        }
+      end
+
+      it "should warn if verify_peer is unspecified" do
+        EventMachine.run {
+          http = EventMachine::HttpRequest.new('https://mail.google.com:443/mail').get
+
+          http.callback {
+            $stderr.rewind
+            $stderr.string.chomp.should eq(@cve_warning)
+
+            EventMachine.stop
+          }
+        }
+      end
+    end
   end
 
 end