From 157d5ff281c503656192825c388b28e7f35e04ce Mon Sep 17 00:00:00 2001 From: Andrew Harbick Date: Mon, 15 Jun 2020 01:29:31 -0400 Subject: [PATCH] don't warn about TLS host verification when verify_peer is explicitly false (#341) * Don't warn about TLS hostname verification if verify_peer was explicitly set to false * As long as I had one spec... figured a couple others couldn't hurt * Reuse the warning string. --- lib/em-http/http_connection.rb | 2 +- spec/ssl_spec.rb | 53 +++++++++++++++++++++++++++++++++- 2 files changed, 53 insertions(+), 2 deletions(-) diff --git a/lib/em-http/http_connection.rb b/lib/em-http/http_connection.rb index a80a3796..755a0427 100644 --- a/lib/em-http/http_connection.rb +++ b/lib/em-http/http_connection.rb @@ -64,7 +64,7 @@ def ssl_verify_peer(cert_string) def ssl_handshake_completed unless verify_peer? warn "[WARNING; em-http-request] TLS hostname validation is disabled (use 'tls: {verify_peer: true}'), see" + - " CVE-2020-13482 and https://github.com/igrigorik/em-http-request/issues/339 for details" + " CVE-2020-13482 and https://github.com/igrigorik/em-http-request/issues/339 for details" unless parent.connopts.tls.has_key?(:verify_peer) return true end diff --git a/spec/ssl_spec.rb b/spec/ssl_spec.rb index 6a1f449b..9465a0c0 100644 --- a/spec/ssl_spec.rb +++ b/spec/ssl_spec.rb @@ -3,7 +3,6 @@ requires_connection do describe EventMachine::HttpRequest do - it "should initiate SSL/TLS on HTTPS connections" do EventMachine.run { http = EventMachine::HttpRequest.new('https://mail.google.com:443/mail/').get 
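Review bot: The warning text is still duplicated verbatim in `spec/ssl_spec.rb` even though the commit message says it is reused, and the new `unless parent.connopts.tls.has_key?(:verify_peer)` sits at the tail of a two-line `warn "..." + "..."` statement where the condition is easy to overlook. Lift the message into a frozen class-level constant, e.g. `VERIFY_PEER_WARNING = "[WARNING; em-http-request] TLS hostname validation is disabled (use 'tls: {verify_peer: true}'), see CVE-2020-13482 and https://github.com/igrigorik/em-http-request/issues/339 for details".freeze`, and reduce the body to `warn VERIFY_PEER_WARNING unless parent.connopts.tls.key?(:verify_peer)` so the spec can reference the constant instead of copying it. Note that `has_key?(:verify_peer)` only matches a symbol key; if the `tls` options are ever accepted with string keys (not visible in this hunk) an explicit `'verify_peer' => false` would still trigger the warning, and if `connopts.tls` can be `nil` rather than `{}` this line raises in the handshake callback, which is worth confirming against the options class. A short comment above the line, `# Only warn when the caller never made a choice; an explicit verify_peer: false is deliberate`, would record why the silence is intentional for the next reader of this security-relevant branch.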
@@ -15,6 +14,58 @@ } } end + + describe "TLS hostname verification" do + before do + @cve_warning = "[WARNING; em-http-request] TLS hostname validation is disabled (use 'tls: {verify_peer: true}'), see" + + " CVE-2020-13482 and https://github.com/igrigorik/em-http-request/issues/339 for details" + @orig_stderr = $stderr + $stderr = StringIO.new + end + + after do + $stderr = @orig_stderr + end + + it "should not warn if verify_peer is specified" do + EventMachine.run { + http = EventMachine::HttpRequest.new('https://mail.google.com:443/mail', {tls: {verify_peer: false}}).get + + http.callback { + $stderr.rewind + $stderr.string.chomp.should_not eq(@cve_warning) + + EventMachine.stop + } + } + end + + it "should not warn if verify_peer is true" do + EventMachine.run { + http = EventMachine::HttpRequest.new('https://mail.google.com:443/mail', {tls: {verify_peer: true}}).get + + http.callback { + $stderr.rewind + $stderr.string.chomp.should_not eq(@cve_warning) + + EventMachine.stop + } + } + end + + it "should warn if verify_peer is unspecified" do + EventMachine.run { + http = EventMachine::HttpRequest.new('https://mail.google.com:443/mail').get + + http.callback { + $stderr.rewind + $stderr.string.chomp.should eq(@cve_warning) + + EventMachine.stop + } + } + end + end end end
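Review bot: The two negative specs assert `$stderr.string.chomp.should_not eq(@cve_warning)`, which passes as soon as anything else is written to stderr alongside the warning (a Ruby deprecation notice, another library's output), so they cannot detect a regression that re-enables the warning; assert absence with `$stderr.string.should_not include(@cve_warning)` and presence in the third spec with `$stderr.string.should include(@cve_warning)` rather than exact equality. All three examples only assert inside `http.callback`, so if the request to mail.google.com fails (network, or the `verify_peer: true` case rejecting the certificate) no assertion runs and `EventMachine.stop` is never called, leaving the suite hanging instead of failing; add `http.errback { EventMachine.stop; fail "request failed" }` to each. `@cve_warning` re-declares the library's message character for character, so any edit to the text in `http_connection.rb` silently breaks these specs; referencing a constant exported by the library, or at least matching on a stable fragment such as `CVE-2020-13482`, would be more robust. `StringIO` is used without a visible `require 'stringio'`; it may already be loaded by the spec helper, but that is not visible here.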