Don't verify hostname when verify_hostname is false in tls_options

jurta · jurta · commit 69aa6f4c4d48 · 2020-02-14T15:06:44.000+02:00
diff --git a/lib/net/ldap/connection.rb b/lib/net/ldap/connection.rb
@@ -53,8 +53,10 @@ def open_connection(server)
         prepare_socket(server.merge(socket: @socket_class.new(host, port, socket_opts)), timeout)
         if encryption
           if encryption[:tls_options] &&
-             encryption[:tls_options][:verify_mode] &&
-             encryption[:tls_options][:verify_mode] == OpenSSL::SSL::VERIFY_NONE
+             (encryption[:tls_options][:verify_mode] &&
+              encryption[:tls_options][:verify_mode] == OpenSSL::SSL::VERIFY_NONE ||
+              encryption[:tls_options].key?(:verify_hostname) &&
+              encryption[:tls_options][:verify_hostname] == false)
             warn "not verifying SSL hostname of LDAPS server '#{host}:#{port}'"
           else
             @conn.post_connection_check(host)
diff --git a/test/integration/test_bind.rb b/test/integration/test_bind.rb
@@ -47,6 +47,26 @@ def test_bind_tls_with_cafile
            @ldap.get_operation_result.inspect
   end
 
+  def test_bind_tls_with_bad_hostname_no_verify_hostname_no_ca_passes
+    @ldap.host = INTEGRATION_HOSTNAME
+    @ldap.encryption(
+      method:      :start_tls,
+      tls_options: { verify_hostname: false },
+    )
+    assert @ldap.bind(BIND_CREDS),
+           @ldap.get_operation_result.inspect
+  end
+
+  def test_bind_tls_with_bad_hostname_no_verify_hostname_no_ca_opt_merge_passes
+    @ldap.host = '127.0.0.1'
+    @ldap.encryption(
+      method:      :start_tls,
+      tls_options: TLS_OPTS.merge(verify_hostname: false),
+    )
+    assert @ldap.bind(BIND_CREDS),
+           @ldap.get_operation_result.inspect
+  end
+
   def test_bind_tls_with_bad_hostname_verify_none_no_ca_passes
     @ldap.host = INTEGRATION_HOSTNAME
     @ldap.encryption(
