Open HoneyryderChuck opened 10 months ago
there is verification going on by default in the Java engine (when `@hostname` is set) and that is why it's not set by default but left as `nil`. not sure if forcing it to `true` has the desired effect, the callback to Ruby land might not be implemented at this point...

which callback do you mean? AFAIK `verify_certificate_identity` (via `SSLSocket#post_connection_check`) needs to be called by whoever owns the SSLSocket instance post-connection. And it seems that net-http is making this conditional on the `verify_hostname` variable, which in jruby will be `nil`, meaning that, in `net-http` with jruby, post connection check won't run.

In CRuby, the `verify_hostname` property of the ssl context is set to true on the first `set_params` call:

latest jruby-openssl doesn't do this though:

I could narrow it down to `OpenSSL::SSL::SSLContext::DEFAULT_PARAMS` having `:verify_hostname` set to `nil`, which I couldn't pinpoint the why. Nevertheless, this means that jruby-openssl enabled code like net-http is by default foregoing SNI / hostname verification, as it seems to rely on it to fill in the SNI parameters (and not just the post connection verification, as this comment implies).

jruby: jruby 9.4.2.0 (3.1.0) 2023-03-08 90d2913fda Java HotSpot(TM) 64-Bit Server VM 25.333-b02 on 1.8.0_333-b02 +jit [x86_64-darwin]
jruby-openssl: 0.14.2
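
Added example, not part of the original thread and not code from net-http or jruby-openssl: a Ruby model of the failure mode discussed above, where a `nil` `verify_hostname` causes the post-connection identity check to be skipped, next to a context that sets it explicitly. The helper names and the `good.example` certificate are constructed for illustration, and chain validation is assumed to have passed.

```ruby
require "openssl"

# Condition the thread attributes to net-http for running post_connection_check
# (modelled here as an assumption, not copied from net-http).
def post_connection_check_runs?(ctx)
  !!(ctx.verify_mode != OpenSSL::SSL::VERIFY_NONE && ctx.verify_hostname)
end

# Hypothetical helper: models only the identity step of a client connection.
# Chain validation is out of scope and assumed to have passed.
def identity_accepted?(ctx, peer_cert, hostname)
  return true unless post_connection_check_runs?(ctx) # check skipped: any name passes
  OpenSSL::SSL.verify_certificate_identity(peer_cert, hostname)
end

# Hypothetical helper: a context that does not depend on DEFAULT_PARAMS.
def hardened_context
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.set_params(verify_mode: OpenSSL::SSL::VERIFY_PEER)
  ctx.verify_hostname = true # explicit, whatever the engine's default is
  ctx
end

# Context in the state the issue reports: verify_hostname left as nil.
def reported_context
  ctx = hardened_context
  ctx.verify_hostname = nil
  ctx
end

# Constructed sample: self-signed certificate valid only for good.example.
def sample_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=good.example")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:good.example"))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

puts "DEFAULT_PARAMS[:verify_hostname] = " \
     "#{OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:verify_hostname].inspect}"
```

The final `puts` reports the default of whichever engine runs the script, so the same file can be used to compare CRuby and JRuby.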