jruby / jruby-openssl

JRuby's OpenSSL gem
http://www.jruby.org

verify_hostname not set, name potentially not verified in many situations #284

Open HoneyryderChuck opened 10 months ago

HoneyryderChuck commented 10 months ago

In CRuby, the verify_hostname property of the ssl context is set to true on the first set_params call:

# cruby 3.2
ctx = OpenSSL::SSL::SSLContext.new
ctx.verify_hostname #=> false
ctx.set_params {} #=> {:min_version=>769, :verify_mode=>1, :verify_hostname=>nil}
ctx.verify_hostname #=> true

latest jruby-openssl doesn't do this though:

ctx = OpenSSL::SSL::SSLContext.new
ctx.verify_hostname #=> nil
ctx.set_params {} #=> {:min_version=>769, :verify_mode=>1, :verify_hostname=>true}
ctx.verify_hostname #=> nil

I could narrow it down to OpenSSL::SSL::SSLContext::DEFAULT_PARAMS having :verify_hostname set to nil, though I couldn't pinpoint why. Nevertheless, this means that jruby-openssl-enabled code like net-http is by default foregoing SNI / hostname verification, as it seems to rely on it to fill in the SNI parameters (and not just the post connection verification, as this comment implies).

jruby: jruby 9.4.2.0 (3.1.0) 2023-03-08 90d2913fda Java HotSpot(TM) 64-Bit Server VM 25.333-b02 on 1.8.0_333-b02 +jit [x86_64-darwin]
jruby-openssl: 0.14.2

kares commented 9 months ago

there is verification going on by default in the Java engine (when @hostname is set) and that is why it's not set by default but left as nil. not sure if forcing it to true has the desired effect; the callback to Ruby land might not be implemented at this point...

HoneyryderChuck commented 9 months ago

which callback do you mean? AFAIK verify_certificate_identity (via SSLSocket#post_connection_check) needs to be called by whoever owns the SSLSocket instance post-connection. And it seems that net-http is making this conditional on the verify_hostname variable, which in jruby will be nil, meaning that, in net-http with jruby, the post connection check won't run.
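An added example (not code from this issue or from the jruby-openssl project) showing the defensive pattern both the report and the last comment point at: arm verify_hostname explicitly after set_params instead of trusting DEFAULT_PARAMS, and run the identity check that SSLSocket#post_connection_check delegates to. The helper names are the example's own, and the certificate is constructed inside the block so it runs offline.

```ruby
require "openssl"

# Build a context and force hostname verification on, even where the
# engine's DEFAULT_PARAMS leaves :verify_hostname as nil (the behaviour
# reported above). Client code that does this does not depend on which
# OpenSSL implementation is underneath.
def hardened_context
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.set_params(verify_mode: OpenSSL::SSL::VERIFY_PEER)
  ctx.verify_hostname = true unless ctx.verify_hostname
  ctx
end

# True only when both peer verification and hostname verification are armed;
# a nil verify_hostname (as seen on jruby-openssl 0.14.2) fails this check.
def hostname_verification_armed?(ctx)
  ctx.verify_mode == OpenSSL::SSL::VERIFY_PEER && ctx.verify_hostname == true
end

# Constructed self-signed certificate carrying DNS SANs; it stands in for
# the server certificate a real connection would present.
def sample_certificate(san_hosts)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=ignored-when-san-present")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  san = san_hosts.map { |h| "DNS:#{h}" }.join(",")
  cert.add_extension(ef.create_extension("subjectAltName", san))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# The check post_connection_check performs: does the presented certificate
# actually name the host we intended to reach? Callers that skip this when
# verify_hostname is nil accept any validly chained certificate for any host.
def identity_matches?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end
```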