From 84f997bdb9b38feb0173eece399159291dee8f2b Mon Sep 17 00:00:00 2001
From: Tony Arcieri
Date: Sat, 23 Jan 2016 15:18:55 -0800
Subject: [PATCH] Initial SSL hostname verification support

No tests yet, just an initial implementation to discuss.
---
 lib/net/ldap/connection.rb | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/lib/net/ldap/connection.rb b/lib/net/ldap/connection.rb
index f8ba0b61..f8215d52 100644
--- a/lib/net/ldap/connection.rb
+++ b/lib/net/ldap/connection.rb
@@ -36,7 +36,7 @@ def prepare_socket(server)
     encryption = server[:encryption]
     @conn = socket
 
-    setup_encryption encryption if encryption
+    setup_encryption({ verify_host: server[:connected_host] }.merge(encryption)) if encryption
   end
 
   def open_connection(server)
@@ -50,7 +50,7 @@ def open_connection(server)
     errors = []
     hosts.each do |host, port|
       begin
-        prepare_socket(server.merge(socket: @socket_class.new(host, port, socket_opts)))
+        prepare_socket(server.merge(socket: @socket_class.new(host, port, socket_opts), connected_host: host))
         return
       rescue Net::LDAP::Error, SocketError, SystemCallError,
              OpenSSL::SSL::SSLError => e
@@ -88,6 +88,13 @@ def self.wrap_with_ssl(io, tls_options = {})
     conn = OpenSSL::SSL::SSLSocket.new(io, ctx)
     conn.connect
 
+    if tls_options[:verify_host]
+      # This raises OpenSSL::SSL::SSLError if hostname verification fails
+      conn.post_connection_check(tls_options[:verify_host])
+    else
+      warn "not verifying SSL hostname of LDAP server"
+    end
+
     # Doesn't work:
     # conn.sync_close = true
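Review bot: `:verify_host` is merged into the top level of the `encryption` hash on the changed line, but the consumer added in the third hunk reads `tls_options[:verify_host]`; unless `setup_encryption` (unchanged per the diffstat and not visible here) copies that key into the `tls_options` it hands to `wrap_with_ssl`, the new branch never sees a host and every connection takes the `warn` path, and if the key instead lands in the hash used to configure the `SSLContext`, an option the context does not understand is likely to raise rather than verify — worth confirming. A cleaner route is a dedicated parameter, `def self.wrap_with_ssl(io, tls_options = {}, hostname = nil)`, populated from `server[:connected_host]` in `setup_encryption`, so the SSL option hash is not overloaded with a non-OpenSSL key. Note also that `.merge` assumes `encryption` is a `Hash`; if a bare Symbol method is still accepted anywhere on the caller side this raises `NoMethodError` where the old line did not. Since `post_connection_check` in the third hunk only matches a name against whatever certificate the peer presented, it gives assurance only when `tls_options` also enables chain verification (`verify_mode: OpenSSL::SSL::VERIFY_PEER`); that dependency deserves a comment next to the new `if`. The body of `prepare_socket` begins above this hunk.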
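Review bot: Because `OpenSSL::SSL::SSLError` is already in the `rescue` list at the end of this hunk, a failed `post_connection_check` on one host is handled exactly like a connection failure: it is presumably collected into `errors` and the loop moves on to the next `hosts` entry, so a hostname mismatch only surfaces if every host fails (how `errors` is reported is outside the hunk). That is defensible for failover but should be stated on the changed `prepare_socket` line, e.g. `# connected_host feeds SSL hostname verification; an SSLError here (including a name mismatch) falls through to the next host`. Note too that `host` may be an IP literal, in which case the server certificate needs a matching IP subjectAltName for the check to pass. The changed line is also well past the usual line-length limit; splitting the `merge` arguments across lines would help readability.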