From 1981ab5b0f3e5ed6a5a99f739c06f25e23154cbd Mon Sep 17 00:00:00 2001 From: Tony Arcieri Date: Mon, 28 Dec 2020 06:29:28 -0800 Subject: [PATCH] Make SSL hostname verification default to on Following up on this comment: https://github.com/httprb/http/pull/634#pullrequestreview-559142562 The previous logic skipped hostname verification entirely if the `verify_hostname` method is not defined for `OpenSSL::SSL::SSLContext`, which is currently the case for JRuby. This commit changes the logic so if that method is undefined, hostname verification is still performed. Otherwise, hostname verification would always be skipped on Rubies which don't define a `verify_hostname` method. Note that this was *just* introduced in #634 which was merged 10 hours ago, so I think this was caught quickly enough simply correcting it suffices and there isn't additional security-related followup here (e.g. CVE) --- lib/http/timeout/null.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/http/timeout/null.rb b/lib/http/timeout/null.rb index bea83839..4628c4c7 100644 --- a/lib/http/timeout/null.rb +++ b/lib/http/timeout/null.rb @@ -36,7 +36,7 @@ def start_tls(host, ssl_socket_class, ssl_context) connect_ssl return unless ssl_context.verify_mode == OpenSSL::SSL::VERIFY_PEER - return unless ssl_context.respond_to?(:verify_hostname) && ssl_context.verify_hostname + return if ssl_context.respond_to?(:verify_hostname) && !ssl_context.verify_hostname @socket.post_connection_check(host) end
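Review bot: The new guard in `start_tls` fixes the inverted default (the old `return unless respond_to?(:verify_hostname) && verify_hostname` skipped `post_connection_check` whenever the method was missing), but the diff adds no spec covering that path; the commit message names JRuby as the Ruby where `OpenSSL::SSL::SSLContext#verify_hostname` is undefined, so a regression test with an SSL context double that does not respond to `:verify_hostname` and asserts that `@socket.post_connection_check(host)` is called would pin the corrected behaviour. Two smaller points on the same line: the `return if` now reads as an explicit opt-out (verification is skipped only when the context responds to `verify_hostname` and it is set to false), and a one-line comment saying so, e.g. `# Only skip the hostname check when the context explicitly disables it`, would stop a future reader from "simplifying" it back; and since this check is still gated on `verify_mode == OpenSSL::SSL::VERIFY_PEER` one line above, a `VERIFY_NONE` context skips hostname verification entirely, which is consistent with peer verification being off but worth stating in the method's documentation.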