lib/net/ldap/connection.rb in net-ldap-0.9.0 vs lib/net/ldap/connection.rb in net-ldap-0.10.0
- old
+ new
@@ -15,10 +15,12 @@
raise Net::LDAP::LdapError, "No such address or other socket error."
rescue Errno::ECONNREFUSED
raise Net::LDAP::LdapError, "Server #{server[:host]} refused connection on port #{server[:port]}."
rescue Errno::EHOSTUNREACH => error
raise Net::LDAP::LdapError, "Host #{server[:host]} was unreachable (#{error.message})"
+ rescue Errno::ETIMEDOUT
+ raise Net::LDAP::LdapError, "Connection to #{server[:host]} timed out."
end
if server[:encryption]
setup_encryption server[:encryption]
end
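Review bot: The new Errno::ETIMEDOUT handler discards the underlying error text, while the Errno::EHOSTUNREACH handler directly above it binds the exception and interpolates `error.message`; the two rescues should read alike so a timeout is as diagnosable as an unreachable host. Suggested form: `rescue Errno::ETIMEDOUT => error` followed by `raise Net::LDAP::LdapError, "Connection to #{server[:host]} timed out (#{error.message})."`. The enclosing begin/rescue block starts outside this hunk, so the remaining handlers were not reviewed.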
@@ -37,13 +39,19 @@
super
io.close
end
end
- def self.wrap_with_ssl(io)
+ def self.wrap_with_ssl(io, tls_options = {})
raise Net::LDAP::LdapError, "OpenSSL is unavailable" unless Net::LDAP::HasOpenSSL
+
ctx = OpenSSL::SSL::SSLContext.new
+
+ # By default, we do not verify certificates. For a 1.0 release, this should probably be changed at some point.
+ # See discussion in https://github.com/ruby-ldap/ruby-net-ldap/pull/161
+ ctx.set_params(tls_options) unless tls_options.empty?
+
conn = OpenSSL::SSL::SSLSocket.new(io, ctx)
conn.connect
# Doesn't work:
# conn.sync_close = true
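Review bot: `ctx.set_params(tls_options) unless tls_options.empty?` raises NoMethodError when tls_options is nil, and the `= {}` default does not protect against that because both call sites changed in the setup_encryption hunks below pass `args[:tls_options]` explicitly, which is nil whenever the caller configured only `:method`; unless the caller is known to normalize it to a hash, guard it with `ctx.set_params(tls_options) unless tls_options.nil? || tls_options.empty?`. Note also that skipping set_params on an empty hash is exactly what leaves the context at its no-verification default, since OpenSSL::SSL::SSLContext#set_params with no options applies DEFAULT_PARAMS including verify_mode VERIFY_PEER — the added comment should say so plainly, e.g. `# Calling set_params with no options would enable VERIFY_PEER; skipping it keeps the insecure default.` Even when a caller supplies verify_mode, set_params validates the chain but not the hostname, and wrap_with_ssl has no host to pass to `conn.post_connection_check`; a comment such as `# TODO: hostname is not verified here; callers must pass verify_hostname or check it themselves` would make that gap visible to users of the new option.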
@@ -81,11 +89,11 @@
# generously contributing the :start_tls path.
#++
def setup_encryption(args)
case args[:method]
when :simple_tls
- @conn = self.class.wrap_with_ssl(@conn)
+ @conn = self.class.wrap_with_ssl(@conn, args[:tls_options])
# additional branches requiring server validation and peer certs, etc.
# go here.
when :start_tls
message_id = next_msgid
request = [
@@ -98,10 +106,10 @@
if pdu.nil? || pdu.app_tag != Net::LDAP::PDU::ExtendedResponse
raise Net::LDAP::LdapError, "no start_tls result"
end
if pdu.result_code.zero?
- @conn = self.class.wrap_with_ssl(@conn)
+ @conn = self.class.wrap_with_ssl(@conn, args[:tls_options])
else
raise Net::LDAP::LdapError, "start_tls failed: #{pdu.result_code}"
end
else
raise Net::LDAP::LdapError, "unsupported encryption method #{args[:method]}"