Class: Mongo::Socket::SSL Private
Relationships & Source Files | |
Super Chains via Extension / Inclusion / Inheritance | |
Class Chain:
self,
::Mongo::Socket
|
|
Instance Chain:
self,
OpenSSL,
::Mongo::Socket ,
Socket::Constants
|
|
Inherits: |
Mongo::Socket
|
Defined in: | lib/mongo/socket/ssl.rb |
Overview
Wrapper for TLS sockets.
Constant Summary
::Mongo::Socket
- Inherited
DEFAULT_TCP_KEEPCNT, DEFAULT_TCP_KEEPIDLE, DEFAULT_TCP_KEEPINTVL, DEFAULT_TCP_USER_TIMEOUT, SSL_ERROR, TIMEOUT_ERROR, TIMEOUT_PACK, WRITE_CHUNK_SIZE
Class Method Summary
-
.new(host, port, host_name, timeout, family, options = {}) ⇒ SSL
constructor
Internal use only
Internal use only
Initializes a new TLS socket.
::Mongo::Socket
- Inherited
.new | Initializes common socket attributes. |
Instance Attribute Summary
- #context ⇒ SSLContext readonly Internal use only
- #host ⇒ String readonly Internal use only
- #host_name ⇒ String readonly Internal use only
- #port ⇒ Integer readonly Internal use only
- #verify_certificate? ⇒ Boolean readonly private Internal use only
- #verify_hostname? ⇒ Boolean readonly private Internal use only
- #verify_ocsp_endpoint? ⇒ Boolean readonly private Internal use only
::Mongo::Socket
- Inherited
Instance Method Summary
-
#readbyte ⇒ Object
Internal use only
Read a single byte from the socket.
-
#connect! ⇒ SSL
private
Internal use only
Establishes a socket connection.
- #create_context(options) private Internal use only
- #human_address private Internal use only
- #load_private_key(text, passphrase) private Internal use only
- #read_buffer_size private Internal use only
- #run_tls_context_hooks private Internal use only
- #set_cert(context, options) private Internal use only
- #set_cert_verification(context, options) private Internal use only
- #set_key(context, options) private Internal use only
- #verify_certificate!(socket) private Internal use only
- #verify_ocsp_endpoint!(socket) private Internal use only
::Mongo::Socket
- Inherited
#close | Close the socket. |
#connection_address, #connection_generation, | |
#gets | Delegates gets to the underlying socket. |
#read | Will read all data from the socket for the provided number of bytes. |
#readbyte | Read a single byte from the socket. |
#summary, | |
#write | Writes data to the socket instance. |
#allocate_string, | |
#do_write | Writes data to the socket instance. |
#human_address, #map_exceptions, #read_buffer_size, #read_from_socket, #set_keepalive_opts, #set_option, #set_socket_options, #unix_socket? |
Instance Attribute Details
#context ⇒ SSLContext
(readonly)
# File 'lib/mongo/socket/ssl.rb', line 122
attr_reader :context
#host ⇒ String
(readonly)
# File 'lib/mongo/socket/ssl.rb', line 125
attr_reader :host
#host_name ⇒ String
(readonly)
# File 'lib/mongo/socket/ssl.rb', line 128
attr_reader :host_name
#port ⇒ Integer
(readonly)
# File 'lib/mongo/socket/ssl.rb', line 131
attr_reader :port
#verify_certificate? ⇒ Boolean
(readonly, private)
# File 'lib/mongo/socket/ssl.rb', line 185
def verify_certificate? # If ssl_verify_certificate is not present, disable only if # ssl_verify is explicitly set to false. if [:ssl_verify_certificate].nil? [:ssl_verify] != false # If ssl_verify_certificate is present, enable or disable based on its value. else !! [:ssl_verify_certificate] end end
#verify_hostname? ⇒ Boolean
(readonly, private)
# File 'lib/mongo/socket/ssl.rb', line 196
def verify_hostname? # If ssl_verify_hostname is not present, disable only if ssl_verify is # explicitly set to false. if [:ssl_verify_hostname].nil? [:ssl_verify] != false # If ssl_verify_hostname is present, enable or disable based on its value. else !! [:ssl_verify_hostname] end end
#verify_ocsp_endpoint? ⇒ Boolean
(readonly, private)
# File 'lib/mongo/socket/ssl.rb', line 207
def verify_ocsp_endpoint? if ! [:ssl_verify_ocsp_endpoint].nil? [:ssl_verify_ocsp_endpoint] != false elsif ! [:ssl_verify_certificate].nil? [:ssl_verify_certificate] != false else [:ssl_verify] != false end end
Instance Method Details
#connect! ⇒ SSL
(private)
Note:
This method mutates the object by setting the socket internally.
Establishes a socket connection.
# File 'lib/mongo/socket/ssl.rb', line 144
def connect! Timeout.timeout( [:connect_timeout], Error::SocketTimeoutError, "The socket took over #{ [:connect_timeout]} seconds to connect") do map_exceptions do @tcp_socket.connect(::Socket.pack_sockaddr_in(port, host)) end @socket = OpenSSL::SSL::SSLSocket.new(@tcp_socket, context) begin @socket.hostname = @host_name @socket.sync_close = true map_exceptions do @socket.connect end verify_certificate!(@socket) verify_ocsp_endpoint!(@socket) rescue @socket.close @socket = nil raise end self end end
#create_context(options) (private)
# File 'lib/mongo/socket/ssl.rb', line 217
def create_context( ) OpenSSL::SSL::SSLContext.new.tap do |context| if OpenSSL::SSL.const_defined?(:OP_NO_RENEGOTIATION) context. = context. | OpenSSL::SSL::OP_NO_RENEGOTIATION end if context.respond_to?(:renegotiation_cb=) # Disable renegotiation for older Ruby versions per the sample code at # https://rubydocs.org/d/ruby-2-6-0/classes/OpenSSL/SSL/SSLContext.html # In JRuby we must allow one call as this callback is invoked for # the initial connection also, not just for renegotiations - # https://github.com/jruby/jruby-openssl/issues/180 if BSON::Environment.jruby? allowed_calls = 1 else allowed_calls = 0 end context.renegotiation_cb = lambda do |ssl| if allowed_calls <= 0 raise RuntimeError, 'Client renegotiation disabled' end allowed_calls -= 1 end end set_cert(context, ) set_key(context, ) if verify_certificate? context.verify_mode = OpenSSL::SSL::VERIFY_PEER set_cert_verification(context, ) else context.verify_mode = OpenSSL::SSL::VERIFY_NONE end if context.respond_to?(:verify_hostname=) # We manually check the hostname after the connection is established if necessary, so # we disable it here in order to give consistent errors across Ruby versions which # don't support hostname verification at the time of the handshake. context.verify_hostname = OpenSSL::SSL::VERIFY_NONE end end end
#human_address (private)
#load_private_key(text, passphrase) (private)
# File 'lib/mongo/socket/ssl.rb', line 320
def load_private_key(text, passphrase) args = if passphrase [text, passphrase] else [text] end # On JRuby, PKey.read does not grok cert+key bundles. # https://github.com/jruby/jruby-openssl/issues/176 if BSON::Environment.jruby? [OpenSSL::PKey::RSA, OpenSSL::PKey::DSA].each do |cls| begin return cls.send(:new, *args) rescue OpenSSL::PKey::PKeyError # ignore end end # Neither RSA nor DSA worked, fall through to trying PKey end OpenSSL::PKey.send(:read, *args) end
#read_buffer_size (private)
# File 'lib/mongo/socket/ssl.rb', line 378
def read_buffer_size # Buffer size for TLS reads. # Capped at 16k due to https://linux.die.net/man/3/ssl_read 16384 end
#readbyte ⇒ Object
Read a single byte from the socket.
# File 'lib/mongo/socket/ssl.rb', line 176
def readbyte map_exceptions do byte = socket.read(1).bytes.to_a[0] byte.nil? ? raise(EOFError) : byte end end
#run_tls_context_hooks (private)
# File 'lib/mongo/socket/ssl.rb', line 388
def run_tls_context_hooks Mongo.tls_context_hooks.each do |hook| hook.call(@context) end end
#set_cert(context, options) (private)
# File 'lib/mongo/socket/ssl.rb', line 261
def set_cert(context, ) # Since we clear cert_text during processing, we need to examine # ssl_cert_object here to avoid considering it if we have also # processed the text. if [:ssl_cert] cert_text = File.read( [:ssl_cert]) cert_object = nil elsif cert_text = [:ssl_cert_string] cert_object = nil else cert_object = [:ssl_cert_object] end # The client certificate may be a single certificate or a bundle # (client certificate followed by intermediate certificates). # The text may also include private keys for the certificates. # OpenSSL supports passing the entire bundle as a certificate chain # to the context via SSL_CTX_use_certificate_chain_file, but the # Ruby openssl extension does not currently expose this functionality # per https://github.com/ruby/openssl/issues/254. # Therefore, extract the individual certificates from the certificate # text, and if there is more than one certificate provided, use # extra_chain_cert option to add the intermediate ones. This # implementation is modeled after # https://github.com/venuenext/ruby-kafka/commit/9495f5daf254b43bc88062acad9359c5f32cb8b5. # Note that the parsing here is not identical to what OpenSSL employs - # for instance, if there is no newline between two certificates # this code will extract them both but OpenSSL fails in this situation. if cert_text certs = cert_text.scan(/-----BEGIN CERTIFICATE-----(?:.|\n)+?-----END CERTIFICATE-----/) if certs.length > 1 context.cert = OpenSSL::X509::Certificate.new(certs.shift) context.extra_chain_cert = certs.map do |cert| OpenSSL::X509::Certificate.new(cert) end # All certificates are already added to the context, skip adding # them again below. cert_text = nil end end if cert_text context.cert = OpenSSL::X509::Certificate.new(cert_text) elsif cert_object context.cert = cert_object end end
#set_cert_verification(context, options) (private)
# File 'lib/mongo/socket/ssl.rb', line 341
def set_cert_verification(context, ) context.verify_mode = OpenSSL::SSL::VERIFY_PEER cert_store = OpenSSL::X509::Store.new if [:ssl_ca_cert] cert_store.add_file( [:ssl_ca_cert]) elsif [:ssl_ca_cert_string] cert_store.add_cert(OpenSSL::X509::Certificate.new( [:ssl_ca_cert_string])) elsif [:ssl_ca_cert_object] raise TypeError("Option :ssl_ca_cert_object should be an array of OpenSSL::X509:Certificate objects") unless [:ssl_ca_cert_object].is_a? Array [:ssl_ca_cert_object].each {|cert| cert_store.add_cert(cert)} else cert_store.set_default_paths end context.cert_store = cert_store end
#set_key(context, options) (private)
# File 'lib/mongo/socket/ssl.rb', line 309
def set_key(context, ) passphrase = [:ssl_key_pass_phrase] if [:ssl_key] context.key = load_private_key(File.read( [:ssl_key]), passphrase) elsif [:ssl_key_string] context.key = load_private_key( [:ssl_key_string], passphrase) elsif [:ssl_key_object] context.key = [:ssl_key_object] end end
#verify_certificate!(socket) (private)
# File 'lib/mongo/socket/ssl.rb', line 357
def verify_certificate!(socket) if verify_hostname? unless OpenSSL::SSL.verify_certificate_identity(socket.peer_cert, host_name) raise Error::SocketError, 'TLS handshake failed due to a hostname mismatch.' end end end
#verify_ocsp_endpoint!(socket) (private)
# File 'lib/mongo/socket/ssl.rb', line 365
def verify_ocsp_endpoint!(socket) unless verify_ocsp_endpoint? return end cert = socket.peer_cert ca_cert = socket.peer_cert_chain.last verifier = OcspVerifier.new(@host_name, cert, ca_cert, context.cert_store, **Utils.shallow_symbolize_keys( )) verifier.verify_with_cache end