tls hostname verification (#125)

Co-authored-by: Uwe Kubosch <[email protected]>

Author: larsin

Diff for: lib/mqtt/client.rb

@@ -24,6 +24,9 @@ class Client
     # @see OpenSSL::SSL::SSLContext::METHODS
     attr_accessor :ssl
 
+    # Set to false to skip tls hostname verification
+    attr_accessor :verify_host
+
     # Time (in seconds) between pings to remote server (default is 15 seconds)
     attr_accessor :keep_alive
 
@@ -75,7 +78,8 @@ class Client
       :will_payload => nil,
       :will_qos => 0,
       :will_retain => false,
-      :ssl => false
+      :ssl => false,
+      :verify_host => true
     }
 
     # Create and connect a new MQTT Client
@@ -248,6 +252,8 @@ def connect(clientid = nil)
           @socket.hostname = @host if @socket.respond_to?(:hostname=)
 
           @socket.connect
+
+          @socket.post_connection_check(@host) if @verify_host
         else
           @socket = tcp_socket
         end

Diff for: mqtt.gemspec

@@ -29,8 +29,8 @@ Gem::Specification.new do |gem|
     gem.add_development_dependency 'rubocop',  '~> 1.45'
   elsif Gem.ruby_version > Gem::Version.new('2.0')
     gem.add_development_dependency 'bundler',  '>= 1.11.2'
-    gem.add_development_dependency 'rake',     '>= 10.2.2'
-    gem.add_development_dependency 'yard',     '>= 0.9.11'
+    gem.add_development_dependency 'rake',     '>= 12.3.3'
+    gem.add_development_dependency 'yard',     '>= 0.9.20'
     gem.add_development_dependency 'rspec',    '>= 3.5.0'
     gem.add_development_dependency 'simplecov','>= 0.9.2'
     gem.add_development_dependency 'rubocop',  '~> 0.48.0'

Diff for: spec/mqtt_client_spec.rb

@@ -442,6 +442,7 @@ def now
       it "should use ssl if it enabled using the :ssl => true parameter" do
         expect(OpenSSL::SSL::SSLSocket).to receive(:new).and_return(ssl_socket)
         expect(ssl_socket).to receive(:connect)
+        expect(ssl_socket).to receive(:post_connection_check).with('mqtt.example.com')
 
         client = MQTT::Client.new('mqtt.example.com', :ssl => true)
         allow(client).to receive(:receive_connack)
@@ -451,6 +452,7 @@ def now
       it "should use ssl if it enabled using the mqtts:// scheme" do
         expect(OpenSSL::SSL::SSLSocket).to receive(:new).and_return(ssl_socket)
         expect(ssl_socket).to receive(:connect)
+        expect(ssl_socket).to receive(:post_connection_check).with('mqtt.example.com')
 
         client = MQTT::Client.new('mqtts://mqtt.example.com')
         allow(client).to receive(:receive_connack)
@@ -460,6 +462,7 @@ def now
       it "should use set the SSL version, if the :ssl parameter is a symbol" do
         expect(OpenSSL::SSL::SSLSocket).to receive(:new).and_return(ssl_socket)
         expect(ssl_socket).to receive(:connect)
+        expect(ssl_socket).to receive(:post_connection_check).with('mqtt.example.com')
 
         client = MQTT::Client.new('mqtt.example.com', :ssl => :TLSv1)
         expect(client.ssl_context).to receive('ssl_version=').with(:TLSv1)
@@ -470,11 +473,21 @@ def now
       it "should use set hostname on the SSL socket for SNI" do
         expect(OpenSSL::SSL::SSLSocket).to receive(:new).and_return(ssl_socket)
         expect(ssl_socket).to receive(:hostname=).with('mqtt.example.com')
+        expect(ssl_socket).to receive(:post_connection_check).with('mqtt.example.com')
 
         client = MQTT::Client.new('mqtts://mqtt.example.com')
         allow(client).to receive(:receive_connack)
         client.connect
       end
+
+      it "should skip host verification" do
+        expect(OpenSSL::SSL::SSLSocket).to receive(:new).and_return(ssl_socket)
+        expect(ssl_socket).to receive(:connect)
+
+        client = MQTT::Client.new('mqtt.example.com', :ssl => true, :verify_host => false)
+        allow(client).to receive(:receive_connack)
+        client.connect
+      end
     end
 
     context "with a last will and testament set" do