tls hostname verification

see njh#125

Author: ccutrer

lib/mqtt/client.rb

@@ -26,6 +26,9 @@ class Client
     # @see OpenSSL::SSL::SSLContext::METHODS
     attr_accessor :ssl
 
+    # Set to false to skip tls hostname verification
+    attr_accessor :verify_host
+
     # Time (in seconds) between pings to remote server (default is 15 seconds)
     attr_accessor :keep_alive
 
@@ -91,7 +94,8 @@ class Client
       will_payload: nil,
       will_qos: 0,
       will_retain: false,
-      ssl: false
+      ssl: false,
+      verify_host: true
     }.freeze
 
     # Create and connect a new MQTT Client
@@ -505,6 +509,8 @@ def connect_internal
         @socket.hostname = @host if @socket.respond_to?(:hostname=)
 
         @socket.connect
+
+        @socket.post_connection_check(@host) if @verify_host
       else
         @socket = tcp_socket
       end

spec/mqtt/client_spec.rb

@@ -404,6 +404,7 @@
       it "uses ssl if it enabled using the ssl: true parameter" do
         expect(OpenSSL::SSL::SSLSocket).to receive(:new).and_return(ssl_socket)
         expect(ssl_socket).to receive(:connect)
+        expect(ssl_socket).to receive(:post_connection_check).with("mqtt.example.com")
 
         client = MQTT::Client.new("mqtt.example.com", ssl: true)
         allow(client).to receive(:receive_connack)
@@ -413,6 +414,7 @@
       it "uses ssl if it enabled using the mqtts:// scheme" do
         expect(OpenSSL::SSL::SSLSocket).to receive(:new).and_return(ssl_socket)
         expect(ssl_socket).to receive(:connect)
+        expect(ssl_socket).to receive(:post_connection_check).with("mqtt.example.com")
 
         client = MQTT::Client.new("mqtts://mqtt.example.com")
         allow(client).to receive(:receive_connack)
@@ -422,6 +424,7 @@
       it "uses set the SSL version, if the :ssl parameter is a symbol" do
         expect(OpenSSL::SSL::SSLSocket).to receive(:new).and_return(ssl_socket)
         expect(ssl_socket).to receive(:connect)
+        expect(ssl_socket).to receive(:post_connection_check).with("mqtt.example.com")
 
         client = MQTT::Client.new("mqtt.example.com", ssl: :TLSv1)
         expect(client.ssl_context).to receive("ssl_version=").with(:TLSv1)
@@ -432,11 +435,21 @@
       it "uses set hostname on the SSL socket for SNI" do
         expect(OpenSSL::SSL::SSLSocket).to receive(:new).and_return(ssl_socket)
         expect(ssl_socket).to receive(:hostname=).with("mqtt.example.com")
+        expect(ssl_socket).to receive(:post_connection_check).with("mqtt.example.com")
 
         client = MQTT::Client.new("mqtts://mqtt.example.com")
         allow(client).to receive(:receive_connack)
         client.connect
       end
+
+      it "skips host verification" do
+        expect(OpenSSL::SSL::SSLSocket).to receive(:new).and_return(ssl_socket)
+        expect(ssl_socket).to receive(:connect)
+
+        client = MQTT::Client.new("mqtt.example.com", ssl: true, verify_host: false)
+        allow(client).to receive(:receive_connack)
+        client.connect
+      end
     end
 
     context "with a last will and testament set" do