From 8e1bd116d6e8e20cc3dfb1409247e52d5b8243ec Mon Sep 17 00:00:00 2001 From: Hiroshi Hatake Date: Wed, 29 Jul 2020 15:47:39 +0900 Subject: [PATCH 1/3] Handle Net::HTTP#verify_hostname in SSL Context Signed-off-by: Hiroshi Hatake --- lib/net/http/persistent.rb | 29 +++++++++++++++++++++++++++++ test/test_net_http_persistent.rb | 16 ++++++++++++++++ 2 files changed, 45 insertions(+) diff --git a/lib/net/http/persistent.rb b/lib/net/http/persistent.rb index 4a54118..0576cb8 100644 --- a/lib/net/http/persistent.rb +++ b/lib/net/http/persistent.rb @@ -73,6 +73,8 @@ # #verify_callback :: For server certificate verification # #verify_depth :: Depth of certificate verification # #verify_mode :: How connections should be verified +# #verify_hostname :: Use hostname verification for server certificate +# during the handshake # # == Proxies # @@ -447,6 +449,21 @@ def self.detect_idle_timeout uri, max = 10 attr_reader :verify_mode + ## + # HTTPS verify_hostname. + # + # If a client sets this to true and enables SNI with SSLSocket#hostname=, + # the hostname verification on the server certificate is performed + # automatically during the handshake using + # OpenSSL::SSL.verify_certificate_identity(). + # + # You can set +verify_hostname+ as true to use hostname verification + # during the handshake. + # + # NOTE: This may work with Ruby > 2.8. + + attr_reader :verify_hostname + ## # Creates a new Net::HTTP::Persistent. # @@ -506,6 +523,7 @@ def initialize name: nil, proxy: nil, pool_size: DEFAULT_POOL_SIZE @verify_callback = nil @verify_depth = nil @verify_mode = nil + @verify_hostname = nil @cert_store = nil @generation = 0 # incremented when proxy URI changes 
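Review bot: The comment on the new `attr_reader :verify_hostname` describes OpenSSL internals (`SSLSocket#hostname=`, `verify_certificate_identity`) but omits the two facts a user of this gem actually needs: the check only has an effect when `verify_mode` is `VERIFY_PEER`, and, per the `ssl` hunk in this same patch, the value is forwarded only when the underlying net/http responds to `verify_hostname=` and is otherwise dropped silently. I would replace the first two paragraphs of the comment with `# When true, the server certificate is checked against the requested host name during the TLS handshake. Only meaningful together with verify_mode VERIFY_PEER; on a net/http without verify_hostname= the setting is ignored (see #ssl).` The "Ruby > 2.8" note is already corrected by the third patch in this series, so I am not raising it here.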
@@ -965,6 +983,8 @@ def ssl connection connection.verify_depth = @verify_depth connection.verify_mode = @verify_mode + connection.verify_hostname = @verify_hostname if + @verify_hostname && connection.respond_to?(:verify_hostname=) if OpenSSL::SSL::VERIFY_PEER == OpenSSL::SSL::VERIFY_NONE and not Object.const_defined?(:I_KNOW_THAT_OPENSSL_VERIFY_PEER_EQUALS_VERIFY_NONE_IS_WRONG) then @@ -1073,6 +1093,15 @@ def verify_mode= verify_mode reconnect_ssl end + ## + # Sets the HTTPS verify_hostname. Defaults to false. + + def verify_hostname= verify_hostname + @verify_hostname = verify_hostname + + reconnect_ssl + end + ## # SSL verification callback. diff --git a/test/test_net_http_persistent.rb b/test/test_net_http_persistent.rb index f393950..83cb1bf 100644 --- a/test/test_net_http_persistent.rb +++ b/test/test_net_http_persistent.rb @@ -1249,6 +1249,7 @@ def test_ssl assert_equal OpenSSL::SSL::VERIFY_PEER, c.verify_mode assert_kind_of OpenSSL::X509::Store, c.cert_store assert_nil c.verify_callback + assert_nil c.verify_hostname if c.respond_to?(:verify_hostname) end def test_ssl_ca_file @@ -1332,6 +1333,21 @@ def test_ssl_verify_mode assert_equal OpenSSL::SSL::VERIFY_NONE, c.verify_mode end + def test_ssl_verify_hostname + skip 'OpenSSL is missing' unless HAVE_OPENSSL + + @http.verify_hostname = true + c = Net::HTTP.new 'localhost', 80 + + skip 'net/http doesn\'t provide verify_hostname= method' unless + c.respond_to?(:verify_hostname=) + + @http.ssl c + + assert c.use_ssl? + assert c.verify_hostname + end + def test_ssl_warning skip 'OpenSSL is missing' unless HAVE_OPENSSL From f786454f8ba4a274f8e56e50c7bc9fc17badd309 Mon Sep 17 00:00:00 2001 From: Hiroshi Hatake Date: Thu, 30 Jul 2020 11:27:32 +0900 Subject: [PATCH 2/3] Fix alignment Signed-off-by: Hiroshi Hatake --- lib/net/http/persistent.rb | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/net/http/persistent.rb b/lib/net/http/persistent.rb index 0576cb8..f2d9313 100644 
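Review bot: In `ssl`, when a caller has set `verify_hostname = true` but the running net/http has no `verify_hostname=` (the `respond_to?` guard on the two added lines fails), the request for hostname verification is dropped without any signal and the connection is still established, so the caller believes hostname checking is on when it is not. I would warn in that case rather than stay silent, in the same spirit as the existing `VERIFY_PEER == VERIFY_NONE` warning a few lines further down. Separately, an explicit `false` is never forwarded because the condition requires a truthy value; if that is intentional it should be stated on the setter, otherwise forward every non-nil value. The body of `ssl` starts and ends outside this hunk; proposed replacement for the two added lines:
```ruby
connection.verify_mode = @verify_mode
if connection.respond_to?(:verify_hostname=) then
  connection.verify_hostname = @verify_hostname if @verify_hostname
elsif @verify_hostname then
  # hostname verification was requested but this net/http cannot perform it
  warn 'net-http-persistent: verify_hostname is not supported by this ' \
       'net/http; the server certificate host name will not be checked'
end
# … unchanged: VERIFY_PEER == VERIFY_NONE sanity check …
```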
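Review bot: The doc on the new `verify_hostname=` says "Defaults to false", but `initialize` sets `@verify_hostname = nil` and `ssl` pushes only truthy values to the connection, so when unset the connection keeps net/http's own default rather than false (on Ruby 3.x that default appears to be hostname verification enabled, which is worth confirming before documenting). I would reword it to `# Sets the HTTPS verify_hostname. Leave nil to keep net/http's default; only a true value is pushed to the connection, and it has no effect unless verify_mode is VERIFY_PEER.` The `reconnect_ssl` call matches the other SSL setters in this file and is fine.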
--- a/lib/net/http/persistent.rb +++ b/lib/net/http/persistent.rb @@ -981,8 +981,8 @@ def ssl connection connection.min_version = @min_version if @min_version connection.max_version = @max_version if @max_version - connection.verify_depth = @verify_depth - connection.verify_mode = @verify_mode + connection.verify_depth = @verify_depth + connection.verify_mode = @verify_mode connection.verify_hostname = @verify_hostname if @verify_hostname && connection.respond_to?(:verify_hostname=) From 123f97da47f46fbae95d0439a4305f2ea9dc487e Mon Sep 17 00:00:00 2001 From: Hiroshi Hatake Date: Fri, 4 Feb 2022 09:51:35 +0900 Subject: [PATCH 3/3] Fix a comment for Ruby version note Signed-off-by: Hiroshi Hatake --- lib/net/http/persistent.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/net/http/persistent.rb b/lib/net/http/persistent.rb index f2d9313..7c9b8a8 100644 --- a/lib/net/http/persistent.rb +++ b/lib/net/http/persistent.rb @@ -460,7 +460,7 @@ def self.detect_idle_timeout uri, max = 10 # You can set +verify_hostname+ as true to use hostname verification # during the handshake. # - # NOTE: This may work with Ruby > 2.8. + # NOTE: This works with Ruby > 3.0. attr_reader :verify_hostname
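Review bot: `NOTE: This works with Ruby > 3.0.` reads as strictly greater than 3.0, which would exclude 3.0 itself; if `Net::HTTP#verify_hostname=` is present in 3.0 (please confirm against the net/http history), the precise wording is `# NOTE: Requires a net/http with verify_hostname= (Ruby >= 3.0); on older versions the setting is ignored.` Stating the ignored-on-older-versions behaviour here matters more than the exact version, since that is the case where a caller silently gets less verification than requested. This is a comment-only change, so no code is affected either way.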