Verify hostname by default

headius · headius · commit b1fc5d645c0d · 2025-05-07T11:04:43.000-05:00
This was disabled years ago while we were adding support for it, but it has been working for some time now. This patch re-enables hostname verification by default. This addresses CVE-2025-46551 and GHSA-72qj-48g4-5xgx. Users can work around this by applying this patch manually to their own jruby-openssl and jruby installs, or by re-enabling hostname verification with the following code early in application boot: ```ruby require 'openssl' OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:verify_hostname] = true ```
diff --git a/lib/openssl/ssl.rb b/lib/openssl/ssl.rb
@@ -20,7 +20,7 @@ class SSLContext
       DEFAULT_PARAMS = { # :nodoc:
         :min_version => OpenSSL::SSL::TLS1_VERSION,
         :verify_mode => OpenSSL::SSL::VERIFY_PEER,
-        :verify_hostname => nil, # TODO => true needs JRuby support to call verify_certificate_identity
+        :verify_hostname => true,
         :options => OpenSSL::SSL::OP_ALL | OpenSSL::SSL::OP_NO_COMPRESSION
       }
 

Original file line number	Diff line number	Diff line change
`@@ -20,7 +20,7 @@ class SSLContext`
`20`	`20`	`DEFAULT_PARAMS = { # :nodoc:`
`21`	`21`	`:min_version => OpenSSL::SSL::TLS1_VERSION,`
`22`	`22`	`:verify_mode => OpenSSL::SSL::VERIFY_PEER,`
`23`		`- :verify_hostname => nil, # TODO => true needs JRuby support to call verify_certificate_identity`
	`23`	`+ :verify_hostname => true,`
`24`	`24`	`:options => OpenSSL::SSL::OP_ALL \| OpenSSL::SSL::OP_NO_COMPRESSION`
`25`	`25`	`}`
`26`	`26`