author | Michael Kozono <mkozono@gmail.com> | 2017-06-08 16:57:13 -0700 |
---|---|---|
committer | Michael Kozono <mkozono@gmail.com> | 2017-07-26 02:43:34 -0700 |
commit | dcc12505aa121f809f6cf64fa7a68cc5457aca31 (patch) | |
tree | 6c56ebf243fb57e62788f97df7ea542bd43267d3 /lib | |
parent | b67c007842ba42d2ed1cf1d8879a220a1b9906f9 (diff) | |
Set `Net::LDAP` `ca_file` option
Diffstat (limited to 'lib')
-rw-r--r-- | lib/gitlab/ldap/config.rb | 20 |
1 files changed, 15 insertions, 5 deletions
diff --git a/lib/gitlab/ldap/config.rb b/lib/gitlab/ldap/config.rb
index 383e0a09e42..983c79a6364 100644
--- a/lib/gitlab/ldap/config.rb
+++ b/lib/gitlab/ldap/config.rb
@@ -179,11 +179,21 @@ module Gitlab
 end
 def tls_options(method)
- if method && options['verify_certificates']
- OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
- else
- { verify_mode: OpenSSL::SSL::VERIFY_NONE }
- end
+ return { verify_mode: OpenSSL::SSL::VERIFY_NONE } unless method
+
+ opts = if options['verify_certificates']
+ OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
+ else
+ # It is important to explicitly set verify_mode for two reasons:
+ # 1. The behavior of OpenSSL is undefined when verify_mode is not set.
+ # 2. The net-ldap gem implementation verifies the certificate hostname
+ # unless verify_mode is set to VERIFY_NONE.
+ { verify_mode: OpenSSL::SSL::VERIFY_NONE }
+ end
+
+ opts[:ca_file] = options['ca_file'] if options['ca_file'].present?
+
+ opts
 end
 def auth_options |
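Review bot: In the `verify_certificates` branch of `tls_options`, `opts` is the shared `OpenSSL::SSL::SSLContext::DEFAULT_PARAMS` constant itself, so `opts[:ca_file] = options['ca_file']` writes the LDAP CA path into the process-wide defaults rather than into a per-connection hash. If that hash is not frozen, later TLS contexts built from the defaults (anything that goes through `set_params`) would presumably inherit this `ca_file` and could stop falling back to the system trust store; if it is frozen, the assignment raises instead. Copy the defaults before modifying them: `OpenSSL::SSL::SSLContext::DEFAULT_PARAMS.dup`. A short comment on the `ca_file` line noting that the setting has no effect on verification when `verify_mode` is `VERIFY_NONE` would also help the next reader.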