implement proper hostname verification

with ruby < 2.4 support

see ruby/openssl#60

Author: glaszig

README.md

@@ -182,12 +182,13 @@ You can also enable SSL without a certificate:
 LogStashLogger.new(type: :tcp, port: 5228, ssl_enable: true)
 ```
 
-You can also specify an SSL context. This can be used to disable host verification.
+Specify an SSL context to have more control over the behavior. For example,
+set the verify mode:
 
 ```ruby
 ctx = OpenSSL::SSL::SSLContext.new
 ctx.set_params(verify_mode: OpenSSL::SSL::VERIFY_NONE)
-LogStashLogger.new(type: :tcp, port: 5228, ssl_enable: true, ssl_context: ctx)
+LogStashLogger.new(type: :tcp, port: 5228, ssl_context: ctx)
 ```
 
 The following Logstash configuration is required for SSL:
@@ -205,6 +206,45 @@ input {
 }
 ```
 
+### Hostname Validation
+
+Ruby 2.4.0 will validate the hostname upon connection when configuring the SSL
+context with `:verify_mode`, `:verify_hostname` and
+`OpenSSL::SSL::SSLSocket#hostname=`.
+
+LogStashLogger will set `OpenSSL::SSL::SSLSocket#hostname` to the value of
+`:verify_hostname`.
+
+
+
+```ruby
+ctx_params = {
+  cert:            '/path/to/cert.pem',
+  verify_mode:     OpenSSL::SSL::VERIFY_PEER,
+  verify_hostname: true
+}
+ctx = OpenSSL::SSL::SSLContext.new
+ctx.set_params(ctx_params)
+
+LogStashLogger.new(type: :tcp, port: 5228, ssl_context: ctx, verify_hostname: 'www.example.com')
+```
+
+To have LogStashLogger perform hostname validation with older Ruby versions:
+
+```ruby
+ctx_params = {
+  cert:        '/path/to/cert.pem',
+  verify_mode: OpenSSL::SSL::VERIFY_PEER
+}
+ctx = OpenSSL::SSL::SSLContext.new
+ctx.set_params(ctx_params)
+
+LogStashLogger.new(type: :tcp, port: 5228, ssl_context: ctx, verify_hostname: 'www.example.com')
+```
+
+If you supply a falsey value to `:verify_hostname`, hostname validation will be
+skipped.
+
 ## Custom Log Fields
 
 `LogStashLogger` by default will log a JSON object with the format below.

lib/logstash-logger/device/tcp.rb

@@ -12,6 +12,7 @@ def initialize(opts)
         @ssl_context = opts.fetch(:ssl_context, nil)
         @use_ssl = !!(@ssl_certificate || opts[:ssl_context])
         @use_ssl = opts[:ssl_enable] if opts.has_key? :ssl_enable
+        @verify_hostname = opts.fetch(:verify_hostname, true)
       end
 
       def ssl_context
@@ -44,10 +45,10 @@ def non_ssl_connect
       def ssl_connect
         non_ssl_connect
         @io = OpenSSL::SSL::SSLSocket.new(@io, ssl_context)
+        # support ruby 2.4.0+ hostname validation
+        @io.hostname = hostname if @io.respond_to?(:hostname=)
         @io.connect
-        if ssl_context && ssl_context.verify_mode != OpenSSL::SSL::VERIFY_NONE
-          @io.post_connection_check(@host)
-        end
+        verify_hostname!
       end
 
       def certificate_context
@@ -56,6 +57,23 @@ def certificate_context
           ctx.set_params(cert: @ssl_certificate)
         end
       end
+
+      def verify_hostname?
+        return false unless ssl_context
+        !! @verify_hostname
+      end
+
+      def verify_hostname!
+        @io.post_connection_check(hostname) if verify_hostname?
+      end
+
+      def hostname
+        if String === @verify_hostname
+          @verify_hostname
+        else
+          @host
+        end
+      end
     end
   end
 end

spec/device/tcp_spec.rb

@@ -37,21 +37,45 @@
       expect(ssl_tcp_device.use_ssl?).to be_truthy
     end
 
-    context 'with a provided SSL context' do
+    context 'hostname validation' do
       let(:ssl_context) { double('test_ssl_context', verify_mode: OpenSSL::SSL::VERIFY_PEER) }
-      let(:ssl_tcp_device) { LogStashLogger::Device.new(type: :tcp, port: port, sync: true, ssl_context: ssl_context) }
+      let(:ssl_tcp_options) { { type: :tcp, port: port, sync: true, ssl_context: ssl_context } }
 
-      it "checks ssl certificate validity" do
-        expect(ssl_socket).to receive(:post_connection_check).with(HOST)
-        ssl_tcp_device.connect
+      context 'is enabled by default' do
+        let(:ssl_tcp_device) { LogStashLogger::Device.new(ssl_tcp_options) }
+
+        it 'validates' do
+          expect(ssl_tcp_device.send(:verify_hostname?)).to be_truthy
+          expect(ssl_socket).to receive(:post_connection_check).with HOST
+          ssl_tcp_device.connect
+        end
       end
 
-      it "does not check host validity of certificate" do
-        expect(ssl_context).to receive(:verify_mode) { OpenSSL::SSL::VERIFY_NONE }
-        expect(ssl_socket).not_to receive(:post_connection_check).with(HOST)
-        ssl_tcp_device.connect
+      context 'is disabled explicitly' do
+        let(:ssl_tcp_device) { LogStashLogger::Device.new(ssl_tcp_options.merge(verify_hostname: false)) }
+
+        it 'does not validate' do
+          expect(ssl_tcp_device.send(:verify_hostname?)).to be_falsey
+          expect(ssl_socket).not_to receive(:post_connection_check)
+          ssl_tcp_device.connect
+        end
       end
 
+      context 'is implicitly enabled by providing a hostname' do
+        let(:hostname) { 'www.example.com' }
+        let(:ssl_tcp_device) { LogStashLogger::Device.new(ssl_tcp_options.merge(verify_hostname: hostname)) }
+
+        it 'validates with supplied hostname' do
+          expect(ssl_socket).to receive(:post_connection_check).with hostname
+          ssl_tcp_device.connect
+        end
+      end
+    end
+
+    context 'with a provided SSL context' do
+      let(:ssl_context) { double('test_ssl_context', verify_mode: OpenSSL::SSL::VERIFY_PEER) }
+      let(:ssl_tcp_device) { LogStashLogger::Device.new(type: :tcp, port: port, sync: true, ssl_context: ssl_context) }
+
       it 'creates the socket using that context' do
         expect(OpenSSL::SSL::SSLSocket).to receive(:new).with(tcp_socket, ssl_context)
         ssl_tcp_device.connect