CVE-2015-1828: HTTPS MitM vulnerability in http.rb

Tony Arcieri

Mar 24, 2015, 10:51:46 PM
to htt...@googlegroups.com, rubysec-...@googlegroups.com, moder...@osvdb.org

Affected versions: all
Fixed versions: 0.7.3

http.rb failed to call the OpenSSL::SSL::SSLSocket#post_connection_check method to perform hostname verification. Because of this, an attacker with a valid certificate but with a mismatched subject can perform a MitM attack.

The problem was corrected by calling #post_connection_check.

Additionally I have filed this ticket upstream with Ruby OpenSSL to make this API less confusing and error-prone:

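The failure mode described in the advisory, as an added example that is not http.rb's own code: a TLS handshake with `VERIFY_PEER` validates only the certificate chain, and the name check happens only when the caller invokes `#post_connection_check`. The certificate, the hostnames `good.example` and `victim.example`, and the helper `handshake_then_check` are constructed for this illustration.

```ruby
require "openssl"
require "socket"

# Constructed test identity: a self-signed certificate valid only for CERT_NAME.
CERT_NAME = "good.example" # hypothetical hostname
KEY = OpenSSL::PKey::RSA.new(2048)
CERT = OpenSSL::X509::Certificate.new.tap do |c|
  c.version, c.serial = 2, 1
  c.subject = c.issuer = OpenSSL::X509::Name.parse("/CN=#{CERT_NAME}")
  c.public_key = KEY.public_key
  c.not_before, c.not_after = Time.now - 60, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(c, c)
  c.add_extension(ef.create_extension("subjectAltName", "DNS:#{CERT_NAME}"))
  c.sign(KEY, OpenSSL::Digest.new("SHA256"))
end

# Handshakes with a local server presenting CERT, then runs the hostname check
# for the name the client meant to reach. Returns [chain_ok, hostname_result].
def handshake_then_check(intended_host)
  server_ctx = OpenSSL::SSL::SSLContext.new
  server_ctx.cert, server_ctx.key = CERT, KEY
  tcp = TCPServer.new("127.0.0.1", 0)
  server = OpenSSL::SSL::SSLServer.new(tcp, server_ctx)
  thread = Thread.new do
    conn = server.accept
    conn.gets # block until the client closes
    conn.close
  rescue OpenSSL::SSL::SSLError, SystemCallError
    nil # teardown races do not matter for the demonstration
  end

  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER # chain validation only
  ctx.cert_store = OpenSSL::X509::Store.new.add_cert(CERT)
  ssl = OpenSSL::SSL::SSLSocket.new(TCPSocket.new("127.0.0.1", tcp.addr[1]), ctx)
  ssl.sync_close = true
  ssl.connect # succeeds whatever name the caller intended
  chain_ok = ssl.verify_result == OpenSSL::X509::V_OK
  begin
    ssl.post_connection_check(intended_host) # the call the fix added
    [chain_ok, :hostname_ok]
  rescue OpenSSL::SSL::SSLError
    [chain_ok, :hostname_mismatch]
  end
ensure
  ssl&.close
  thread&.join
  tcp&.close
end
```

In both calls the handshake itself completes; only the explicit check distinguishes the certificate's own name from a mismatched one.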