Modify parameters to reflect set_params hash

By default, we don't set any parameters (empty or no :tls_options). If
the hash is non-empty, we pass it directly to set_params and use the
resulting context for creating the TLS socket.

Author: sonOfRa

lib/net/ldap.rb

@@ -560,20 +560,29 @@ def authenticate(username, password)
   # communcations with the LDAP server. With the exception that it operates
   # over the standard TCP port.
   #
-  # In order to allow verification of server certificates and other TLS-related
-  # options, the keys :cafile and :ssl_context can be used.
-  #
-  # The :cafile option  is a single filename that points to one or more
-  # PEM-encoded certificates. These certificates are used as a certificate auhority
-  # to verify the server certificates.
-  #
-  # For fine-grained control of the TLS settings, it is also possible to use the
-  # :ssl_context option to pass a custom OpenSSL::SSL::SSLContext. Consult the
-  # OpenSSL documentation for more information on the available options.
+  # In order to verify certificates and enable other TLS options, the
+  # :tls_options hash can be passed alongside :simple_tls or :start_tls.
+  # This hash contains any options that can be passed to
+  # OpenSSL::SSL::SSLContext#set_params(). The most common options passed
+  # should be OpenSSL::SSL::SSLContext::DEFAULT_PARAMS, or the :ca_file option,
+  # which contains a path to a Certificate Authority file (PEM-encoded).
+  #
+  # Example for a default setup without custom settings:
+  #   {
+  #     :method => :simple_tls,
+  #     :tls_options => OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
+  #   }
+  #
+  # Example for specifying a CA-File and only allowing TLSv1.1 connections:
+  #
+  #   {
+  #     :method => :start_tls,
+  #     :tls_options => { :ca_file => "/etc/cafile.pem", :ssl_version => "TLSv1_1" }
+  #   }
   def encryption(args)
     case args
     when :simple_tls, :start_tls
-      args = { :method => args }
+      args = { :method => args, :tls_options => {} }
     end
     @encryption = args
   end

lib/net/ldap/connection.rb

@@ -41,19 +41,11 @@ def close
     end
   end
 
-  def self.wrap_with_ssl(io, ssl_context = nil, cafile = nil)
+  def self.wrap_with_ssl(io, tls_options = {})
     raise Net::LDAP::LdapError, "OpenSSL is unavailable" unless Net::LDAP::HasOpenSSL
-    if (ssl_context && cafile)
-      raise Net::LDAP::LdapError, "Please specify only one of ssl_context or cafile"
-    end
-
-    ctx = ssl_context ? ssl_context : OpenSSL::SSL::SSLContext.new
 
-    # OpenSSL automatically merges the given parameters with the default parameters
-    # These include verification and some common workarounds
-    if cafile
-      ctx.set_params({:ca_file => cafile})
-    end
+    ctx = OpenSSL::SSL::SSLContext.new
+    ctx.set_params(tls_options) unless tls_options.empty?
 
     conn = OpenSSL::SSL::SSLSocket.new(io, ctx)
     conn.connect
@@ -96,7 +88,7 @@ def self.wrap_with_ssl(io, ssl_context = nil, cafile = nil)
   def setup_encryption(args)
     case args[:method]
     when :simple_tls
-      @conn = self.class.wrap_with_ssl(@conn, args[:ssl_context], args[:cafile])
+      @conn = self.class.wrap_with_ssl(@conn, args[:tls_options])
       # additional branches requiring server validation and peer certs, etc.
       # go here.
     when :start_tls
@@ -113,7 +105,7 @@ def setup_encryption(args)
       end
 
       if pdu.result_code.zero?
-        @conn = self.class.wrap_with_ssl(@conn, args[:ssl_context], args[:cafile])
+        @conn = self.class.wrap_with_ssl(@conn, args[:tls_options])
       else
         raise Net::LDAP::LdapError, "start_tls failed: #{pdu.result_code}"
       end

test/test_ldap_connection.rb

@@ -202,7 +202,7 @@ def test_queued_read_setup_encryption_with_start_tls
       and_return(result2)
     mock.should_receive(:write)
     conn = Net::LDAP::Connection.new(:socket => mock)
-    flexmock(Net::LDAP::Connection).should_receive(:wrap_with_ssl).with(mock, nil, nil).
+    flexmock(Net::LDAP::Connection).should_receive(:wrap_with_ssl).with(mock, nil).
       and_return(mock)
 
     conn.next_msgid # simulates ongoing query