Ruby NATS client doesn't verify hostname when connecting over TLS

[pivotal-jamil-shamy]

Scenario:
1- Create a Custom CA certificate
2- Create the NATS server certificate (signed by the above CA). Make sure to set the CommonName and SAN of the NATS server certificate to something random, for example nats-is-amazing.com
3- Start the NATS server (TLS enabled) with the generated cert, and bind it to 127.0.0.1
4- Using Ruby NATS client connect to the server over 127.0.0.1

Actual:
The Ruby NATS client successfully connects to the server

Expectation:
We expect the TLS handshake to fail since the server certificate was signed for nats-is-amazing.com

Is there a way of forcing host name checking during the TLS handshake?

Thanks in advance.

[wallyqs]

Still limited to what Eventmachine supports here (eventmachine/eventmachine#814 | faye/faye-websocket-ruby#101 (comment)) so not possible yet. The Pure Ruby NATS client that does not depend on EM does support passing a SSL context directly already so host verification is feasible since ruby/openssl supports it (ruby/openssl#60).

Example: https://github.com/wallyqs/pure-ruby-nats/blob/d01960d909559978e56d9d242870301fc77c8930/examples/basic-tls.rb#L11-L34

[pivotal-jamil-shamy]

@wallyqs thanks for the info.