in lib/elastic/transport/client.rb [197:221]
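# Checks every pooled connection against the configured CA fingerprint.
#
# For each connection not yet marked verified, a short-lived TLS probe is opened
# to the host. Each certificate of the presented chain is hashed (SHA-256 over
# its DER encoding) and at least one digest must equal +@ca_fingerprint+, with
# colons and letter case ignored. On success the connection is flagged verified
# and is skipped on later calls.
#
# Security notes for maintainers:
# - The probe context is a bare SSLContext with no verify_mode or trust store
#   set in this method, so the fingerprint comparison is the only
#   authentication the probe performs.
# - Any certificate in the presented chain may satisfy the pin, the leaf
#   included; the code does not require the match to be a CA certificate.
# - The pin is checked on this probe socket, not on the connection later used
#   for requests. NOTE(review): confirm the request path enforces TLS
#   verification on its own; `verified` is set once and never re-checked here.
# - No SNI hostname and no connect/handshake timeout are set on the probe.
#   NOTE(review): confirm whether hosts behind name-based TLS routing need
#   `ssl.hostname` and whether a hung host should be allowed to block here.
#
# @raise [Elastic::Transport::Transport::Error] if a connection is not https, or
#   if no certificate in the presented chain matches the fingerprint
# @return the connection list that was iterated (the result of +each+)
def validate_ca_fingerprints
  transport.connections.connections.each do |connection|
    unless connection.host[:scheme] == 'https'
      raise Elastic::Transport::Transport::Error, 'CA fingerprinting can\'t be configured over http'
    end
    next if connection.verified

    ctx = OpenSSL::SSL::SSLContext.new
    socket = TCPSocket.new(connection.host[:host], connection.host[:port])
    begin
      ssl = OpenSSL::SSL::SSLSocket.new(socket, ctx)
      ssl.connect
      # peer_cert_chain can be nil when the peer presented no certificate;
      # treat that as an empty chain so the check fails closed below.
      chain = ssl.peer_cert_chain || []
    ensure
      # The probe exists only to read the chain: always release both the TLS
      # session and the TCP socket, including when the handshake raises.
      ssl&.close
      socket.close unless socket.closed?
    end

    # Normalise the configured value once per connection instead of per certificate.
    pinned = @ca_fingerprint.delete(':').upcase
    pin_found = chain.any? do |cert|
      OpenSSL::Digest::SHA256.hexdigest(cert.to_der).upcase == pinned
    end
    unless pin_found
      raise Elastic::Transport::Transport::Error,
            'Server certificate CA fingerprint does not match the value configured in ca_fingerprint'
    end

    connection.verified = true
  end
end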