r22141@crimson: knu | 2009-02-08 22:04:26 +0900

(:ssl_verify_mode): new option suggested by Will Glynn. (r9958) (:ssl_ca_cert): new option. (r9958, r13691) git-svn-id: http://svn.ruby-lang.org/repos/ruby/branches/ruby_1_8@22152 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
brentr · Feb 9, 2009 · c6560f7 · c6560f7
1 parent b0b63e6
commit c6560f7
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 2 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -6,6 +6,8 @@ Sun Feb  8 21:39:06 2009  Akinori MUSHA  <knu@iDaemons.org>
 	  (OpenURI.open_loop): prohibit multiple proxy options. (r9339)
 	  (OpenURI.open_loop): find_proxy should return nil when proxy
 	  does not exist. [ruby-dev:27630] (r9500)
+	  (:ssl_verify_mode): new option suggested by Will Glynn. (r9958)
+	  (:ssl_ca_cert): new option. (r9958, r13691)
 
 Mon Feb  9 01:21:16 2009  Tanaka Akira  <akr@fsij.org>
 

diff --git a/lib/open-uri.rb b/lib/open-uri.rb
@@ -96,6 +96,8 @@ module OpenURI
     :content_length_proc => true,
     :http_basic_authentication => true,
     :read_timeout => true,
+    :ssl_ca_cert => nil,
+    :ssl_verify_mode => nil,
   }
 
   def OpenURI.check_options(options) # :nodoc:
@@ -266,9 +268,17 @@ def OpenURI.open_http(buf, target, proxy, options) # :nodoc:
     if target.class == URI::HTTPS
       require 'net/https'
       http.use_ssl = true
-      http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+      http.verify_mode = options[:ssl_verify_mode] || OpenSSL::SSL::VERIFY_PEER
       store = OpenSSL::X509::Store.new
-      store.set_default_paths
+      if options[:ssl_ca_cert]
+        if File.directory? options[:ssl_ca_cert]
+          store.add_path options[:ssl_ca_cert]
+        else
+          store.add_file options[:ssl_ca_cert]
+        end
+      else
+        store.set_default_paths
+      end
       http.cert_store = store
     end
     if options.include? :read_timeout
@@ -570,6 +580,19 @@ module OpenRead
     #
     #  :read_timeout option specifies a timeout of read for http connections.
     #
+    # [:ssl_ca_cert]
+    #  Synopsis:
+    #    :ssl_ca_cert=>filename
+    #
+    #  :ssl_ca_cert is used to specify CA certificate for SSL.
+    #  If it is given, default certificates are not used.
+    #
+    # [:ssl_verify_mode]
+    #  Synopsis:
+    #    :ssl_verify_mode=>mode
+    #
+    #  :ssl_verify_mode is used to specify openssl verify mode.
+    #
     # OpenURI::OpenRead#open returns an IO like object if block is not given.
     # Otherwise it yields the IO object and return the value of the block.
     # The IO object is extended with OpenURI::Meta.