Verify SSL certificate of rubygems.org #2111

Closed
indirect opened this Issue · 3 comments

André Arko
Owner

It seems that Net::HTTP::Persistent forces VERIFY_NONE, which I did not realize. :(

We should verify the rubygems.org cert, even if that means shipping the CA chain that we need with Bundler.

Barry Allard

TL;DR - rubygems.org.crt = *.rubygems.org +-> RapidSSL +-> GeoTrust:

-----BEGIN CERTIFICATE-----
[certificate body not present in this copy]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[certificate body not present in this copy]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIID1TCCAr2gAwIBAgIDAjbRMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
YWwgQ0EwHhcNMTAwMjE5MjI0NTA1WhcNMjAwMjE4MjI0NTA1WjA8MQswCQYDVQQG
EwJVUzEXMBUGA1UEChMOR2VvVHJ1c3QsIEluYy4xFDASBgNVBAMTC1JhcGlkU1NM
IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx3H4Vsce2cy1rfa0
l6P7oeYLUF9QqjraD/w9KSRDxhApwfxVQHLuverfn7ZB9EhLyG7+T1cSi1v6kt1e
6K3z8Buxe037z/3R5fjj3Of1c3/fAUnPjFbBvTfjW761T4uL8NpPx+PdVUdp3/Jb
ewdPPeWsIcHIHXro5/YPoar1b96oZU8QiZwD84l6pV4BcjPtqelaHnnzh8jfyMX8
N8iamte4dsywPuf95lTq319SQXhZV63xEtZ/vNWfcNMFbPqjfWdY3SZiHTGSDHl5
HI7PynvBZq+odEj7joLCniyZXHstXZu8W1eefDp6E63yoxhbK1kPzVw662gzxigd
gtFQiwIDAQABo4HZMIHWMA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUa2k9ahhC
St2PAmU5/TUkhniRFjAwHwYDVR0jBBgwFoAUwHqYaI2J+6sFZAwRfap9ZbjKzE4w
EgYDVR0TAQH/BAgwBgEB/wIBADA6BgNVHR8EMzAxMC+gLaArhilodHRwOi8vY3Js
Lmdlb3RydXN0LmNvbS9jcmxzL2d0Z2xvYmFsLmNybDA0BggrBgEFBQcBAQQoMCYw
JAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmdlb3RydXN0LmNvbTANBgkqhkiG9w0B
AQUFAAOCAQEAq7y8Cl0YlOPBscOoTFXWvrSY8e48HM3P8yQkXJYDJ1j8Nq6iL4/x
/torAsMzvcjdSCIrYA+lAxD9d/jQ7ZZnT/3qRyBwVNypDFV+4ZYlitm12ldKvo2O
SUNjpWxOJ4cl61tt/qJ/OCjgNqutOaWlYsS3XFgsql0BYKZiZ6PAx2Ij9OdsRu61
04BqIhPSLT90T+qvjF+0OJzbrs6vhB6m9jRRWXnT43XcvNfzc9+S7NIgWW+c+5X4
knYYCnwPLKbK3opie9jzzl9ovY8+wXS7FXI6FoOpC+ZNmZzYV+yoAVHHb1c0XqtK
LEL2TxyJeN4mTvVvk0wVaydWTQBUbHq3tw==
-----END CERTIFICATE-----
$ openssl s_client -showcerts -verify 99 -connect rubygems.org:443 -CAfile <(cat << EOF
-----BEGIN CERTIFICATE-----
MIIDVDCCAjygAwIBAgIDAjRWMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
YWwgQ0EwHhcNMDIwNTIxMDQwMDAwWhcNMjIwNTIxMDQwMDAwWjBCMQswCQYDVQQG
EwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UEAxMSR2VvVHJ1c3Qg
R2xvYmFsIENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2swYYzD9
9BcjGlZ+W988bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9mOSm9BXiLnTjoBbdq
fnGk5sRgprDvgOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIuT8rxh0PBFpVXLVDv
iS2Aelet8u5fa9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6cJmTM386DGXHKTubU
1XupGc1V3sjs0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmRCw7+OC7RHQWa9k0+
bw8HHa8sHo9gOeL6NlMTOdReJivbPagUvTLrGAMoUgRx5aszPeE4uwc2hGKceeoW
MPRfwCvocWvk+QIDAQABo1MwUTAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBTA
ephojYn7qwVkDBF9qn1luMrMTjAfBgNVHSMEGDAWgBTAephojYn7qwVkDBF9qn1l
uMrMTjANBgkqhkiG9w0BAQUFAAOCAQEANeMpauUvXVSOKVCUn5kaFOSPeCpilKIn
Z57QzxpeR+nBsqTP3UEaBU6bS+5Kb1VSsyShNwrrZHYqLizz/Tt1kL/6cdjHPTfS
tQWVYrmm3ok9Nns4d0iXrKYgjy6myQzCsplFAMfOEVEiIuCl6rYVSAlk6l5PdPcF
PseKUgzbFbS9bZvlxrFUaKnjaZC2mqUPuLk/IH2uSrW4nOQdtqvmlKXBx4Ot2/Un
hw4EbNX/3aBd7YdStysVAq45pmp06drE57xNNB6pXE0zX5IJL4hmXXeXxx12E6nV
5fEWCRE11azbJHFwLJhWC9kXtNHjUStedejV0NxPNO3CBWaAocvmMw==
-----END CERTIFICATE-----
EOF) 2>/dev/null </dev/null
CONNECTED(00000003)
---
Certificate chain
 0 s:/serialNumber=RRAXldgzDrRZWQpGo6FHdTHV3qwvwXtD/OU=GT35895174/OU=See www.rapidssl.com/resources/cps (c)13/OU=Domain Control Validated - RapidSSL(R)/CN=*.rubygems.org
   i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
-----BEGIN CERTIFICATE-----
[certificate body not present in this copy]
-----END CERTIFICATE-----
 1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
-----BEGIN CERTIFICATE-----
MIID1TCCAr2gAwIBAgIDAjbRMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
YWwgQ0EwHhcNMTAwMjE5MjI0NTA1WhcNMjAwMjE4MjI0NTA1WjA8MQswCQYDVQQG
EwJVUzEXMBUGA1UEChMOR2VvVHJ1c3QsIEluYy4xFDASBgNVBAMTC1JhcGlkU1NM
IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx3H4Vsce2cy1rfa0
l6P7oeYLUF9QqjraD/w9KSRDxhApwfxVQHLuverfn7ZB9EhLyG7+T1cSi1v6kt1e
6K3z8Buxe037z/3R5fjj3Of1c3/fAUnPjFbBvTfjW761T4uL8NpPx+PdVUdp3/Jb
ewdPPeWsIcHIHXro5/YPoar1b96oZU8QiZwD84l6pV4BcjPtqelaHnnzh8jfyMX8
N8iamte4dsywPuf95lTq319SQXhZV63xEtZ/vNWfcNMFbPqjfWdY3SZiHTGSDHl5
HI7PynvBZq+odEj7joLCniyZXHstXZu8W1eefDp6E63yoxhbK1kPzVw662gzxigd
gtFQiwIDAQABo4HZMIHWMA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUa2k9ahhC
St2PAmU5/TUkhniRFjAwHwYDVR0jBBgwFoAUwHqYaI2J+6sFZAwRfap9ZbjKzE4w
EgYDVR0TAQH/BAgwBgEB/wIBADA6BgNVHR8EMzAxMC+gLaArhilodHRwOi8vY3Js
Lmdlb3RydXN0LmNvbS9jcmxzL2d0Z2xvYmFsLmNybDA0BggrBgEFBQcBAQQoMCYw
JAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmdlb3RydXN0LmNvbTANBgkqhkiG9w0B
AQUFAAOCAQEAq7y8Cl0YlOPBscOoTFXWvrSY8e48HM3P8yQkXJYDJ1j8Nq6iL4/x
/torAsMzvcjdSCIrYA+lAxD9d/jQ7ZZnT/3qRyBwVNypDFV+4ZYlitm12ldKvo2O
SUNjpWxOJ4cl61tt/qJ/OCjgNqutOaWlYsS3XFgsql0BYKZiZ6PAx2Ij9OdsRu61
04BqIhPSLT90T+qvjF+0OJzbrs6vhB6m9jRRWXnT43XcvNfzc9+S7NIgWW+c+5X4
knYYCnwPLKbK3opie9jzzl9ovY8+wXS7FXI6FoOpC+ZNmZzYV+yoAVHHb1c0XqtK
LEL2TxyJeN4mTvVvk0wVaydWTQBUbHq3tw==
-----END CERTIFICATE-----
---
Server certificate
subject=/serialNumber=RRAXldgzDrRZWQpGo6FHdTHV3qwvwXtD/OU=GT35895174/OU=See www.rapidssl.com/resources/cps (c)13/OU=Domain Control Validated - RapidSSL(R)/CN=*.rubygems.org
issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
---
No client certificate CA names sent
---
SSL handshake has read 3019 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 68BAEFFEA1399875AA482A5513E53349B384F7B74722DD70005930A9ECE6F81A
    Session-ID-ctx: 
    Master-Key: 63376A1D8846EDEA65A3698411DBA21DA2D757600527922BF8C3766D038F7D2FC882083B83544D0271422631A2B7114A
    Key-Arg   : None
    Start Time: 1362311455
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

Other security considerations even when using VERIFY_PEER:

  • Exception `OpenSSL::SSL::SSLError' at lib/ruby/1.9.1/openssl/buffering.rb:174 - read would block` is thrown and caught internally, possibly leading to incomplete validation of a given certificate
  • verify_certificate_identity in lib/ruby/1.9.1/openssl/ssl-internal.rb may or may not consider certificate verification depth
  • No mention of CRL
  • Nasty patches, i.e., VERIFY_PEER == VERIFY_NONE
  • Shouldn't a missing root CA cert nearly always be an error (plz plz deprecate VERIFY_NONE)... WTF, is proper secure-by-default SSL nearly impossible?
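The following Ruby is an added example, not code from this thread, from Bundler, or from Net::HTTP::Persistent. It constructs a throwaway three-level chain (root, issuing CA, a leaf named like the *.rubygems.org certificate above; the keys and certificates are generated here and are not the real ones) and runs the checks that VERIFY_NONE skips and that VERIFY_PEER plus a shipped CA bundle restores: chain validation against an explicit trust store, including the failure when the root CA is missing, hostname matching through Ruby's own OpenSSL::SSL.verify_certificate_identity, and the Net::HTTP configuration itself. The chain, the issue_cert/chain_trusted?/hostname_matches?/hardened_http helpers and the CA bundle path are assumptions of this example.

```ruby
require 'openssl'
require 'net/http'

# Issue an X.509v3 certificate for `subject` with `key`, signed by `issuer`
# (self-signed when issuer is nil). Constructed for this example only.
def issue_cert(subject, key, serial:, ca:, issuer: nil, issuer_key: nil, san: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509v3, required for extensions
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  if ca
    # CA certificates must say so, or OpenSSL refuses to chain through them.
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('subjectAltName', san)) if san
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Constructed chain: root -> issuing CA -> wildcard leaf (not the real certs).
ROOT_KEY = OpenSSL::PKey::RSA.new(2048)
INT_KEY  = OpenSSL::PKey::RSA.new(2048)
LEAF_KEY = OpenSSL::PKey::RSA.new(2048)
ROOT = issue_cert('/C=US/O=Constructed Trust/CN=Constructed Global CA', ROOT_KEY,
                  serial: 1, ca: true)
INTERMEDIATE = issue_cert('/C=US/O=Constructed Trust/CN=Constructed Issuing CA', INT_KEY,
                          serial: 2, ca: true, issuer: ROOT, issuer_key: ROOT_KEY)
LEAF = issue_cert('/CN=*.rubygems.org', LEAF_KEY,
                  serial: 3, ca: false, issuer: INTERMEDIATE, issuer_key: INT_KEY,
                  san: 'DNS:*.rubygems.org')

# What VERIFY_PEER does: the leaf must chain, through the untrusted
# intermediates the server sends, to a root we explicitly trust. With no
# trusted root this must fail; that is the "missing root CA cert" point.
# Returns [ok, reason].
def chain_trusted?(leaf, intermediates, trusted_roots)
  store = OpenSSL::X509::Store.new
  trusted_roots.each { |root| store.add_cert(root) }
  ok = store.verify(leaf, intermediates)
  [ok, ok ? 'ok' : store.error_string]
end

# Hostname check (the step VERIFY_NONE also skips), using the stdlib routine
# named in the thread. A wildcard only matches one extra label.
def hostname_matches?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

# The corrected client setup: VERIFY_PEER plus a CA bundle shipped with the
# application. ca_bundle_path is a hypothetical path; nothing connects here.
def hardened_http(host, ca_bundle_path)
  http = Net::HTTP.new(host, 443)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER # the bug in the thread: VERIFY_NONE here
  http.ca_file = ca_bundle_path
  http
end

if __FILE__ == $PROGRAM_NAME
  p chain_trusted?(LEAF, [INTERMEDIATE], [ROOT]) # [true, "ok"]
  p chain_trusted?(LEAF, [INTERMEDIATE], [])     # [false, <issuer not found error>]
  p hostname_matches?(LEAF, 'www.rubygems.org')  # true
  p hostname_matches?(LEAF, 'rubygems.org')      # false
  p hardened_http('rubygems.org', '/etc/app/rubygems-ca-bundle.pem').verify_mode == OpenSSL::SSL::VERIFY_PEER
end
```

The first two calls show the difference between a client that carries the trust anchor and one that does not: the same server chain verifies in one case and is rejected in the other, which is exactly the error VERIFY_NONE hides.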
Barry Allard

Also, this won't scale for other https:// sources (gemfury)... net/http || net/https || openssl needs to be fixed to just work securely by default across platforms.

Massive :sadface: .... and I'm leaving ruby because I'm tired of lazy, novice mistakes from this and other past/current gross, shameful security gaffes.

André Arko
Owner

Happily this is fixed in Bundler 1.3.x, because NHP no longer does bad things.

André Arko indirect closed this