Verify SSL certificate of rubygems.org #2111

Closed
indirect opened this Issue Sep 26, 2012 · 3 comments


@indirect
Member

It seems that Net::HTTP::Persistent forces VERIFY_NONE, which I did not realize. :(

We should verify the rubygems.org cert, even if that means shipping the CA chain that we need with Bundler.
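The verification this issue asks for, as an added Ruby example (my own, not code from Bundler or Net::HTTP::Persistent): a constructed in-memory root and leaf stand in for the rubygems.org chain, the trust-store check shows what VERIFY_PEER with a shipped CA file does (and that an empty store fails), the hostname check shows why the real cert carries both the wildcard and the apex name, and `secure_http` is the corrected client setting; the `/tmp/ca-bundle.pem` path is a placeholder.

```ruby
require 'openssl'
require 'net/http'
# Constructed in-memory CA and leaf for the demo; stands in for GeoTrust -> RapidSSL -> *.rubygems.org.
def make_cert(subject, key, issuer: nil, issuer_key: nil, san: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**31)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('subjectAltName', san)) if san
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

CA_KEY = OpenSSL::PKey::RSA.new(2048)
CA_CERT = make_cert('/CN=Demo Root CA', CA_KEY, ca: true)
LEAF_KEY = OpenSSL::PKey::RSA.new(2048)
# Same SAN set as the real cert in the s_client output: wildcard plus apex name.
LEAF_CERT = make_cert('/CN=*.rubygems.org', LEAF_KEY, issuer: CA_CERT,
                      issuer_key: CA_KEY, san: 'DNS:*.rubygems.org,DNS:rubygems.org')
# Wildcard-only variant: the apex name rubygems.org must not match it.
WILDCARD_ONLY = make_cert('/CN=*.rubygems.org', LEAF_KEY, issuer: CA_CERT,
                          issuer_key: CA_KEY, san: 'DNS:*.rubygems.org')

# VERIFY_PEER in one call: the leaf must chain to a root in the store; an empty store fails.
def chain_trusted?(leaf, trusted_roots)
  store = OpenSSL::X509::Store.new
  trusted_roots.each { |c| store.add_cert(c) }
  store.verify(leaf)
end

# A valid chain alone does not bind the cert to the host dialled; Net::HTTP runs
# this SAN match as post_connection_check only when verify_mode is not VERIFY_NONE.
def hostname_matches?(cert, host)
  OpenSSL::SSL.verify_certificate_identity(cert, host)
end

# The client setup this issue asks for, instead of a forced VERIFY_NONE.
def secure_http(host, ca_file)
  http = Net::HTTP.new(host, 443)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.ca_file = ca_file
  http
end
```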

@indirect indirect was assigned Sep 26, 2012
@steakknife

TL;DR - rubygems.org.crt = *.rubygems.org +-> RapidSSL +-> GeoTrust:

$ openssl s_client -showcerts -verify 99 -connect rubygems.org:443 -CAfile <(cat << EOF
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
EOF) 2>/dev/null </dev/null
CONNECTED(00000003)
---
Certificate chain
 0 s:/serialNumber=RRAXldgzDrRZWQpGo6FHdTHV3qwvwXtD/OU=GT35895174/OU=See www.rapidssl.com/resources/cps (c)13/OU=Domain Control Validated - RapidSSL(R)/CN=*.rubygems.org
   i:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
 1 s:/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
   i:/C=US/O=GeoTrust Inc./CN=GeoTrust Global CA
-----BEGIN CERTIFICATE-----
MIID1TCCAr2gAwIBAgIDAjbRMA0GCSqGSIb3DQEBBQUAMEIxCzAJBgNVBAYTAlVT
MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
YWwgQ0EwHhcNMTAwMjE5MjI0NTA1WhcNMjAwMjE4MjI0NTA1WjA8MQswCQYDVQQG
EwJVUzEXMBUGA1UEChMOR2VvVHJ1c3QsIEluYy4xFDASBgNVBAMTC1JhcGlkU1NM
IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx3H4Vsce2cy1rfa0
l6P7oeYLUF9QqjraD/w9KSRDxhApwfxVQHLuverfn7ZB9EhLyG7+T1cSi1v6kt1e
6K3z8Buxe037z/3R5fjj3Of1c3/fAUnPjFbBvTfjW761T4uL8NpPx+PdVUdp3/Jb
ewdPPeWsIcHIHXro5/YPoar1b96oZU8QiZwD84l6pV4BcjPtqelaHnnzh8jfyMX8
N8iamte4dsywPuf95lTq319SQXhZV63xEtZ/vNWfcNMFbPqjfWdY3SZiHTGSDHl5
HI7PynvBZq+odEj7joLCniyZXHstXZu8W1eefDp6E63yoxhbK1kPzVw662gzxigd
gtFQiwIDAQABo4HZMIHWMA4GA1UdDwEB/wQEAwIBBjAdBgNVHQ4EFgQUa2k9ahhC
St2PAmU5/TUkhniRFjAwHwYDVR0jBBgwFoAUwHqYaI2J+6sFZAwRfap9ZbjKzE4w
EgYDVR0TAQH/BAgwBgEB/wIBADA6BgNVHR8EMzAxMC+gLaArhilodHRwOi8vY3Js
Lmdlb3RydXN0LmNvbS9jcmxzL2d0Z2xvYmFsLmNybDA0BggrBgEFBQcBAQQoMCYw
JAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmdlb3RydXN0LmNvbTANBgkqhkiG9w0B
AQUFAAOCAQEAq7y8Cl0YlOPBscOoTFXWvrSY8e48HM3P8yQkXJYDJ1j8Nq6iL4/x
/torAsMzvcjdSCIrYA+lAxD9d/jQ7ZZnT/3qRyBwVNypDFV+4ZYlitm12ldKvo2O
SUNjpWxOJ4cl61tt/qJ/OCjgNqutOaWlYsS3XFgsql0BYKZiZ6PAx2Ij9OdsRu61
04BqIhPSLT90T+qvjF+0OJzbrs6vhB6m9jRRWXnT43XcvNfzc9+S7NIgWW+c+5X4
knYYCnwPLKbK3opie9jzzl9ovY8+wXS7FXI6FoOpC+ZNmZzYV+yoAVHHb1c0XqtK
LEL2TxyJeN4mTvVvk0wVaydWTQBUbHq3tw==
-----END CERTIFICATE-----
---
Server certificate
subject=/serialNumber=RRAXldgzDrRZWQpGo6FHdTHV3qwvwXtD/OU=GT35895174/OU=See www.rapidssl.com/resources/cps (c)13/OU=Domain Control Validated - RapidSSL(R)/CN=*.rubygems.org
issuer=/C=US/O=GeoTrust, Inc./CN=RapidSSL CA
---
No client certificate CA names sent
---
SSL handshake has read 3019 bytes and written 328 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA
    Session-ID: 68BAEFFEA1399875AA482A5513E53349B384F7B74722DD70005930A9ECE6F81A
    Session-ID-ctx: 
    Master-Key: 63376A1D8846EDEA65A3698411DBA21DA2D757600527922BF8C3766D038F7D2FC882083B83544D0271422631A2B7114A
    Key-Arg   : None
    Start Time: 1362311455
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---

Other security considerations even when using VERIFY_PEER:

  • Exception `OpenSSL::SSL::SSLError at lib/ruby/1.9.1/openssl/buffering.rb:174 - read would block` is thrown and caught internally, possibly leading to incomplete validation of a given certificate
  • verify_certificate_identity in lib/ruby/1.9.1/openssl/ssl-internal.rb may or may not consider certificate verification depth
  • No mention of CRL
  • Nasty patches, i.e., VERIFY_PEER == VERIFY_NONE
  • Shouldn't a missing root ca cert nearly always be an error (plz plz deprecate VERIFY_NONE)... WTF is proper secure by default SSL nearly impossible?
@steakknife

Also, this won't scale for other https:// sources (gemfury)... net/http || net/https || openssl needs to be fixed to just work securely by default across platforms.

Massive :sadface: .... and I'm leaving ruby because I'm tired of lazy, novice mistakes from this and other past/current gross, shameful security gaffes.

@indirect
Member

Happily this is fixed in Bundler 1.3.x, because NHP no longer does bad things.

@indirect indirect closed this Jul 21, 2013