allow SSL certs to be verified #179

wants to merge 1 commit into from

7 participants


Currently if the option :verify_peer is set to true, all requests will fail. This is because ssl_verify_peer is not implemented. According to the EM docs, "It is up to user defined code to perform a check on the certificates."

Since the method isn't defined by em-http-request, it returns nil, and all https requests fail.

I have attached a first stab at implementing this method. It is lacking tests, and this is almost certainly not a completely correct way of verifying the SSL certs; however, it is far better than not verifying SSL certs at all.

Are you interested in including this feature in em-http-request? Can anyone make some suggestion for improving the cert checking?
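What a complete peer check looks like, as an added example (not the PR's code or em-http-request's): the presented chain is verified with `OpenSSL::X509::Store` and the leaf is then matched against the requested hostname, over a constructed sample PKI. `make_cert`, `verify_peer_chain` and `sample_pki` are names chosen for this example; EM hands `ssl_verify_peer` one PEM per call, so a real callback would collect the chain before passing it in.

```ruby
require 'openssl'

# Issue an X.509 v3 cert; issuer_cert nil means self-signed (a root).
# Everything built here is constructed sample data, not a real certificate.
def make_cert(subject, key, issuer_cert, issuer_key, serial, ca:, san: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{san}")) if san
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Verify a presented chain (leaf first, then intermediates) against trusted
# root PEMs, then check that the leaf names the host we meant to reach.
# Returns [ok, reason] so a caller can log why a connection was refused.
def verify_peer_chain(trusted_pems, chain_pems, hostname)
  certs = chain_pems.map { |pem| OpenSSL::X509::Certificate.new(pem) }
  leaf = certs.first
  return [false, 'no certificate presented'] if leaf.nil?
  store = OpenSSL::X509::Store.new
  trusted_pems.each { |pem| store.add_cert(OpenSSL::X509::Certificate.new(pem)) }
  # X509::Store does path building, signatures, validity dates, basicConstraints
  # and path-length checks in one place instead of per-certificate guesswork.
  return [false, store.error_string] unless store.verify(leaf, certs.drop(1))
  # A valid chain alone does not bind the certificate to this connection's host.
  return [false, 'hostname mismatch'] unless OpenSSL::SSL.verify_certificate_identity(leaf, hostname)
  [true, 'ok']
end

# Constructed sample PKI: a trusted root with a leaf for example.test, plus an
# untrusted root that issued a leaf for the same name (the on-path attacker case).
def sample_pki
  root_key, rogue_key, leaf_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  root   = make_cert('/CN=Sample Root', root_key, nil, root_key, 1, ca: true)
  rogue  = make_cert('/CN=Rogue Root', rogue_key, nil, rogue_key, 2, ca: true)
  leaf   = make_cert('/CN=example.test', leaf_key, root, root_key, 3, ca: false, san: 'example.test')
  forged = make_cert('/CN=example.test', leaf_key, rogue, rogue_key, 4, ca: false, san: 'example.test')
  { trusted: [root.to_pem], chain: [leaf.to_pem], forged_chain: [forged.to_pem] }
end
```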

@thoughtless thoughtless allow SSL certs to be verified
* This is almost certainly not a completely correct way of verifying the
  SSL certs; however, it is far better than not verifying SSL certs at

Are you interested in including this feature in em-http-request? - Yes.

Having said that, I don't have any good experience with this stuff either, and it's a tricky subject. @nahi, perhaps you have some tips or suggestions?


I recently added ssl cert verification to an EM client and used @alloy's ssalleyware as a model for my code.

Fairly similar to what @thoughtless has added. Might also be worth a look.


Yes, it's not em-http-request's issue. EM must implement SSL certificate verification with the help of the OpenSSL API, because it's extra hard to implement it properly. Ad-hoc patching would cause a severe security flaw (e.g. JRuby-OpenSSL skipped all verification to get tests green when I came to it).

EM should allow SSLContext to be configured, and ssl_verify_peer of SslBox should handle preverify_ok properly. Hope someone can find enough time to try it. Rewriting SslBox with ext/openssl would be far better, though.


it's not em-http-request's issue

The current EM docs say that the user (em-http-request in this case) should implement ssl_verify_peer. Are you saying that that is not a good idea?

That certainly makes sense. I would expect that the EM code is in a much better position to work with OpenSSL as it controls the connection itself. I couldn't figure out how to use SSLContext within an ssl_verify_peer method.


@tmm1 any experience with SSL + EM?


A relevant discussion from EM side: eventmachine/eventmachine#84

  • From discussion above, EM itself needs some good work to get proper SSL verification support
  • The logic for verification should live in EM, not em-http

Given the two points above, I'm not sure there is much we can do from here, unless someone is willing to invest the time to make SSL work in EM properly first.


OK. It sounds like this ticket should be closed and future discussion should happen in EM tickets.

Thanks for your time looking into this.


I've opened a new pull request to address this (I think) more completely than EM's pull request 84:


I've also made a branch that should take advantage of those improvements to EM, which I'll pull-request here once I can get my work merged into EM:

Hopefully I can get both merged and working fairly shortly.


@burke that's awesome, thanks for your work on this!


Could anyone please post an update on the status of SSL authentication?
I'm currently adding some integration specs to httpi and can't get em-http to verify the peer.


Not much. As you can see from the links above, the pull is still open on the EM repo. :(

@rubiii rubiii referenced this pull request in savonrb/httpi

Make SSL work with httpclient adapter #65


Thanks @igrigorik. So I guess I'd better raise an error if someone tries to use SSL authentication with httpi's em_http adapter then.


I've added a patch to Faraday that adds SSL peer verification support (enabled by default) with em-http adapter.

Not battle-tested, but passes our test suite. The patch is not Faraday-dependent and you can drop it into your projects.

@mrichar1 mrichar1 referenced this pull request in seegno/sensu-influxdb-extension

Add support for https/ssl #18

Commits on Mar 15, 2012
  1. @thoughtless

    allow SSL certs to be verified

    thoughtless authored
Showing with 30 additions and 0 deletions.
  1. +30 −0 lib/em-http/http_connection.rb
30 lib/em-http/http_connection.rb
@@ -28,6 +28,36 @@ def connection_completed
def unbind(reason=nil)
+ def ssl_verify_peer(cert_str)
+ cert =
+ is_signing_auth = cert_is_signing_auth(cert)
+ result = (is_signing_auth || OpenSSL::SSL.verify_certificate_identity(cert, &&
+ cert_chain.any? {|c| cert.verify(c.public_key) } &&
+ cert.not_after >= &&
+ cert.not_before <=
+ cert_chain << cert if result && is_signing_auth
+ result
+ end
+ private
+ def cert_chain_str
+ @cert_chain_str ||=[:cert_chain_file])
+ end
+ def cert_chain
+ @cert_chain ||= begin
+ strings = cert_chain_str.lines("-----END CERTIFICATE-----").map{|x| x.strip}.compact.reject{|x| x==''}
+{|s| }
+ end
+ end
+ def cert_is_signing_auth(cert)
+ ext = cert.extensions.detect { |ext| ext.oid == "basicConstraints" }
+ ext && ext.value.split(/,\s+/).any? { |val| val == "CA:TRUE" }
+ end
class HttpConnection
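Review bot: the identity check `OpenSSL::SSL.verify_certificate_identity(cert, ...)` is skipped whenever `cert_is_signing_auth(cert)` is true, and since `ssl_verify_peer(cert_str)` sees one certificate at a time it cannot tell the end-entity certificate from an intermediate, so a chain whose final certificate carries `CA:TRUE` is accepted without its name ever being compared to the connected host. The hand-rolled checks (`cert.verify(c.public_key)`, `not_after`/`not_before`, a `basicConstraints` string match) also cover no key usage, path-length or revocation constraints, and `cert_chain << cert if result && is_signing_auth` grows the trust set from peer-supplied certificates for the rest of the connection. Suggest collecting the presented certificates and handing them to `OpenSSL::X509::Store#verify`, running the hostname check on the leaf only, and adding the tests the description says are missing (wrong-host leaf, untrusted issuer, expired certificate); the `cert_chain_str` read of `[:cert_chain_file]` should also fail closed rather than raise when the option is unset.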