make it possible to use ca_path instead of ca_file

jamesgolick · Dec 8, 2010 · ef2fc28 · ef2fc28
1 parent 4eb3040
commit ef2fc28
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 7 deletions.
diff --git a/README.rdoc b/README.rdoc
@@ -2,15 +2,15 @@
 
 Ruby's net/http is setup to never verify SSL certificates by default. Most ruby libraries do the same. That means that you're not verifying the identity of the server you're communicating with and are therefore exposed to man in the middle attacks. This gem monkey-patches net/http to force certificate verification and make turning it off impossible.
 
-All you need to do is require this gem, and set a path to your certificate authority bundle:
+All you need to do is require this gem, and set a path to your certificate authority bundle or directory:
 
   require "always_verify_ssl_certificates"
   AlwaysVerifySSLCertificates.ca_file = "/etc/pki/tls/certs/ca-bundle.crt" # the centos location
 
 You can find that bundle at the following locations on various operating systems
 
-* CentOS / RHEL (I assume): /etc/pki/tls/certs/ca-bundle.crt
-* Debian: /etc/ssl/certs
+* CentOS / RHEL (I assume): AlwaysVerifySSLCertificates.ca_file = /etc/pki/tls/certs/ca-bundle.crt
+* Debian: AlwaysVerifySSLCertificates.ca_path = /etc/ssl/certs
 * OS X: ????
 
 == Copyright

diff --git a/lib/always_verify_ssl_certificates.rb b/lib/always_verify_ssl_certificates.rb
@@ -3,7 +3,7 @@
 
 class AlwaysVerifySSLCertificates
   class << self
-    attr_accessor :ca_file
+    attr_accessor :ca_file, :ca_path
   end
 end
 
@@ -15,12 +15,13 @@ def connect
         s = timeout(@open_timeout) { TCPSocket.open(conn_address(), conn_port()) }
         D "opened"
         if use_ssl?
-          if !AlwaysVerifySSLCertificates.ca_file
-            raise "You must set AlwaysVerifySSLCertificates.ca_file to use SSL."
+          if !AlwaysVerifySSLCertificates.ca_file && !AlwaysVerifySSLCertificates.ca_path
+            raise "You must set AlwaysVerifySSLCertificates.ca_file or AlwaysVerifySSLCertificates.ca_path to use SSL."
           end
 
           @ssl_context.verify_mode = OpenSSL::SSL::VERIFY_PEER
-          @ssl_context.ca_file     = AlwaysVerifySSLCertificates.ca_file
+          @ssl_context.ca_file     = AlwaysVerifySSLCertificates.ca_file if AlwaysVerifySSLCertificates.ca_file
+          @ssl_context.ca_path     = AlwaysVerifySSLCertificates.ca_path if AlwaysVerifySSLCertificates.ca_path
           s = OpenSSL::SSL::SSLSocket.new(s, @ssl_context)
           s.sync_close = true
         end