From ef2fc2862abdf06876e924cf0afd761bd35c40b5 Mon Sep 17 00:00:00 2001
From: James Golick
Date: Tue, 7 Dec 2010 17:51:37 -0800
Subject: [PATCH] make it possible to use ca_path instead of ca_file

---
 README.rdoc | 6 +++---
 lib/always_verify_ssl_certificates.rb | 9 +++++----
 2 files changed, 8 insertions(+), 7 deletions(-)

diff --git a/README.rdoc b/README.rdoc
index 0100f63..e661100 100644
--- a/README.rdoc
+++ b/README.rdoc
@@ -2,15 +2,15 @@ Ruby's net/http is setup to never verify SSL certificates by default. Most ruby libraries do the same. That means that you're not verifying the identity of the server you're communicating with and are therefore exposed to man in the middle attacks. This gem monkey-patches net/http to force certificate verification and make turning it off impossible.
-All you need to do is require this gem, and set a path to your certificate authority bundle:
+All you need to do is require this gem, and set a path to your certificate authority bundle or directory:
 require "always_verify_ssl_certificates"
 AlwaysVerifySSLCertificates.ca_file = "/etc/pki/tls/certs/ca-bundle.crt" # the centos location
 You can find that bundle at the following locations on various operating systems
-* CentOS / RHEL (I assume): /etc/pki/tls/certs/ca-bundle.crt
-* Debian: /etc/ssl/certs
+* CentOS / RHEL (I assume): AlwaysVerifySSLCertificates.ca_file = /etc/pki/tls/certs/ca-bundle.crt
+* Debian: AlwaysVerifySSLCertificates.ca_path = /etc/ssl/certs
 * OS X: ????
 == Copyright
diff --git a/lib/always_verify_ssl_certificates.rb b/lib/always_verify_ssl_certificates.rb
index 9895150..6c66009 100644
--- a/lib/always_verify_ssl_certificates.rb
+++ b/lib/always_verify_ssl_certificates.rb
@@ -3,7 +3,7 @@ class AlwaysVerifySSLCertificates
 class << self
- attr_accessor :ca_file
+ attr_accessor :ca_file, :ca_path
 end
 end
@@ -15,12 +15,13 @@ def connect
 s = timeout(@open_timeout) { TCPSocket.open(conn_address(), conn_port()) }
 D "opened"
 if use_ssl?
- if !AlwaysVerifySSLCertificates.ca_file raise "You must set AlwaysVerifySSLCertificates.ca_file to use SSL."
+ if !AlwaysVerifySSLCertificates.ca_file && !AlwaysVerifySSLCertificates.ca_path raise "You must set AlwaysVerifySSLCertificates.ca_file or AlwaysVerifySSLCertificates.ca_path to use SSL."
 end
 @ssl_context.verify_mode = OpenSSL::SSL::VERIFY_PEER
- @ssl_context.ca_file = AlwaysVerifySSLCertificates.ca_file
+ @ssl_context.ca_file = AlwaysVerifySSLCertificates.ca_file if AlwaysVerifySSLCertificates.ca_file
+ @ssl_context.ca_path = AlwaysVerifySSLCertificates.ca_path if AlwaysVerifySSLCertificates.ca_path
 s = OpenSSL::SSL::SSLSocket.new(s, @ssl_context)
 s.sync_close = true
 end
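Review bot: A configured `ca_file` or `ca_path` that does not exist passes the new guard and is only discovered at handshake time, where (as far as I recall) the Ruby OpenSSL binding merely emits a verbose-mode warning when `SSL_CTX_load_verify_locations` fails, so the user sees a bare "certificate verify failed" rather than a pointer to the bad setting; an empty string passes the guard as well, since `""` is truthy in Ruby. Validating right after the nil check is cheap and keeps the failure self-explanatory: `raise "AlwaysVerifySSLCertificates.ca_file is not a readable file" if AlwaysVerifySSLCertificates.ca_file && !File.file?(AlwaysVerifySSLCertificates.ca_file)` plus the same line with `File.directory?` for `ca_path`. The hunk also ends before the socket's `connect`, so it is not visible here whether the patched method still calls `post_connection_check(@address)` afterwards; `VERIFY_PEER` alone validates the chain but not that the certificate matches the host, and that check is what actually defeats the man-in-the-middle the README describes, so it deserves a comment next to `verify_mode` either way. `connect`'s body continues outside the hunk.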