
looks like we don't actually need to configure the cert paths. OpenSSL will do that for us correctly by default
1 parent 5d90dab commit ef5be277730e0f4985d2c26b0f7fb237ed81c0be @jamesgolick committed Dec 9, 2010
Showing with 2 additions and 21 deletions.
  1. +1 −8 README.rdoc
  2. +1 −13 lib/always_verify_ssl_certificates.rb
@@ -2,18 +2,11 @@
Ruby's net/http is setup to never verify SSL certificates by default. Most ruby libraries do the same. That means that you're not verifying the identity of the server you're communicating with and are therefore exposed to man in the middle attacks. This gem monkey-patches net/http to force certificate verification and make turning it off impossible.
-All you need to do is require this gem, and set a path to your certificate authority bundle or directory:
+All you need to do is require this gem and you'll get good security by default.
$ gem install always_verify_ssl_certificates
require "always_verify_ssl_certificates"
- AlwaysVerifySSLCertificates.ca_file = "/etc/pki/tls/certs/ca-bundle.crt" # the centos location
-
-You can find that bundle at the following locations on various operating systems
-
-* CentOS / RHEL (I assume): AlwaysVerifySSLCertificates.ca_file = /etc/pki/tls/certs/ca-bundle.crt
-* Debian: AlwaysVerifySSLCertificates.ca_path = /etc/ssl/certs
-* OS X: ????
== Copyright
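Review bot: The replacement sentence `+All you need to do is require this gem and you'll get good security by default.` removes the only documentation of where trust anchors come from; the deleted `ca_file`/`ca_path` lines were the reader's only hint that certificate verification needs a CA bundle at all. Since the commit message says OpenSSL locates the bundle by default, the README should state that dependency plainly (verification relies on the system's default OpenSSL certificate store) and say what happens when that store is absent or empty, because with the override gone a user on such a host would see every HTTPS request rejected and the old `AlwaysVerifySSLCertificates.ca_file = ...` remedy no longer exists. Dropping the `* OS X: ????` entry is fine on its own, as it was an open question rather than an answer, but the question it raised is exactly what the new sentence now glosses over.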
@@ -1,12 +1,6 @@
require "net/http"
require "net/https"
-class AlwaysVerifySSLCertificates
- class << self
- attr_accessor :ca_file, :ca_path
- end
-end
-
module Net
class HTTP
private
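Review bot: Deleting `class AlwaysVerifySSLCertificates` together with its `attr_accessor :ca_file, :ca_path` is a breaking API change rather than a cleanup: any application that followed the previous README and wrote `AlwaysVerifySSLCertificates.ca_file = "/etc/pki/tls/certs/ca-bundle.crt"` will raise `NameError` on that line as soon as it upgrades the gem. Consider keeping the two accessors as an optional override that is applied only when set, so users on systems where OpenSSL's default lookup finds nothing can still point at their own bundle; if the removal stands, note the break in the changelog and bump the version accordingly.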
@@ -15,13 +9,7 @@ def connect
s = timeout(@open_timeout) { TCPSocket.open(conn_address(), conn_port()) }
D "opened"
if use_ssl?
- if !AlwaysVerifySSLCertificates.ca_file && !AlwaysVerifySSLCertificates.ca_path
- raise "You must set AlwaysVerifySSLCertificates.ca_file or AlwaysVerifySSLCertificates.ca_path to use SSL."
- end
-
- @ssl_context.verify_mode = OpenSSL::SSL::VERIFY_PEER
- @ssl_context.ca_file = AlwaysVerifySSLCertificates.ca_file if AlwaysVerifySSLCertificates.ca_file
- @ssl_context.ca_path = AlwaysVerifySSLCertificates.ca_path if AlwaysVerifySSLCertificates.ca_path
+ self.verify_mode = OpenSSL::SSL::VERIFY_PEER
s = OpenSSL::SSL::SSLSocket.new(s, @ssl_context)
s.sync_close = true
end
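Review bot: After this hunk nothing in `connect` points `@ssl_context` at a trust store: the removed lines loaded `ca_file`/`ca_path` into the context, while the replacement `self.verify_mode = OpenSSL::SSL::VERIFY_PEER` only switches verification on. Peer verification against an empty store rejects every certificate, so the change only works where OpenSSL's default lookup (the behaviour the commit message relies on) finds the system bundle, and on a host without one every HTTPS connection now fails with no configuration hook left to repair it. Either call `@ssl_context.set_default_paths` here so that dependency is explicit in the code, or keep an optional `ca_file`/`ca_path` override alongside it. Two smaller points: the old code assigned `@ssl_context.verify_mode` directly whereas the new line goes through `self.verify_mode=`, so confirm that setter writes into the same `@ssl_context` handed to `OpenSSL::SSL::SSLSocket.new(s, @ssl_context)` on the following line; and the removed `raise` was the only code path that produced a readable error when no CA material was configured, so a user on a bare system now gets a generic OpenSSL verification failure instead of a message naming the cause.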

1 comment on commit ef5be27

@samoli
samoli commented on ef5be27 Jan 17, 2011

This was still a useful option in some cases - for example I couldn't get this working on Heroku without supplying my own ca bundle.
