Refactor ssl_ca setup

Don't set verify_mode to NONE by default, net/http will do this for us when connecting
jnunemaker · Jul 19, 2010 · ca8c13b · ca8c13b
1 parent f9c7478
commit ca8c13b
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 27 deletions.
diff --git a/lib/httparty/request.rb b/lib/httparty/request.rb
@@ -59,6 +59,27 @@ def perform
 
     private
 
+    def attach_ssl_certificates(http)
+      if http.use_ssl?
+        # Client certificate authentication
+        if options[:pem]
+          http.cert = OpenSSL::X509::Certificate.new(options[:pem])
+          http.key = OpenSSL::PKey::RSA.new(options[:pem])
+          http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+        end
+
+        # SSL certificate authority file and/or directory
+        if options[:ssl_ca_file]
+          http.ca_file = options[:ssl_ca_file]
+          http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+        end
+        if options[:ssl_ca_path]
+          http.ca_path = options[:ssl_ca_path]
+          http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+        end
+      end
+    end
+
     def http
       http = Net::HTTP.new(uri.host, uri.port, options[:http_proxyaddr], options[:http_proxyport])
       http.use_ssl = ssl_implied?
@@ -68,23 +89,7 @@ def http
         http.read_timeout = options[:timeout]
       end
 
-      # By default, don't do any SSL verification (!), but this can be overridden.
-      http.verify_mode = OpenSSL::SSL::VERIFY_NONE
-      # Client certificate authentication
-      if options[:pem] && http.use_ssl?
-        http.cert = OpenSSL::X509::Certificate.new(options[:pem])
-        http.key = OpenSSL::PKey::RSA.new(options[:pem])
-        http.verify_mode = OpenSSL::SSL::VERIFY_PEER
-      end
-      # SSL certificate authority file and/or directory
-      if options[:ssl_ca_file] && http.use_ssl?
-        http.ca_file = options[:ssl_ca_file]
-        http.verify_mode = OpenSSL::SSL::VERIFY_PEER
-      end
-      if options[:ssl_ca_path] && http.use_ssl?
-        http.ca_path = options[:ssl_ca_path]
-        http.verify_mode = OpenSSL::SSL::VERIFY_PEER
-      end
+      attach_ssl_certificates(http)
 
       if options[:debug_output]
         http.set_debug_output(options[:debug_output])

diff --git a/spec/httparty/request_spec.rb b/spec/httparty/request_spec.rb
@@ -139,16 +139,6 @@
           request.options[:pem] = :pem_contents
           request.send(:http)
         end
-
-        it "should not verify a certificate if scheme is not https" do
-          http = Net::HTTP.new('google.com')
-          Net::HTTP.stub(:new => http)
-
-          request = HTTParty::Request.new(Net::HTTP::Get, 'http://google.com')
-          request.options[:pem] = :pem_contents
-          http = request.send(:http)
-          http.verify_mode.should == OpenSSL::SSL::VERIFY_NONE
-        end
       end
 
       context "debugging" do