Certificate verify failed when OpenSSL::SSL::VERIFY_PEER #345

Closed
goosmurf opened this Issue Feb 7, 2012 · 2 comments

@goosmurf

I'm trying to verify the server certificate using the CA certs in /etc/ssl/certs on my machine.

If I use openssl directly I would do that by setting the ca_path on the context instance for a socket, e.g.

require 'openssl'

# Trust the system CA directory and require a valid server certificate
context = OpenSSL::SSL::SSLContext.new
context.ca_path = '/etc/ssl/certs'
context.verify_mode = OpenSSL::SSL::VERIFY_PEER

I can't seem to find a way to pass the ca_path through the Mail::SMTP options, and I note through much Googling that the majority of people using ActionMailer and Mail are simply setting openssl_verify_mode = none, which is not ideal.

Is there a way to set the ca_path or even a ca_file without any code change?

If not, would it make sense to replace the openssl_verify_mode option with a more generic openssl_context option through which one can pass an instance of OpenSSL::SSL::SSLContext, thus allowing any/all of the context options to be set outside of Mail::SMTP?

I'd be happy to have a go at implementing this, just wanted to make sure it's the best approach first.

@ndbroadbent

One of our users is also having difficulties due to this issue (comment on google group).

OpenSSL::SSL::SSLError (hostname was not match with the server certificate):
  app/models/polymorphic/comment.rb:63:in `block in notify_subscribers'
  app/models/polymorphic/comment.rb:59:in `eacch'
  app/models/polymorphic/comment.rb:59:in `notify_subscribers'
  app/controllers/comments_controller.rb:88:in `create'

(excuse translation)

It would be great if the SSL context could be configured via settings.

Thanks

@jeremy
Collaborator

Closed by #399

@jeremy jeremy closed this Jan 23, 2013
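
Added example, not code from this thread or from the Mail gem: it shows what a VERIFY_PEER context with an explicit trust anchor accepts and rejects, including the hostname mismatch reported in the second comment. The helper names (`make_cert`, `verifying_context`, `peer_acceptable?`), the CA names and the host `smtp.example.test` are constructed for illustration, and an in-memory certificate store stands in for `ca_path`.

```ruby
require 'openssl'

# Issue a certificate; pass issuer_cert = nil for a self-signed CA.
def make_cert(cn, key, issuer_cert, issuer_key, ca: false, san: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  end
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{san}", false)) if san
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
end

# Same verify_mode as the context in the issue; the in-memory store stands in
# for ca_path = '/etc/ssl/certs' so the example runs offline (assumption).
def verifying_context(store)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert_store = store
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx
end

# Two checks a verifying TLS client needs: the chain must end at a trusted CA,
# and the certificate must name the host being connected to.
def peer_acceptable?(ctx, cert, hostname)
  ctx.cert_store.verify(cert) &&
    OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

# Constructed sample PKI (all names and hosts are made up).
HOST = 'smtp.example.test'
CA_KEY = OpenSSL::PKey::RSA.new(2048)
ROGUE_KEY = OpenSSL::PKey::RSA.new(2048)
LEAF_KEY = OpenSSL::PKey::RSA.new(2048)
CA_CERT = make_cert('Example Test CA', CA_KEY, nil, CA_KEY, ca: true)
ROGUE_CA = make_cert('Untrusted CA', ROGUE_KEY, nil, ROGUE_KEY, ca: true)
GOOD = make_cert(HOST, LEAF_KEY, CA_CERT, CA_KEY, san: HOST)
ROGUE = make_cert(HOST, LEAF_KEY, ROGUE_CA, ROGUE_KEY, san: HOST)
STORE = OpenSSL::X509::Store.new
STORE.add_cert(CA_CERT)
CTX = verifying_context(STORE)
```

Setting the verify mode to none would accept `ROGUE` as readily as `GOOD`, which is why a configurable trust anchor is preferable to disabling verification.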