This repository has been archived by the owner on Jul 24, 2023. It is now read-only.

Verify SSL certificates by default #98

Closed
yol opened this issue Feb 10, 2016 · 1 comment
Comments

@yol

yol commented Feb 10, 2016

Currently, this Gem does not verify server certificates by default. It does check whether the common name or subjectAltName matches, but does not verify whether the certificate was issued by a trusted certificate authority, effectively making that check useless. The code does print a warning when making the request but I think that it does not communicate the full impact of the problem (a MITM attack would make it possible to fully impersonate an OpenID provider, see https://openid.net/specs/openid-authentication-2_0.html#anchor41 section 15.1.2) and is probably ignored by a lot of users.
It is possible to manually enable server certificate verification by specifying a CA bundle, but it is not clear why the verification could not be enabled by default without requiring users to download a CA bundle from somewhere on the internet which might or might not contain the CAs the user really wants to trust. Net::HTTP has been verifying server certificates by default since 2010 (see https://bugs.ruby-lang.org/issues/2579) and can use the operating system's default CAs just fine, but ruby-openid deliberately disables the verification.

So, please make server certificate verification the default as long as it is not very explicitly disabled even when not specifying a CA path.
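To illustrate the point of the issue above, here is an added example (not code from ruby-openid or from the issue author) that builds constructed test certificates in memory: a self-signed certificate whose CN and subjectAltName match the provider hostname passes the hostname-only check the gem performs, but fails chain verification against a trust store, while a certificate issued by a trusted CA passes both. The hostname `openid.example.com` and the CA name are assumptions; the store stands in for the operating system CAs that `set_default_paths` would load.

```ruby
require 'openssl'

# Constructed test certificates (not real keys). With no issuer the cert
# is self-signed; with ca: true it becomes a trust anchor.
def make_cert(cn, issuer: nil, ca: false)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, rand(1 << 62)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  issuer_cert, issuer_key = issuer || [cert, key]
  cert.issuer = issuer_cert.subject
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate, ef.issuer_certificate = cert, issuer_cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign', true))
  else
    cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{cn}"))
  end
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# The check the issue says the gem performs: hostname only, no chain check.
def hostname_only_ok?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

# What VERIFY_PEER gives you: chain verification against a trust store,
# then the hostname check. set_default_paths would load the OS CAs instead.
def verified_ok?(cert, hostname, store)
  store.verify(cert) && OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

def demo(hostname = 'openid.example.com')
  ca, ca_key = make_cert('Example Trusted CA', ca: true)
  issued, _ = make_cert(hostname, issuer: [ca, ca_key])
  rogue, _ = make_cert(hostname)            # self-signed, CN and SAN match
  store = OpenSSL::X509::Store.new
  store.add_cert(ca)                        # stand-in for the OS CA set
  {
    rogue_passes_hostname_check: hostname_only_ok?(rogue, hostname),
    rogue_passes_verification: verified_ok?(rogue, hostname, store),
    issued_passes_verification: verified_ok?(issued, hostname, store)
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```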

@timcappalli
Member

This repo is being archived. Closing issue.

@timcappalli closed this as not planned Jul 24, 2023