
Certificate and chain not validated if certificate bundle cannot be found #137

@koenrh

Description

While analysing the source code of some third-party libraries we use in our projects, I found an issue with the way certificate validation is handled in this library. If the certificate bundle cannot be found on the file system at three known/specified locations, then it silently falls back to a mode (i.e. OpenSSL::SSL::VERIFY_NONE) in which the certificate and the certificate chain aren't validated at all.

See the following code fragments copied from lib/oauth/consumer.rb.

If the environment variable SSL_CERT_FILE is not set, and no file can be found in the three specified locations, then CA_FILE is assigned nil. If you then look at the second code fragment, you can see that verify_mode will be set to VERIFY_NONE if CA_FILE equals nil and if the user hasn't explicitly set ca_file in the options object.

Lines 11-18:

# determine the certificate authority path to verify SSL certs
CA_FILES = %W(#{ENV['SSL_CERT_FILE']} /etc/ssl/certs/ca-certificates.crt /etc/pki/tls/certs/ca-bundle.crt /usr/share/curl/curl-ca-bundle.crt)
CA_FILES.each do |ca_file|
  if File.exist?(ca_file)
    CA_FILE = ca_file
    break
  end
end
CA_FILE = nil unless defined?(CA_FILE)

Lines 333-339:

if @options[:ca_file] || CA_FILE
  http_object.ca_file = @options[:ca_file] || CA_FILE
  http_object.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http_object.verify_depth = 5
else
  http_object.verify_mode = OpenSSL::SSL::VERIFY_NONE
end

I would expect a library to fail hard (i.e. throw an exception) in this case, and not silently fall back to an insecure mode. Also, it might be a good idea to embed a certificate bundle (e.g. https://curl.haxx.se/ca/cacert.pem) in the library itself. If no system certificate bundle can be found, then you could always fall back to the embedded certificate bundle.

Let me know if you do have questions.
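The following is an added example, not code from this issue or from the oauth gem, showing the hardened resolution the report asks for: the same candidate paths, but a missing bundle either falls back to an embedded bundle or raises, and the HTTP object is always configured with VERIFY_PEER. The function and class names (`candidate_ca_files`, `resolve_ca_file`, `configure_tls`, `NoCABundleError`, `original_verify_mode`) and the `embedded:` keyword are assumptions for illustration; `original_verify_mode` reproduces the reported fallback only so the two behaviours can be compared side by side.

```ruby
require "openssl"
require "net/http"
require "tempfile"

# The reported behaviour, for comparison: with no ca_file option and no
# bundle on disk, verification is switched off entirely.
def original_verify_mode(option_ca_file, ca_file_constant)
  if option_ca_file || ca_file_constant
    OpenSSL::SSL::VERIFY_PEER
  else
    OpenSSL::SSL::VERIFY_NONE
  end
end

# Candidate bundle locations in the order the issue quotes. ENV['SSL_CERT_FILE']
# is dropped when unset or empty instead of becoming the literal "" entry
# that %W interpolation produces.
def candidate_ca_files(env = ENV)
  [env["SSL_CERT_FILE"],
   "/etc/ssl/certs/ca-certificates.crt",
   "/etc/pki/tls/certs/ca-bundle.crt",
   "/usr/share/curl/curl-ca-bundle.crt"].compact.reject(&:empty?)
end

class NoCABundleError < StandardError; end

# Hardened resolution: first readable system bundle, then the embedded bundle
# shipped with the library (hypothetical path passed by the caller), otherwise
# raise. This never returns nil, so no caller can reach VERIFY_NONE.
def resolve_ca_file(candidates, embedded: nil)
  found = candidates.find { |path| File.file?(path) && File.readable?(path) }
  return found if found
  return embedded if embedded && File.file?(embedded)
  raise NoCABundleError,
        "no CA bundle found in #{candidates.inspect}; refusing to disable certificate verification"
end

# Configure a Net::HTTP object so the peer certificate and chain are always
# checked against the resolved bundle.
def configure_tls(http, ca_file)
  http.use_ssl = true
  http.ca_file = ca_file
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.verify_depth = 5
  http
end

if __FILE__ == $PROGRAM_NAME
  ca = resolve_ca_file(candidate_ca_files, embedded: File.join(__dir__, "cacert.pem"))
  http = configure_tls(Net::HTTP.new("api.example.com", 443), ca)
  puts "verify_mode=#{http.verify_mode} ca_file=#{http.ca_file}"
end
```

Because `resolve_ca_file` raises instead of returning nil, a misconfigured deployment fails at the first HTTPS request rather than quietly accepting any certificate; the exception message also names every path that was checked, which makes the operational fix obvious.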
