From: Hiroshi NAKAMURA <nakahiro@...>
Date: 2011-03-06T07:22:42+09:00
Subject: [ruby-core:35434] [Ruby - Bug #3150] net/https peer verification doesn't do anything


Issue #3150 has been updated by Hiroshi NAKAMURA.


http://www.afp548.com/article.php?story=20091007164413755

Apple looks to ship customized OpenSSL which integrates trusted root certificates from OS's system keychain. So we should test against not https://bugs.redhat.com/ but another SSL site which is using the certificate OS does not trust.

Hongli, can you confirm that the result of your program affected by OS's keychain setting?
----------------------------------------
Bug #3150: net/https peer verification doesn't do anything
http://redmine.ruby-lang.org/issues/3150

Author: Hongli Lai
Status: Assigned
Priority: High
Assignee: Hiroshi NAKAMURA
Category: 
Target version: 
ruby -v: ruby 1.8.7 (2009-06-08 patchlevel 173) [universal-darwin10.0]


 Setting verify_mode to VERIFY_PEER should make net/https raise an exception if peer certificate verification fails. For example:
 
    require 'net/http'
    require 'net/https'
    require 'openssl'
 
    url = URI.parse("https://bugzilla.redhat.com/")
    http = Net::HTTP.new(url.host, url.port)
    http.use_ssl = true
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
 
    http.verify_callback = proc do |preverify_ok, ssl_context|
      puts "verification succeeded: #{preverify_ok}"
    end
 
    request = Net::HTTP::Get.new(url.path)
    response = http.request(request)   # Should raise error
 
 Expected output:
 
    $ ruby ssltest.rb 
    verification succeeded: false
    .../lib/ruby/1.8/net/http.rb:586:in `connect': certificate verify failed (OpenSSL::SSL::SSLError)
 
 Actual output:
 
    $ ruby ssltest.rb
    verification succeeded: false
    (no exception raised)
 
 Either net/https is broken, or OpenSSL is broken, or OpenSSL changed some default behavior.
 I can reproduce the problem OS X Snow Leopard with OpenSSL 0.9.8k and the following Ruby versions:
 - ruby 1.8.6 (2010-02-05 patchlevel 399) [i686-darwin10.3.0]
 - ruby 1.8.7 (2009-06-08 patchlevel 173) [universal-darwin10.0]
 - ruby 1.9.1p376 (2009-12-07 revision 26041) [i386-darwin10.2.0]
 - ruby 1.9.2dev (2010-04-09 trunk 27271) [x86_64-darwin10.3.0]
 
 The problem does not occur on Debian Linux 5 with OpenSSL 0.9.8g and the following Ruby versions:
 - ruby 1.8.6 (2008-08-11 patchlevel 287) [i686-linux]
 
 I don't know whether 1.8.6-p287 exhibits the problem on Snow Leopard, it fails to compile with the following errors:
 
 gcc -I. -I../.. -I../../. -I../.././ext/openssl -DRUBY_EXTCONF_H=\"extconf.h\"   -fno-common -g -O2 -pipe -fno-common  -c openssl_missing.c
 In file included from openssl_missing.c:22:
 openssl_missing.h:123: error: conflicting types for 'BN_rand_range'
 /usr/include/openssl/bn.h:411: error: previous declaration of 'BN_rand_range' was here
 openssl_missing.h:124: error: conflicting types for 'BN_pseudo_rand_range'
 /usr/include/openssl/bn.h:412: error: previous declaration of 'BN_pseudo_rand_range' was here


-- 
http://redmine.ruby-lang.org