From: Hiroshi Nakamura
Date: 2011-06-29T19:54:00+09:00
Subject: [ruby-core:37662] [Ruby 1.9 - Bug #3150][Third Party's Issue] net/https peer verification doesn't do anything

Issue #3150 has been updated by Hiroshi Nakamura.

Category set to ext
Status changed from Assigned to Third Party's Issue
Priority changed from High to Normal

Finally I found that Apple ships a patched version of OpenSSL.
http://www.opensource.apple.com/source/OpenSSL098/OpenSSL098-27/src/crypto/x509/x509_vfy_apple.h

  /*
   * X509_verify_cert
   *
   * Originally located in x509_vfy.c.
   *
   * Verify certificate with OpenSSL created X509_verify_cert. If and only if
   * OpenSSL cannot get certificate issuer locally then OS X security API will
   * verify the certificate, using TrustEvaluationAgent.
   *
   * Return values:
   * --------------
   * -1: Null was passed for either ctx or ctx->cert.
   *  0: Certificate is trusted.
   *  1: Certificate is not trusted.
   */
  int X509_verify_cert(X509_STORE_CTX *ctx);

So, with the OpenSSL on Snow Leopard, a certificate is trusted if the certificate is trusted by the system even if you don't set a proper SSL_CERT_DIR. You can see the original report has a verify callback and it reports 'false'.

Here's what x509_vfy_apple.c is doing:
http://www.opensource.apple.com/source/OpenSSL098/OpenSSL098-27/src/crypto/x509/x509_vfy_apple.c

  /* Try OpenSSL, if we get a local certificate issue verify against trusted roots */
  ret = X509_verify_cert_orig(ctx);
  if (ret != 1 && (ctx->error & X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)) {
  ...

So even though you return false from verify_callback, it could be trusted by the system if the reason is X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY.

I close this as 'Third Party's Issue.' Yes, it's an *issue* of Snow Leopard.
Please let me know if I am wrong. I'll reopen this.
----------------------------------------
Bug #3150: net/https peer verification doesn't do anything
http://redmine.ruby-lang.org/issues/3150

Author: Hongli Lai
Status: Third Party's Issue
Priority: Normal
Assignee: Hiroshi Nakamura
Category: ext
Target version: 1.9.3
ruby -v: ruby 1.8.7 (2009-06-08 patchlevel 173) [universal-darwin10.0]

=begin
Setting verify_mode to VERIFY_PEER should make net/https raise an exception if peer certificate verification fails. For example:

  require 'net/http'
  require 'net/https'
  require 'openssl'

  url = URI.parse("https://bugzilla.redhat.com/")
  http = Net::HTTP.new(url.host, url.port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.verify_callback = proc do |preverify_ok, ssl_context|
    puts "verification succeeded: #{preverify_ok}"
  end
  request = Net::HTTP::Get.new(url.path)
  response = http.request(request)   # Should raise error

Expected output:

  $ ruby ssltest.rb
  verification succeeded: false
  .../lib/ruby/1.8/net/http.rb:586:in `connect': certificate verify failed (OpenSSL::SSL::SSLError)

Actual output:

  $ ruby ssltest.rb
  verification succeeded: false
  (no exception raised)

Either net/https is broken, or OpenSSL is broken, or OpenSSL changed some default behavior.

I can reproduce the problem on OS X Snow Leopard with OpenSSL 0.9.8k and the following Ruby versions:
- ruby 1.8.6 (2010-02-05 patchlevel 399) [i686-darwin10.3.0]
- ruby 1.8.7 (2009-06-08 patchlevel 173) [universal-darwin10.0]
- ruby 1.9.1p376 (2009-12-07 revision 26041) [i386-darwin10.2.0]
- ruby 1.9.2dev (2010-04-09 trunk 27271) [x86_64-darwin10.3.0]

The problem does not occur on Debian Linux 5 with OpenSSL 0.9.8g and the following Ruby versions:
- ruby 1.8.6 (2008-08-11 patchlevel 287) [i686-linux]

I don't know whether 1.8.6-p287 exhibits the problem on Snow Leopard; it fails to compile with the following errors:

  gcc -I. -I../.. -I../../. -I../.././ext/openssl -DRUBY_EXTCONF_H=\"extconf.h\" -fno-common -g -O2 -pipe -fno-common -c openssl_missing.c
  In file included from openssl_missing.c:22:
  openssl_missing.h:123: error: conflicting types for 'BN_rand_range'
  /usr/include/openssl/bn.h:411: error: previous declaration of 'BN_rand_range' was here
  openssl_missing.h:124: error: conflicting types for 'BN_pseudo_rand_range'
  /usr/include/openssl/bn.h:412: error: previous declaration of 'BN_pseudo_rand_range' was here
=end

-- 
http://redmine.ruby-lang.org
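The thread turns on two things: the exact OpenSSL error that Apple's patch keys on (X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, exposed to Ruby as OpenSSL::X509::V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY), and the contract of verify_callback, whose return value decides whether OpenSSL's verdict stands. The script below is an added example written for this page; it is not code from the thread, from Apple's patch, or from Ruby's net/http, and the helper names build_cert, verify_leaf and issuer_missing_locally? are its own. It builds a constructed two-certificate PKI offline, then verifies the leaf against (a) a store holding its CA, (b) an empty store with a fail-closed callback, which surfaces error 20, and (c) an empty store with a callback that returns true unconditionally, the misconfiguration that makes "verification doesn't do anything" on any platform. It cannot reproduce Snow Leopard's behaviour itself, because that override happens inside X509_verify_cert, below the callback.

```ruby
require 'openssl'

# Constructed test PKI (not real certificates): a self-signed CA and a leaf it issued.
def build_cert(subject:, serial:, key:, issuer_cert: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                                   # X.509 v3, required for extensions
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', ca ? 'keyCertSign,cRLSign' : 'digitalSignature', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

CA_KEY    = OpenSSL::PKey::RSA.new(2048)
CA_CERT   = build_cert(subject: '/CN=Constructed Test Root CA', serial: 1, key: CA_KEY, ca: true)
LEAF_KEY  = OpenSSL::PKey::RSA.new(2048)
LEAF_CERT = build_cert(subject: '/CN=example.test', serial: 2, key: LEAF_KEY,
                       issuer_cert: CA_CERT, issuer_key: CA_KEY)

# Verify +leaf+ against exactly the given trust anchors (no system store).
# The callback records every failure it is shown and, unless override_verdict
# is set, returns preverify_ok so OpenSSL's own verdict is never overruled.
# Returns [verified?, [[error_code, error_string, depth], ...]].
def verify_leaf(leaf, trusted_roots, override_verdict: false)
  store = OpenSSL::X509::Store.new
  trusted_roots.each { |root| store.add_cert(root) }
  failures = []
  store.verify_callback = proc do |preverify_ok, ctx|
    failures << [ctx.error, ctx.error_string, ctx.error_depth] unless preverify_ok
    # Ruby's binding treats a return of true as "error fixed" and resets the
    # context error to X509_V_OK; anything else rejects. Returning true here
    # unconditionally is the weak setting: it neuters chain verification.
    override_verdict ? true : preverify_ok
  end
  [store.verify(leaf), failures]
end

# True when the only thing wrong was a missing local issuer, the case
# Apple's patched X509_verify_cert hands to the system trust store.
def issuer_missing_locally?(failures)
  failures.any? { |code, _, _| code == OpenSSL::X509::V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY }
end

if __FILE__ == $0
  ok, failures = verify_leaf(LEAF_CERT, [CA_CERT])
  puts "CA in store, fail-closed:   #{ok}"
  ok, failures = verify_leaf(LEAF_CERT, [])
  puts "empty store, fail-closed:   #{ok} #{failures.inspect}"
  puts "  issuer missing locally?   #{issuer_missing_locally?(failures)}"
  ok, = verify_leaf(LEAF_CERT, [], override_verdict: true)
  puts "empty store, callback=true: #{ok} (verification disabled)"
end
```

The same proc can be assigned to Net::HTTP#verify_callback; what matters is that it ends with preverify_ok. On stock OpenSSL the report's callback already fails closed, since puts returns nil and Ruby's binding rejects on anything but true; the Snow Leopard case is different precisely because the fallback to the system trust store runs inside X509_verify_cert before the callback's answer is consulted.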