From: aeris+ruby@...
Date: 2018-06-15T10:02:56+00:00
Subject: [ruby-core:87499] [Ruby trunk Bug#14848] Net/HTTP don't take verify_callback into account when OpenSSL::SSL::VERIFY_NONE

Issue #14848 has been reported by aeris (Nicolas Vinot).

----------------------------------------
Bug #14848: Net/HTTP don't take verify_callback into account when OpenSSL::SSL::VERIFY_NONE
https://bugs.ruby-lang.org/issues/14848

* Author: aeris (Nicolas Vinot)
* Status: Open
* Priority: Normal
* Assignee:
* Target version:
* ruby -v: ruby 2.5.1p57 (2018-03-29 revision 63029) [x86_64-linux]
* Backport: 2.3: UNKNOWN, 2.4: UNKNOWN, 2.5: UNKNOWN
----------------------------------------
Hi,

In (at least) net/http, the TLS connection is OK even if `verify_callback` returns `false` if `verify_mode` is set to `OpenSSL::SSL::VERIFY_NONE`.
The callback is really called, but the TLS handshake is not stopped.

Use case: self-signed certificate (so implying `VERIFY_NONE`) but direct key pinning for trust (implying `verify_callback`).

Enclosed with this ticket is an example to reproduce the trouble.
For me, because of `verify_callback` returning `false` in all cases, none of the connections must succeed.

---Files--------------------------------
verify_callback.rb (394 Bytes)

--
https://bugs.ruby-lang.org/
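The behaviour reported above, next to a pin check that does not depend on the callback's return value, as an added example (not the attached verify_callback.rb and not code from the Ruby project). The helpers `self_signed`, `spki_pin` and `pinned_handshake`, the socket-pair transport and the throwaway certificate are assumptions made for illustration.

```ruby
require 'openssl'
require 'socket'

# Constructed test material: a throwaway self-signed certificate.
def self_signed(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# SHA-256 over the DER SubjectPublicKeyInfo of the certificate's public key.
def spki_pin(cert)
  OpenSSL::Digest.new('SHA256').hexdigest(cert.public_key.to_der)
end

# Handshake over a local socket pair (no network) with VERIFY_NONE and a
# callback that always rejects, then an explicit pin check on the peer cert.
def pinned_handshake(key, cert, pins)
  c_io, s_io = UNIXSocket.pair
  sctx = OpenSSL::SSL::SSLContext.new
  sctx.key = key
  sctx.cert = cert
  server = Thread.new { OpenSSL::SSL::SSLSocket.new(s_io, sctx).accept rescue nil }

  called = false
  cctx = OpenSSL::SSL::SSLContext.new
  cctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
  cctx.verify_callback = ->(_ok, _store_ctx) { called = true; false }
  ssl = OpenSSL::SSL::SSLSocket.new(c_io, cctx)
  ssl.connect # completes even though the callback returned false
  # Fail closed here: the caller must drop the connection when pin_ok is false.
  { callback_called: called, pin_ok: pins.include?(spki_pin(ssl.peer_cert)) }
ensure
  server&.join(5)
  [c_io, s_io].each { |io| io&.close unless io&.closed? }
end
```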