Created June 1, 2011 01:03
commit ef5be277730e0f4985d2c26b0f7fb237ed81c0be
Author: James Golick <jamesgolick@gmail.com>
Date: Thu Dec 9 00:15:42 2010 -0800

looks like we don't actually need to configure the cert paths. OpenSSL will do that for us correctly by default
diff --git a/README.rdoc b/README.rdoc | |
index ebd9e40..2e0c004 100644 | |
--- a/README.rdoc | |
+++ b/README.rdoc | |
@@ -2,18 +2,11 @@ | |
Ruby's net/http is setup to never verify SSL certificates by default. Most ruby libraries do the same. That means that you're not verifying the identity of the server you're communicating with and are therefore exposed to man in the middle attacks. This gem monkey-patches net/http to force certificate verification and make turning it off impossible. | |
-All you need to do is require this gem, and set a path to your certificate authority bundle or directory: | |
+All you need to do is require this gem and you'll get good security by default. | |
$ gem install always_verify_ssl_certificates | |
require "always_verify_ssl_certificates" | |
- AlwaysVerifySSLCertificates.ca_file = "/etc/pki/tls/certs/ca-bundle.crt" # the centos location | |
- | |
-You can find that bundle at the following locations on various operating systems | |
- | |
-* CentOS / RHEL (I assume): AlwaysVerifySSLCertificates.ca_file = /etc/pki/tls/certs/ca-bundle.crt | |
-* Debian: AlwaysVerifySSLCertificates.ca_path = /etc/ssl/certs | |
-* OS X: ???? | |
== Copyright | |
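Review bot: dropping the CA-location list leaves the README silent about what verification now depends on; the removed bullet `* OS X: ????` shows the store location was never confirmed on at least one platform the old text covered, so the new sentence `you'll get good security by default` asserts more than the old README could back up. Suggest keeping one sentence stating that verification relies on OpenSSL's default CA store, that a verification failure on a host with a missing or unusual store is the intended outcome rather than something to work around, and that users who need a private or internal CA bundle no longer have a documented way to supply one.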
diff --git a/lib/always_verify_ssl_certificates.rb b/lib/always_verify_ssl_certificates.rb | |
index 6c66009..e530b16 100644 | |
--- a/lib/always_verify_ssl_certificates.rb | |
+++ b/lib/always_verify_ssl_certificates.rb | |
@@ -1,12 +1,6 @@ | |
require "net/http" | |
require "net/https" | |
-class AlwaysVerifySSLCertificates | |
- class << self | |
- attr_accessor :ca_file, :ca_path | |
- end | |
-end | |
- | |
module Net | |
class HTTP | |
private | |
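Review bot: deleting `AlwaysVerifySSLCertificates` together with its `ca_file`/`ca_path` accessors is a breaking change for every caller that followed the previous README and wrote `AlwaysVerifySSLCertificates.ca_file = "/etc/pki/tls/certs/ca-bundle.crt"`; after this commit that assignment raises NameError at load time instead of being ignored. It also removes the only way the gem offered to trust a private or internal CA, which is a common need for exactly the users who turn verification on. Suggest keeping the constant with the accessors as a deprecated shim that is still honored when set, or at least calling the removal out in the README with a version bump.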
@@ -15,13 +9,7 @@ module Net | |
s = timeout(@open_timeout) { TCPSocket.open(conn_address(), conn_port()) } | |
D "opened" | |
if use_ssl? | |
- if !AlwaysVerifySSLCertificates.ca_file && !AlwaysVerifySSLCertificates.ca_path | |
- raise "You must set AlwaysVerifySSLCertificates.ca_file or AlwaysVerifySSLCertificates.ca_path to use SSL." | |
- end | |
- | |
- @ssl_context.verify_mode = OpenSSL::SSL::VERIFY_PEER | |
- @ssl_context.ca_file = AlwaysVerifySSLCertificates.ca_file if AlwaysVerifySSLCertificates.ca_file | |
- @ssl_context.ca_path = AlwaysVerifySSLCertificates.ca_path if AlwaysVerifySSLCertificates.ca_path | |
+ self.verify_mode = OpenSSL::SSL::VERIFY_PEER | |
s = OpenSSL::SSL::SSLSocket.new(s, @ssl_context) | |
s.sync_close = true | |
end |
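Review bot: the replacement line sets `self.verify_mode` on the HTTP object, whereas the removed lines set `@ssl_context.verify_mode` on the context that is handed to `OpenSSL::SSL::SSLSocket.new(s, @ssl_context)` two lines later; unless `verify_mode=` writes through to `@ssl_context` on every supported Ruby, the socket is created with the context's original verify mode and the gem silently stops enforcing verification, which is the one thing it exists to do. Add a test on each supported Ruby that a connection to a host presenting a certificate from an unknown CA raises; with the `ca_file`/`ca_path` assignments gone, nothing in this hunk tells the context where the trust store is, so that same test is what substantiates the commit message's claim that OpenSSL supplies the paths by default.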