@jamesgolick
Created June 1, 2011 01:03
commit ef5be277730e0f4985d2c26b0f7fb237ed81c0be
Author: James Golick <jamesgolick@gmail.com>
Date: Thu Dec 9 00:15:42 2010 -0800
looks like we don't actually need to configure the cert paths. OpenSSL will do that for us correctly by default
diff --git a/README.rdoc b/README.rdoc
index ebd9e40..2e0c004 100644
--- a/README.rdoc
+++ b/README.rdoc
@@ -2,18 +2,11 @@
Ruby's net/http is setup to never verify SSL certificates by default. Most ruby libraries do the same. That means that you're not verifying the identity of the server you're communicating with and are therefore exposed to man in the middle attacks. This gem monkey-patches net/http to force certificate verification and make turning it off impossible.
-All you need to do is require this gem, and set a path to your certificate authority bundle or directory:
+All you need to do is require this gem and you'll get good security by default.
$ gem install always_verify_ssl_certificates
require "always_verify_ssl_certificates"
- AlwaysVerifySSLCertificates.ca_file = "/etc/pki/tls/certs/ca-bundle.crt" # the centos location
-
-You can find that bundle at the following locations on various operating systems
-
-* CentOS / RHEL (I assume): AlwaysVerifySSLCertificates.ca_file = /etc/pki/tls/certs/ca-bundle.crt
-* Debian: AlwaysVerifySSLCertificates.ca_path = /etc/ssl/certs
-* OS X: ????
== Copyright
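Review bot: the new README line "you'll get good security by default" drops the only documentation of where the CA store lives (the CentOS/RHEL and Debian entries, and the open "OS X: ????" item) without saying what the gem now relies on instead. Since the commit message's justification is that OpenSSL locates the CA bundle on its own, the README should state that verification uses OpenSSL's default certificate store, and say what a user sees on a host where that store is missing or does not contain the needed root (a verification failure on connect), so that nobody reads "by default" as "works everywhere". It should also say how a user with an internal CA is expected to proceed now that `ca_file` / `ca_path` are gone.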
diff --git a/lib/always_verify_ssl_certificates.rb b/lib/always_verify_ssl_certificates.rb
index 6c66009..e530b16 100644
--- a/lib/always_verify_ssl_certificates.rb
+++ b/lib/always_verify_ssl_certificates.rb
@@ -1,12 +1,6 @@
require "net/http"
require "net/https"
-class AlwaysVerifySSLCertificates
- class << self
- attr_accessor :ca_file, :ca_path
- end
-end
-
module Net
class HTTP
private
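Review bot: removing the `AlwaysVerifySSLCertificates` class with its `ca_file` / `ca_path` accessors is a breaking change for every caller who followed the previous README and wrote `AlwaysVerifySSLCertificates.ca_file = "/etc/pki/tls/certs/ca-bundle.crt"`; after this commit that assignment raises `NameError` at load time. It also removes the only hook for trusting a private or internal CA. Suggest keeping the class and accessors (optionally applied to the context when set, otherwise falling through to OpenSSL's defaults), or at minimum calling the break out in the commit message and README and bumping the major version.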
@@ -15,13 +9,7 @@ module Net
s = timeout(@open_timeout) { TCPSocket.open(conn_address(), conn_port()) }
D "opened"
if use_ssl?
- if !AlwaysVerifySSLCertificates.ca_file && !AlwaysVerifySSLCertificates.ca_path
- raise "You must set AlwaysVerifySSLCertificates.ca_file or AlwaysVerifySSLCertificates.ca_path to use SSL."
- end
-
- @ssl_context.verify_mode = OpenSSL::SSL::VERIFY_PEER
- @ssl_context.ca_file = AlwaysVerifySSLCertificates.ca_file if AlwaysVerifySSLCertificates.ca_file
- @ssl_context.ca_path = AlwaysVerifySSLCertificates.ca_path if AlwaysVerifySSLCertificates.ca_path
+ self.verify_mode = OpenSSL::SSL::VERIFY_PEER
s = OpenSSL::SSL::SSLSocket.new(s, @ssl_context)
s.sync_close = true
end
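Review bot: the replacement line `self.verify_mode = OpenSSL::SSL::VERIFY_PEER` sets an attribute on the `Net::HTTP` object, but the socket two lines later is built from `@ssl_context`, and nothing in this hunk propagates the new `verify_mode` into `@ssl_context`; the removed code enforced it on the context directly with `@ssl_context.verify_mode = OpenSSL::SSL::VERIFY_PEER`. Unless the context is (re)built from `@verify_mode` somewhere outside this hunk after this assignment, the socket is created with whatever `@ssl_context` already held, which would undo the gem's stated promise of making verification impossible to turn off. Suggest setting `@ssl_context.verify_mode = OpenSSL::SSL::VERIFY_PEER` here as before (with the context loading OpenSSL's default paths), or adding a comment pointing at where `@ssl_context` picks up `verify_mode`, and adding a test that an `https` connection to a host with an untrusted certificate raises a verify error even when the caller set `verify_mode = VERIFY_NONE` beforehand.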