In my previous post I described how to securely acquire the Mozilla list of root certificates and convert them to a form usable by curl and various libraries which don't ship with them.
Next, I want to point Net::HTTP at this file library-wide, so that it is used by all invocations of methods accessing https resources (in particular, Kernel#open, which in Ruby 1.8.7 does not have a ca_file option and is therefore unusable with https). I hunted around the Ruby standard library for a couple of hours and came up with this:
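```ruby
require 'open-uri'
require 'net/https'

module Net
  class HTTP
    # Keep a handle on the stock setter so the override can delegate to it.
    alias_method :original_use_ssl=, :use_ssl=

    # Every time SSL is switched on, pin the CA bundle and require
    # certificate verification before handing off to the original setter.
    def use_ssl=(flag)
      self.ca_file = "/path/to/ca-bundle.crt"
      self.verify_mode = OpenSSL::SSL::VERIFY_PEER # ruby default is VERIFY_NONE!
      self.original_use_ssl = flag
    end
  end
end
```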
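An added example, not code from the original post: the same library-wide override written with `Module#prepend`, plus a check that a given Net::HTTP object still carries the pinned settings. The names `PinnedCaBundle`, `audited_client` and `tls_config_problems` are hypothetical, and a constructed temporary file stands in for the real ca-bundle.crt.

```ruby
require 'net/http'
require 'openssl'
require 'tempfile'

# Hypothetical module: the same override, applied with Module#prepend.
module PinnedCaBundle
  class << self
    attr_accessor :path # location of the CA bundle (set by the caller)
  end

  def use_ssl=(flag)
    bundle = PinnedCaBundle.path
    # Refuse to enable TLS if the bundle is missing or unreadable.
    unless bundle && File.readable?(bundle)
      raise ArgumentError, "CA bundle not readable: #{bundle.inspect}"
    end
    self.ca_file = bundle
    self.verify_mode = OpenSSL::SSL::VERIFY_PEER
    super
  end
end

Net::HTTP.prepend(PinnedCaBundle)

# Build a client the way library code would; no connection is opened.
def audited_client(host, port = 443)
  http = Net::HTTP.new(host, port)
  http.use_ssl = true
  http
end

# List the ways a Net::HTTP object deviates from the pinned TLS settings.
def tls_config_problems(http)
  problems = []
  problems << 'TLS not enabled' unless http.use_ssl?
  problems << 'peer verification disabled' unless http.verify_mode == OpenSSL::SSL::VERIFY_PEER
  problems << 'unexpected ca_file' unless http.ca_file == PinnedCaBundle.path
  problems
end

if __FILE__ == $PROGRAM_NAME
  bundle = Tempfile.new('ca-bundle') # constructed stand-in for ca-bundle.crt
  PinnedCaBundle.path = bundle.path
  http = audited_client('example.invalid')
  p tls_config_problems(http)
  # Code that runs after use_ssl= can still undo the setting; the audit sees it.
  http.verify_mode = OpenSSL::SSL::VERIFY_NONE
  p tls_config_problems(http)
end
```

The override only sets values at the moment `use_ssl=` is called, so a check like `tls_config_problems` is what reveals code that resets `verify_mode` afterwards.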
Now you can do things like