Project

General

Profile

Actions

Bug #14848

closed

Net/HTTP doesn't take verify_callback into account when OpenSSL::SSL::VERIFY_NONE

Added by aeris (Nicolas Vinot) over 6 years ago. Updated over 5 years ago.

Status:
Rejected
Assignee:
-
Target version:
-
ruby -v:
ruby 2.5.1p57 (2018-03-29 revision 63029) [x86_64-linux]
[ruby-core:87499]

Description

Hi,

In (at least) net/http, the TLS connection is OK even if verify_callback return false if verify_mode is set to OpenSSL::SSL::VERIFY_NONE.
The callback is really called, but the TLS handshake is not stopped.

Use case: self-signed certificate (so imply VERIFY_NONE) but direct key pinning for trust (implying verify_callback).

Enclosed to this ticket, a example to reproduce the trouble.
For me, because of verify_callback returning false in all case, none of the connection must succeed.


Files

verify_callback.rb (394 Bytes) verify_callback.rb aeris (Nicolas Vinot), 06/15/2018 10:00 AM
Actions #1

Updated by aeris (Nicolas Vinot) over 6 years ago

  • Subject changed from Net/HTTP don't take verify_callback into account when OpenSSL::SSL::VERIFY_NONE to Net/HTTP doesn't take verify_callback into account when OpenSSL::SSL::VERIFY_NONE

Updated by jeremyevans0 (Jeremy Evans) over 5 years ago

  • Status changed from Open to Rejected

I believe this is expected behavior and not a bug. From the man page for SSL_CTX_set_verify (https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_verify.html):

The verify_callback function is used to control the behaviour when the SSL_VERIFY_PEER flag is set.

Basically, if you are not using SSL_VERIFY_PEER, then the verify_callback result is not used to make a decision on whether to accept the certificate. The fact that the verify_callback is called even if SSL_VERIFY_PEER is not set appears to be also implied in the man page.

If you would like this changed, you would have to work with OpenSSL and the various forks to get them to change the behavior of the SSL_CTX_set_verify function, which seems unlikely.

Actions

Also available in: Atom PDF

Like0
Like0Like0