Bug #14848
[Closed] Net/HTTP doesn't take verify_callback into account when OpenSSL::SSL::VERIFY_NONE
Description
Hi,
In (at least) net/http, the TLS connection is OK even if verify_callback returns false, if verify_mode is set to OpenSSL::SSL::VERIFY_NONE.
The callback is really called, but the TLS handshake is not stopped.
Use case: self-signed certificate (so implying VERIFY_NONE) but direct key pinning for trust (implying verify_callback).
Enclosed with this ticket is an example to reproduce the trouble.
For me, because verify_callback returns false in all cases, none of the connections must succeed.
Updated by aeris (Nicolas Vinot) over 6 years ago
- Subject changed from Net/HTTP don't take verify_callback into account when OpenSSL::SSL::VERIFY_NONE to Net/HTTP doesn't take verify_callback into account when OpenSSL::SSL::VERIFY_NONE
Updated by jeremyevans0 (Jeremy Evans) over 5 years ago
- Status changed from Open to Rejected
I believe this is expected behavior and not a bug. From the man page for SSL_CTX_set_verify (https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_verify.html):
The verify_callback function is used to control the behaviour when the SSL_VERIFY_PEER flag is set.
Basically, if you are not using SSL_VERIFY_PEER, then the verify_callback result is not used to make a decision on whether to accept the certificate. The fact that the verify_callback is called even if SSL_VERIFY_PEER is not set appears to be also implied in the man page.
If you would like this changed, you would have to work with OpenSSL and the various forks to get them to change the behavior of the SSL_CTX_set_verify function, which seems unlikely.
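The reporter's use case (self-signed server certificate, trust decided by key pinning in verify_callback) works once verify_mode is VERIFY_PEER rather than VERIFY_NONE, because only then does OpenSSL act on the callback's result. The following is an added example, not code from the ticket or from Ruby's openssl extension: it builds a constructed self-signed certificate, pins its public key in a VERIFY_PEER client context, and runs a real handshake over a socketpair to show that a non-matching pin aborts the connection. The function names (make_self_signed, spki_pin, pinned_client_context, handshake_accepted?) are this example's own.

```ruby
require "openssl"
require "socket"

# Constructed fixture: a throwaway self-signed certificate and its key.
def make_self_signed(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Pin value: hex SHA-256 of the DER-encoded public key.
def spki_pin(cert)
  OpenSSL::Digest::SHA256.hexdigest(cert.public_key.to_der)
end

# Client context that trusts exactly one pinned key. verify_mode must be
# VERIFY_PEER: with VERIFY_NONE the callback runs but its result is ignored.
def pinned_client_context(expected_pin)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.verify_callback = lambda do |_preverify_ok, store_ctx|
    # Chain errors (self-signed, no CA) are expected; accept only the pinned key.
    spki_pin(store_ctx.current_cert) == expected_pin
  end
  ctx
end

# Handshake over a socketpair; true if the client accepted the server's key.
def handshake_accepted?(server_cert, server_key, expected_pin)
  srv_io, cli_io = UNIXSocket.pair
  srv_ctx = OpenSSL::SSL::SSLContext.new
  srv_ctx.cert = server_cert
  srv_ctx.key = server_key
  server = Thread.new { OpenSSL::SSL::SSLSocket.new(srv_io, srv_ctx).accept rescue nil }
  OpenSSL::SSL::SSLSocket.new(cli_io, pinned_client_context(expected_pin)).connect
  true
rescue OpenSSL::SSL::SSLError
  false # verify_callback returned false: handshake aborted, as intended
ensure
  cli_io&.close
  server&.join
  srv_io&.close
end
```

The same context can be handed to Net::HTTP via its verify_mode and verify_callback accessors; the point is that the pin check only has teeth under VERIFY_PEER.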