Bug #14848: Net/HTTP doesn't take verify_callback into account when OpenSSL::SSL::VERIFY_NONE - Ruby master - Ruby Issue Tracking System

Actions

Copy link

Bug #14848

closed

Net/HTTP doesn't take verify_callback into account when OpenSSL::SSL::VERIFY_NONE

Added by aeris (Nicolas Vinot) over 6 years ago. Updated over 5 years ago.

Status:

Rejected

Assignee:

Target version:

ruby -v:

ruby 2.5.1p57 (2018-03-29 revision 63029) [x86_64-linux]

Backport:

2.3: UNKNOWN, 2.4: UNKNOWN, 2.5: UNKNOWN

[ruby-core:87499]

Description

Hi,

In (at least) net/http, the TLS connection is OK even if verify_callback return false if verify_mode is set to OpenSSL::SSL::VERIFY_NONE.
The callback is really called, but the TLS handshake is not stopped.

Use case: self-signed certificate (so imply VERIFY_NONE) but direct key pinning for trust (implying verify_callback).

Enclosed to this ticket, a example to reproduce the trouble.
For me, because of verify_callback returning false in all case, none of the connection must succeed.

Files

verify_callback.rb (394 Bytes) verify_callback.rb

aeris (Nicolas Vinot), 06/15/2018 10:00 AM

Actions

Copy link

Also available in: Atom PDF

Like0

Like0Like0

Project

General

Profile

Ruby » Ruby master

Custom queries

Bug #14848

Net/HTTP doesn't take verify_callback into account when OpenSSL::SSL::VERIFY_NONE

Updated by aeris (Nicolas Vinot) over 6 years ago

Updated by jeremyevans0 (Jeremy Evans) over 5 years ago