Project

General

Profile

Actions
Copy link

Bug #14848

closed

Net/HTTP doesn't take verify_callback into account when OpenSSL::SSL::VERIFY_NONE

Bug #14848: Net/HTTP doesn't take verify_callback into account when OpenSSL::SSL::VERIFY_NONE

Added by aeris (Nicolas Vinot) over 7 years ago. Updated over 6 years ago.

Status:
Rejected
Assignee:
-
Target version:
-
ruby -v:
ruby 2.5.1p57 (2018-03-29 revision 63029) [x86_64-linux]
Backport:
2.3: UNKNOWN, 2.4: UNKNOWN, 2.5: UNKNOWN
[ruby-core:87499]

Description

Hi,

In (at least) net/http, the TLS connection is OK even if verify_callback return false if verify_mode is set to OpenSSL::SSL::VERIFY_NONE.
The callback is really called, but the TLS handshake is not stopped.

Use case: self-signed certificate (so imply VERIFY_NONE) but direct key pinning for trust (implying verify_callback).

Enclosed to this ticket, a example to reproduce the trouble.
For me, because of verify_callback returning false in all case, none of the connection must succeed.

Files

verify_callback.rb (394 Bytes) verify_callback.rb aeris (Nicolas Vinot), 06/15/2018 10:00 AM
Actions
Copy link

Also available in: PDF Atom