Project

General

Profile

Bug #3150

net/https peer verification doesn't do anything

Added by hongli (Hongli Lai) over 10 years ago. Updated about 9 years ago.

Status:
Third Party's Issue
Priority:
Normal
Target version:
ruby -v:
ruby 1.8.7 (2009-06-08 patchlevel 173) [universal-darwin10.0]
Backport:
[ruby-core:29528]

Description

=begin
Setting verify_mode to VERIFY_PEER should make net/https raise an exception if peer certificate verification fails. For example:

require 'net/http'
require 'net/https'
require 'openssl'

url = URI.parse("https://bugzilla.redhat.com/")
http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_PEER

http.verify_callback = proc do |preverify_ok, ssl_context|
  puts "verification succeeded: #{preverify_ok}"
end

request = Net::HTTP::Get.new(url.path)
response = http.request(request)   # Should raise error

Expected output:

$ ruby ssltest.rb 
verification succeeded: false
.../lib/ruby/1.8/net/http.rb:586:in `connect': certificate verify failed (OpenSSL::SSL::SSLError)

Actual output:

$ ruby ssltest.rb
verification succeeded: false
(no exception raised)

Either net/https is broken, or OpenSSL is broken, or OpenSSL changed some default behavior.
I can reproduce the problem OS X Snow Leopard with OpenSSL 0.9.8k and the following Ruby versions:

  • ruby 1.8.6 (2010-02-05 patchlevel 399) [i686-darwin10.3.0]
  • ruby 1.8.7 (2009-06-08 patchlevel 173) [universal-darwin10.0]
  • ruby 1.9.1p376 (2009-12-07 revision 26041) [i386-darwin10.2.0]
  • ruby 1.9.2dev (2010-04-09 trunk 27271) [x86_64-darwin10.3.0]

The problem does not occur on Debian Linux 5 with OpenSSL 0.9.8g and the following Ruby versions:

  • ruby 1.8.6 (2008-08-11 patchlevel 287) [i686-linux]

I don't know whether 1.8.6-p287 exhibits the problem on Snow Leopard, it fails to compile with the following errors:

gcc -I. -I../.. -I../../. -I../.././ext/openssl -DRUBY_EXTCONF_H=\"extconf.h\" -fno-common -g -O2 -pipe -fno-common -c openssl_missing.c
In file included from openssl_missing.c:22:
openssl_missing.h:123: error: conflicting types for 'BN_rand_range'
/usr/include/openssl/bn.h:411: error: previous declaration of 'BN_rand_range' was here
openssl_missing.h:124: error: conflicting types for 'BN_pseudo_rand_range'
/usr/include/openssl/bn.h:412: error: previous declaration of 'BN_pseudo_rand_range' was here
=end

Also available in: Atom PDF