Feature #14377

Improve documentation for `OpenSSL::X509::Store#verify_callback=` and `OpenSSL::SSL::SSLContext#verify_callback=`

Added by graywolf (Gray Wolf) over 2 years ago. Updated almost 2 years ago.

Target version:


I'm trying to use OpenSSL::X509::Store#verify_callback= to ignore all errors during certificate validation, which according to man SSL_CTX_set_verify should be possible:

If verify_callback always returns 1, the TLS/SSL handshake will not be
terminated with respect to verification failures and the connection will
be established.

However, when I try to use the simplest possible callback satisfying the condition

cert_store.verify_callback = lambda do |preverify_ok, store_ctx|
  true  # always accept, as the man page describes
end

ruby still throws exception about certificate being invalid:

$ ~/ruby_debug/bin/ruby server.rb 
Traceback (most recent call last):
    1: from server.rb:24:in `<main>'
server.rb:24:in `accept': SSL_accept returned=1 errno=0 state=error: certificate verify failed (self signed certificate) (OpenSSL::SSL::SSLError)

and client

$ ~/ruby_debug/bin/ruby client.rb 
Traceback (most recent call last):
    1: from client.rb:20:in `<main>'
client.rb:20:in `connect': SSL_connect returned=1 errno=0 state=SSLv3/TLS write finished: tlsv1 alert unknown ca (OpenSSL::SSL::SSLError)

Both server.rb and client.rb are attached.


client.rb (533 Bytes), graywolf (Gray Wolf), 01/19/2018 10:55 PM
server.rb (709 Bytes), graywolf (Gray Wolf), 01/19/2018 10:55 PM

Updated by graywolf (Gray Wolf) over 2 years ago

In case it's relevant, certs were generated using

openssl req -x509 -newkey rsa:4096 -sha512 -nodes -keyout server.key -out server.crt -subj "/CN=server"
openssl req -x509 -newkey rsa:4096 -sha512 -nodes -keyout client.key -out client.crt -subj "/CN=client"

Updated by graywolf (Gray Wolf) over 2 years ago

  • Backport deleted (2.3: UNKNOWN, 2.4: UNKNOWN, 2.5: UNKNOWN)
  • ruby -v deleted (ruby 2.6.0dev (2018-01-20 trunk 61969) [x86_64-linux])
  • Subject changed from OpenSSL::X509::Store#verify_callback= doesn't seem to work as expected to Improve documentation for `OpenSSL::X509::Store#verify_callback=` and `OpenSSL::SSL::SSLContext#verify_callback=`
  • Tracker changed from Bug to Feature

Please close.

I need to learn to read docs. The fact that Store#verify_callback= is a method (so listed in left pane) while SSLContext#verify_callback= is an attribute (so NOT listed in left pane) completely got me.
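
The distinction behind this resolution, as an added example that is not part of the report or of ruby/openssl itself: a recording callback is installed on both the Store and the client's SSLContext, and a handshake over a socket pair shows that only the SSLContext callback is consulted. The certificate, the handshake helper and its parameter names are constructed for this example; each callback returns preverify_ok unchanged, so it observes without overriding the verdict, and the self-signed peer is accepted by adding its certificate to the store rather than by returning true from the callback.

```ruby
require "openssl"
require "socket"

# Constructed self-signed certificate for this example (not the report's server.crt).
def self_signed(cn, key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# One TLS handshake over a UNIX socket pair. The client verifies the server's
# certificate against a fresh Store. A recording callback is installed on BOTH
# the Store and the client's SSLContext to show which one the handshake calls.
# Each callback records the X509 error code it was invoked with (0 = V_OK)
# and returns preverify_ok unchanged, so it observes without changing policy.
# Returns { ok:, store_cb_errors:, ssl_cb_errors: } (hypothetical helper).
def handshake(trust_cert: false)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = self_signed("server", key)
  store_seen, ssl_seen = [], []

  store = OpenSSL::X509::Store.new
  store.add_cert(cert) if trust_cert        # the proper fix for a self-signed peer
  store.verify_callback = ->(ok, ctx) { store_seen << ctx.error; ok }

  sctx = OpenSSL::SSL::SSLContext.new       # server side presents the cert
  sctx.cert = cert
  sctx.key = key
  cctx = OpenSSL::SSL::SSLContext.new       # client side verifies it
  cctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  cctx.cert_store = store
  cctx.verify_callback = ->(ok, ctx) { ssl_seen << ctx.error; ok }

  a, b = UNIXSocket.pair
  server = Thread.new { OpenSSL::SSL::SSLSocket.new(a, sctx).accept rescue nil }
  client = OpenSSL::SSL::SSLSocket.new(b, cctx)
  ok = begin; client.connect; true; rescue OpenSSL::SSL::SSLError; false; end
  b.close                                   # EOF unblocks the server if it is still waiting
  server.join
  { ok: ok, store_cb_errors: store_seen, ssl_cb_errors: ssl_seen }
end
```

Calling `handshake` reproduces the report's failure with the SSLContext callback seeing V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT and the Store callback never running; `handshake(trust_cert: true)` succeeds with the same callbacks in place.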


Updated by hsbt (Hiroshi SHIBATA) almost 2 years ago

  • Status changed from Open to Rejected
