Feature #14377
closedImprove documentation for `OpenSSL::X509::Store#verify_callback=` and `OpenSSL::SSL::SSLContext#verify_callback=`
Description
I'm trying to use OpenSSL::X509::Store#verify_callback=
to ignore all error during certificate validation, which according to man SSL_CTX_set_verify
should be possible:
If verify_callback always returns 1, the TLS/SSL handshake will not be
terminated with respect to verification failures and the connection will
be established.
However, when I try to use simplest possible callback satifying the condition
above
cert_store.verify_callback = lambda do |preverify_ok, store_ctx|
true
end
ruby still throws exception about certificate being invalid:
$ ~/ruby_debug/bin/ruby server.rb
Traceback (most recent call last):
1: from server.rb:24:in `<main>'
server.rb:24:in `accept': SSL_accept returned=1 errno=0 state=error: certificate verify failed (self signed certificate) (OpenSSL::SSL::SSLError)
and client
$ ~/ruby_debug/bin/ruby client.rb
Traceback (most recent call last):
1: from client.rb:20:in `<main>'
client.rb:20:in `connect': SSL_connect returned=1 errno=0 state=SSLv3/TLS write finished: tlsv1 alert unknown ca (OpenSSL::SSL::SSLError)
Both server.rb
and client.rb
are attached.
Files
Updated by graywolf (Gray Wolf) about 6 years ago
In case it's relevant, certs were generated using
openssl req -x509 -newkey rsa:4096 -sha512 -nodes -keyout server.key -out server.crt -subj "/CN=server"
openssl req -x509 -newkey rsa:4096 -sha512 -nodes -keyout client.key -out client.crt -subj "/CN=client"
Updated by graywolf (Gray Wolf) about 6 years ago
- Tracker changed from Bug to Feature
- Subject changed from OpenSSL::X509::Store#verify_callback= doesn't seem to work as expected to Improve documentation for `OpenSSL::X509::Store#verify_callback=` and `OpenSSL::SSL::SSLContext#verify_callback=`
- ruby -v deleted (
ruby 2.6.0dev (2018-01-20 trunk 61969) [x86_64-linux]) - Backport deleted (
2.3: UNKNOWN, 2.4: UNKNOWN, 2.5: UNKNOWN)
Please close.
I need to learn to read docs. The fact that Store#verify_callback=
is method (so listed in left pane) while SSLContext#verify_callback=
is attribute (so NOT listed in left pane) completely got me.
Updated by hsbt (Hiroshi SHIBATA) over 5 years ago
- Status changed from Open to Rejected