Bug #14848

Net/HTTP doesn't take verify_callback into account when OpenSSL::SSL::VERIFY_NONE

Added by aeris (Nicolas Vinot) 5 months ago. Updated 5 months ago.

Status: Open
Priority: Normal
Assignee: -
Target version: -
ruby -v: ruby 2.5.1p57 (2018-03-29 revision 63029) [x86_64-linux]
[ruby-core:87499]

Description

Hi,

In (at least) net/http, the TLS connection is OK even if verify_callback returns false if verify_mode is set to OpenSSL::SSL::VERIFY_NONE.
The callback is really called, but the TLS handshake is not stopped.

Use case: self-signed certificate (so implying VERIFY_NONE) but direct key pinning for trust (implying verify_callback).

Enclosed with this ticket is an example to reproduce the trouble.
For me, because of verify_callback returning false in all cases, none of the connections must succeed.

Attachment: verify_callback.rb (394 Bytes), aeris (Nicolas Vinot), 06/15/2018 10:00 AM

History

#1 Updated by aeris (Nicolas Vinot) 5 months ago

  • Subject changed from Net/HTTP don't take verify_callback into account when OpenSSL::SSL::VERIFY_NONE to Net/HTTP doesn't take verify_callback into account when OpenSSL::SSL::VERIFY_NONE
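
Added example (not part of the ticket, its attachment, or Ruby's own code): a sketch of the use case above, pinning a self-signed server key, run once with VERIFY_NONE and once with VERIFY_PEER so the effect of the callback's return value is visible. The helper names (self_signed, key_pin, pin_callback, handshake) and the certificates are constructed for illustration, and the handshake uses a raw OpenSSL::SSL::SSLSocket over a local socket pair instead of Net::HTTP so that it runs offline.

```ruby
require 'openssl'
require 'socket'

# Constructed self-signed certificate standing in for the server in the report.
def self_signed(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Pin = SHA-256 over the DER encoding of the certificate's public key.
def key_pin(cert)
  OpenSSL::Digest::SHA256.hexdigest(cert.public_key.to_der)
end

# Accept the peer only if the leaf key matches the pin. Chain errors such as
# "self-signed" are deliberately overridden: the pin is the trust anchor here.
def pin_callback(pin)
  ->(_preverify_ok, store) { key_pin(store.chain.first) == pin }
end

# Runs one handshake over a local socket pair. Returns true if the client
# handshake completed, false if certificate verification aborted it.
def handshake(key, cert, verify_mode, &callback)
  c_io, s_io = UNIXSocket.pair
  sctx = OpenSSL::SSL::SSLContext.new
  sctx.cert = cert
  sctx.key = key
  server = Thread.new do
    OpenSSL::SSL::SSLSocket.new(s_io, sctx).accept rescue nil
  end
  cctx = OpenSSL::SSL::SSLContext.new
  cctx.verify_mode = verify_mode
  cctx.verify_callback = callback
  OpenSSL::SSL::SSLSocket.new(c_io, cctx).connect
  true
rescue OpenSSL::SSL::SSLError
  false
ensure
  c_io&.close
  server&.join
  s_io&.close
end
```

With Net::HTTP the same two settings are the verify_mode and verify_callback attributes of the connection object.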
