Net/HTTP doesn't take verify_callback into account when OpenSSL::SSL::VERIFY_NONE
In (at least) net/http, the TLS connection is OK even if
verify_mode is set to
The callback is really called, but the TLS handshake is not stopped.
Use case: self-signed certificate (so imply
VERIFY_NONE) but direct key pinning for trust (implying
Enclosed to this ticket, a example to reproduce the trouble.
For me, because of
false in all case, none of the connection must succeed.
Updated by jeremyevans0 (Jeremy Evans) 6 months ago
- Status changed from Open to Rejected
I believe this is expected behavior and not a bug. From the man page for
The verify_callback function is used to control the behaviour when the SSL_VERIFY_PEER flag is set.
Basically, if you are not using
SSL_VERIFY_PEER, then the
verify_callback result is not used to make a decision on whether to accept the certificate. The fact that the
verify_callback is called even if
SSL_VERIFY_PEER is not set appears to be also implied in the man page.
If you would like this changed, you would have to work with OpenSSL and the various forks to get them to change the behavior of the
SSL_CTX_set_verify function, which seems unlikely.