How to bypass SSL certificate verification in open-uri?

Ruby on-Rails

Ruby on-Rails Problem Overview


I try to access a file with open-uri over an https connection. Unfortunately something's wrong with the certificate; I get a certificate verify failed error. I can't do anything about that, so I have to bypass the verification.

I found this answer

I don't want to / can't change the open-uri.rb on the server, and I'm running Ruby 1.8.6.

How do I change the verify mode? Or more exactly where do I change it?

Where can I put this?

if target.class == URI::HTTPS  
 require 'net/https'  
 http.use_ssl = true   
 http.verify_mode = OpenSSL::SSL::VERIFY_NONE  
 store = OpenSSL::X509::Store.new  
 store.set_default_paths  
 http.cert_store = store
end

or the dirty hack: where can I put this?

OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE

Ruby on-Rails Solutions


Solution 1 - Ruby on-Rails

Warning, do not do this in production, you are disabling SSL completely this way.

If you really don't want the additional security of using certificate verification, and can upgrade to Ruby 1.9.3p327+, you can pass the ssl_verify_mode option to the open method. Here for example is how I'm doing it:

require 'open-uri'
require 'openssl'
require 'json'

request_uri = URI.parse('myuri?that_has=params&encoded=in_it&optionally=1')

# The params incidentally are available as a String, via request_uri.query
# VERIFY_NONE skips certificate validation for this one request only
output = open(request_uri, {ssl_verify_mode: OpenSSL::SSL::VERIFY_NONE})
obj = JSON.parse output.readlines.join("")

Solution 2 - Ruby on-Rails

Found it out myself now: I used the dirty hack, which works fine for me.

I had to put it into: yourrailsapp/initializers/

There I created a bypass_ssl_verification_for_open_uri.rb

And put:

OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE

Solution 3 - Ruby on-Rails

It's good (it may spawn uninitialized constant OpenSSL (NameError)) to put require 'openssl' before that line, so

app/config/initializers/bypass_ssl_verification_for_open_uri.rb (filename of initializer doesn't matter)

require 'openssl'
OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE

Solution 4 - Ruby on-Rails

As you mentioned yourself, this is a dirty hack. Obviously, disabling SSL certificate verification is not a good idea.

There is a very helpful article by Mislav Marohnić, which goes into great detail why this is bad and how to address this properly.

In summary, you mostly get the SSL verify error if:

  1. the certificate is valid, but your system does not have the necessary root certificate for verification.
  2. the certificate is self-signed, e.g. in your company and you need to trust it
  3. you're subject to a man-in-the-middle attack

For me the first case applied, and simply updating the ca-certificates package on my Ubuntu system did the trick.

A great tool to track down your SSL error is the ssl doctor script.
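The causes listed in Solution 4 can be told apart, and the internal-CA case fixed, without turning verification off. The following Ruby sketch is an added example, not part of the original answers: it builds a throwaway CA and server certificate in memory (constructed sample data) and checks them against the system trust store with and without the CA added. The helper names `make_cert`, `trust_store` and `diagnose` are hypothetical.

```ruby
require 'openssl'

# Constructed test material: builds a throwaway certificate in memory.
# issuer: [cert, key] signs the new cert; omit it for a self-signed one.
def make_cert(cn, key, issuer: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = rand(1..2**31)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer[0].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer ? issuer[1] : key, OpenSSL::Digest.new('SHA256'))
  cert
end

# System roots plus any explicitly trusted CAs; this is the object to assign
# to Net::HTTP#cert_store while verify_mode stays at VERIFY_PEER.
def trust_store(extra_cas = [])
  store = OpenSSL::X509::Store.new
  store.set_default_paths
  extra_cas.each { |ca| store.add_cert(ca) }
  store
end

# Returns [verified?, OpenSSL error code, human-readable reason].
def diagnose(store, cert)
  ok = store.verify(cert)
  [ok, store.error, store.error_string]
end

ca_key = OpenSSL::PKey::RSA.new(2048)
CA_CERT = make_cert('Example Internal CA', ca_key, ca: true)
SERVER_CERT = make_cert('intranet.example', OpenSSL::PKey::RSA.new(2048), issuer: [CA_CERT, ca_key])

p diagnose(trust_store, SERVER_CERT)            # issuer missing from the trust store
p diagnose(trust_store, CA_CERT)                # self-signed and not trusted
p diagnose(trust_store([CA_CERT]), SERVER_CERT) # verifies once the CA is trusted
```

In an application the same store goes on the connection (`http.cert_store = trust_store([ca])` with `verify_mode` left at `VERIFY_PEER`), or open-uri is given the CA file through its `ssl_ca_cert` option.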

Solution 5 - Ruby on-Rails

It's your call, but setting VERIFY_PEER to NONE is basically equivalent to disabling TLS altogether and connecting over plaintext HTTP. It makes man-in-the-middle attacks trivial, and will not pass a PCI audit.

Solution 6 - Ruby on-Rails

Seems like a good candidate for inclusion in environment.rb, or if this hack is only necessary in particular environments, then in their individual config files.

Solution 7 - Ruby on-Rails

A weak but controlled way is

require 'xmlrpc/client'
require 'openssl'

class XMLRPC::Client
  # WEAK: Enrich the Client with a method for disabling SSL VERIFICATION
  # See /usr/lib/ruby/1.9.1/xmlrpc/client.rb:324
  # Bad hack but it works
  def disableSSLVerification
    @http.verify_mode = OpenSSL::SSL::VERIFY_NONE
    warn "Proxyman SSL Verification disabled"
  end
end

Then you simply call

client.disableSSLVerification()

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

Content Type | Original Author | Original Content on Stackoverflow
Question | Roland Studer | View Question on Stackoverflow
Solution 1 - Ruby on-Rails | sameers | View Answer on Stackoverflow
Solution 2 - Ruby on-Rails | Roland Studer | View Answer on Stackoverflow
Solution 3 - Ruby on-Rails | Ivan Stana | View Answer on Stackoverflow
Solution 4 - Ruby on-Rails | pymkin | View Answer on Stackoverflow
Solution 5 - Ruby on-Rails | Bibek Sharma | View Answer on Stackoverflow
Solution 6 - Ruby on-Rails | Patrick McKenzie | View Answer on Stackoverflow
Solution 7 - Ruby on-Rails | daitangio | View Answer on Stackoverflow