Net/https and VERIFY_PEER on 1.8.7, 1.9.2 and jruby

Ruby
1

The following code:

require 'net/https'

def get_http
  http = Net::HTTP.new("ssltest7.bbtest.net", 443)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  return http
end

puts "Without store: " +
  (get_http.request(Net::HTTP::Get.new("/")).code rescue "FAIL")


store = OpenSSL::X509::Store.new
store.set_default_paths
http = get_http()
http.cert_store = store

puts "With store: " +
  (http.request(Net::HTTP::Get.new("/")).code rescue "FAIL")

when run on 1.9.2-p180, outputs:

Without store: 200
With store: 200

However, on 1.8.7-p334, it outputs:

Without store: FAIL
With store: 200

In other words, VERIFY_PEER doesn’t work on 1.8.7 unless you provide a
certificate store. Is this expected, or is it a peculiarity of my
rvm-on-ubuntu-10.04 setup?

It’s worth noting that on jruby-1.6.0 I get:

Without store: FAIL
With store: FAIL

Is this a jruby bug? If not, how should I be setting up a Net::HTTP
for VERIFY_PEER?


Alex

2

Alex Y. wrote in post #1005011:

  http = Net::HTTP.new("ssltest7.bbtest.net", 443)

Oh, and to remove any confusion, ssltest7.bbtest.net is Thawte’s SSL
test site. If that isn’t a reliable SSL endpoint, I don’t know what
would be :slight_smile:


Alex

3

I see the same as you with 1.8.7, but

  http.ca_path = "/etc/ssl/certs"

is all you need to fix it (that’s the correct path for an Ubuntu system,
YMMV on other systems)

You could try that on jruby too, I don’t use jruby. Maybe it needs some
ugly Java truststore thingy.

HTH,

Brian.

4

Brian C. wrote in post #1005144:

I see the same as you with 1.8.7, but

  http.ca_path = "/etc/ssl/certs"

is all you need to fix it (that’s the correct path for an Ubuntu system,
YMMV on other systems)

As far as I can tell, #set_default_paths ought to be the
cross-platform way of doing this, but #set_default_paths doesn’t work on
JRuby, whereas #ca_path= apparently does.


Alex