Open-uri + OpenSSL

#1

Hello,

I am using open-uri to open an https:// link and when it tries to read
it, I get the ‘connect’ : certificate verify failed error. How can I
bypass this SSL verification?

Thanks,
M

#2

On Oct 27, 1:35 am, Matthew L. removed_email_address@domain.invalid wrote:

Hello,

I am using open-uri to open an https:// link and when it tries to read
it, I get the ‘connect’ : certificate verify failed error. How can I
bypass this SSL verification?

Thanks,
M

Set the verify_mode to OpenSSL::SSL::VERIFY_NONE

eg:

http = Net::HTTP.new(host,port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE

#3

Ok when I do that, it says:

ssl value changed, but session already started

dusty wrote:

On Oct 27, 1:35 am, Matthew L. removed_email_address@domain.invalid wrote:

Hello,

I am using open-uri to open an https:// link and when it tries to read
it, I get the ‘connect’ : certificate verify failed error. How can I
bypass this SSL verification?

Thanks,
M

Set the verify_mode to OpenSSL::SSL::VERIFY_NONE

eg:

http = Net::HTTP.new(host,port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE

#4

On Nov 5, 8:51 pm, dusty removed_email_address@domain.invalid wrote:

Sorry, this all goes in open-uri.rb in your ruby base dir, eg:

/usr/lib/ruby/1.8/open-uri.rb
or
/opt/local/lib/ruby/1.8/open-uri.rb

or wherever it may be on your distro.

#5

dusty wrote:

/usr/lib/ruby/1.8/open-uri.rb
or
/opt/local/lib/ruby/1.8/open-uri.rb

or wherever it may be on your distro.

The nice thing about Ruby is that if you don’t want to modify your
system files (for example I don’t like to do it because it’s quite hard
to track later), then you can simply patch the modules/classes in
question on the fly, at the beginning of your application. And possibly
file a bug report (:

However, I guess the verification-enabling code would be more versatile
this way:

   if options[:ssl_verify]
     http.verify_mode = OpenSSL::SSL::VERIFY_PEER
   else
     http.verify_mode = OpenSSL::SSL::VERIFY_NONE
   end

mortee

#6

On Oct 27, 12:26 pm, Matthew L. removed_email_address@domain.invalid wrote:

Sorry, I guess you can’t do it with open-uri. Here is a patch:

add this ssl_verify option to the top of the file.

FROM:

module OpenURI
  Options = {
    :proxy => true,
    :progress_proc => true,
    :content_length_proc => true,
    :http_basic_authentication => true,
  }

TO:

module OpenURI
  Options = {
    :proxy => true,
    :progress_proc => true,
    :content_length_proc => true,
    :http_basic_authentication => true,
    :ssl_verify => true
  }

Change the part where it enables verification

FROM:

if target.class == URI::HTTPS
  require 'net/https'
  http.use_ssl = true
  http.enable_post_connection_check = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  store = OpenSSL::X509::Store.new
  store.set_default_paths
  http.cert_store = store
end

TO:
if target.class == URI::HTTPS
  require 'net/https'
  http.use_ssl = true
  http.enable_post_connection_check = true
  if options[:ssl_verify] == false
    http.verify_mode = OpenSSL::SSL::VERIFY_NONE
  else
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  end
  store = OpenSSL::X509::Store.new
  store.set_default_paths
  http.cert_store = store
end

run it like this:

open("https://someurl", :ssl_verify => false) {|f|
  print f.read
}

#7

Great thanks guys!

#8

On Nov 5, 11:34 pm, mortee removed_email_address@domain.invalid wrote:

However, I guess the verification-enabling code would be more versatile
this way:

   if options[:ssl_verify]
     http.verify_mode = OpenSSL::SSL::VERIFY_PEER
   else
     http.verify_mode = OpenSSL::SSL::VERIFY_NONE
   end

mortee

Good idea. I submitted a patch to rubyforge. This might be useful
and simple enough to add.

http://rubyforge.org/tracker/?group_id=426&atid=1698&func=detail&aid=15390
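
The two conditionals posted in this thread behave differently when the caller leaves the option out. The following added example (not code from the thread or from open-uri) compares them, assuming the options hash holds only the keys the caller passed; the helper names and the list of calls are hypothetical.

```ruby
require 'openssl'

# Condition from the posted patch: only an explicit false disables verification.
def mode_explicit_false(options)
  options[:ssl_verify] == false ? OpenSSL::SSL::VERIFY_NONE : OpenSSL::SSL::VERIFY_PEER
end

# Condition from the suggested variant: any falsy value, including a
# missing key, disables verification.
def mode_truthy(options)
  options[:ssl_verify] ? OpenSSL::SSL::VERIFY_PEER : OpenSSL::SSL::VERIFY_NONE
end

MODE_NAMES = {
  OpenSSL::SSL::VERIFY_NONE => 'VERIFY_NONE',
  OpenSSL::SSL::VERIFY_PEER => 'VERIFY_PEER'
}.freeze

# Constructed call sites: the options hash as each caller would pass it.
CALLS = {
  'open(url)'                       => {},
  'open(url, :ssl_verify => true)'  => { :ssl_verify => true },
  'open(url, :ssl_verify => false)' => { :ssl_verify => false },
  'open(url, :ssl_verify => nil)'   => { :ssl_verify => nil }
}.freeze

# Returns rows of [call, mode under the patch, mode under the variant].
def compare_modes
  CALLS.map do |call, opts|
    [call, MODE_NAMES[mode_explicit_false(opts)], MODE_NAMES[mode_truthy(opts)]]
  end
end

compare_modes.each { |row| puts format('%-34s %-12s %s', *row) }
```

With the `== false` test a plain `open(url)` keeps VERIFY_PEER; with the truthiness test the same call ends up with VERIFY_NONE unless the caller passes `:ssl_verify => true`.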

#9

Any news about the status of this?

#10

On Jun 2, 7:01 am, Marc H. removed_email_address@domain.invalid wrote:

Any news about the status of this?

I too am waiting for this patch. Appreciate early response.

Seede

#11

On Jun 2, 7:01 am, Marc H. removed_email_address@domain.invalid wrote:

Any news about the status of this?

I tried to put the patch into my open-uri.rb and it failed with a new
error

irb(main):007:0* open("https://www.interactivebrokers.com/Universal/servlet/FlexStatementService.GetStatement?t=1437758&q=1126698&v=2",:ssl_verify => true){|f|puts f}
NoMethodError: undefined method `enable_post_connection_check=' for #<Net::HTTP www.interactivebrokers.com:443 open=false>
from e:/ruby/lib/ruby/1.8/open-uri.rb:242:in `open_http'
from e:/ruby/lib/ruby/1.8/open-uri.rb:643:in `buffer_open'
from e:/ruby/lib/ruby/1.8/open-uri.rb:170:in `open_loop'
from e:/ruby/lib/ruby/1.8/open-uri.rb:168:in `catch'
from e:/ruby/lib/ruby/1.8/open-uri.rb:168:in `open_loop'
from e:/ruby/lib/ruby/1.8/open-uri.rb:138:in `open_uri'
from e:/ruby/lib/ruby/1.8/open-uri.rb:545:in `open'
from e:/ruby/lib/ruby/1.8/open-uri.rb:30:in `open'
from (irb):7

#12

Although the ticket remains as open in the page, the feature has been
added at least for ruby-1.9.3-p125.

You can pass :ssl_verify_mode => OpenSSL::SSL::VERIFY_NONE as an option
to the open method.

Best Regards

#13

Junkone wrote:

On Jun 2, 7:01 am, Marc H. removed_email_address@domain.invalid wrote:

Any news about the status of this?

I tried to put the patch into my open-uri.rb and it failed with a new
error

irb(main):007:0* open("https://www.interactivebrokers.com/Universal/servlet/FlexStatementService.GetStatement?t=1437758&q=1126698&v=2",:ssl_verify => true){|f|puts f}
NoMethodError: undefined method `enable_post_connection_check=' for #<Net::HTTP www.interactivebrokers.com:443 open=false>
from e:/ruby/lib/ruby/1.8/open-uri.rb:242:in `open_http'
from e:/ruby/lib/ruby/1.8/open-uri.rb:643:in `buffer_open'
from e:/ruby/lib/ruby/1.8/open-uri.rb:170:in `open_loop'
from e:/ruby/lib/ruby/1.8/open-uri.rb:168:in `catch'
from e:/ruby/lib/ruby/1.8/open-uri.rb:168:in `open_loop'
from e:/ruby/lib/ruby/1.8/open-uri.rb:138:in `open_uri'
from e:/ruby/lib/ruby/1.8/open-uri.rb:545:in `open'
from e:/ruby/lib/ruby/1.8/open-uri.rb:30:in `open'
from (irb):7

So basically if you are using ruby 1.8.6 (for me I’m using it on
BackTrack3) you simply omit the ‘http.enable_post_connection_check =
true’ from the code mentioned above and also remove
‘sock.post_connection_check(target_host)’
that’s it! I am using the open-uri just fine now to push thru multiple
URLs from an input file out to my local proxy in order to build a site
map via BurpSuite.

#14

As Fernando points out, this feature is now available, at least post
1.9.3-p327. Here’s how I’m using it:

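require 'open-uri'
require 'openssl'
require 'json'

request_uri = URI.parse('myurl')
request_uri.query = URI.encode_www_form params

# VERIFY_NONE turns off certificate verification for this request
output = open(request_uri, {ssl_verify_mode: OpenSSL::SSL::VERIFY_NONE})
obj = JSON.parse output.readlines.join("")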

sameer.
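
As an added example, not code from the thread or from open-uri: the two checks this thread turns off, chain verification against a cert_store (VERIFY_PEER) and the host-name check behind post_connection_check, run against a constructed private CA, a certificate it issued, and a self-signed certificate for the same host name. All helper names, keys and the host api.example.test are made up for the illustration.

```ruby
require 'openssl'

# Build a certificate (constructed test data); self-signed when no issuer is given.
def make_cert(cn, key, issuer: nil, issuer_key: nil, ca: false, san: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('subjectAltName', san)) if san
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
end

# Check 1 (VERIFY_PEER with a cert_store): does the chain end in a trusted CA?
def chain_trusted?(cert, trusted_cas)
  store = OpenSSL::X509::Store.new
  trusted_cas.each { |ca_cert| store.add_cert(ca_cert) }
  store.verify(cert)
end

# Check 2 (post_connection_check): was the certificate issued for this host?
def host_matches?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

# What a verifying client requires; VERIFY_NONE skips both checks.
def peer_acceptable?(cert, hostname, trusted_cas)
  chain_trusted?(cert, trusted_cas) && host_matches?(cert, hostname)
end

HOST = 'api.example.test'
CA_KEY = OpenSSL::PKey::RSA.new(2048)
CA = make_cert('Example Private CA', CA_KEY, ca: true)
GENUINE = make_cert(HOST, OpenSSL::PKey::RSA.new(2048),
                    issuer: CA, issuer_key: CA_KEY, san: "DNS:#{HOST}")
# Self-signed certificate naming the same host, not issued by the CA.
FORGED = make_cert(HOST, OpenSSL::PKey::RSA.new(2048), san: "DNS:#{HOST}")

puts "genuine, CA not in store: #{peer_acceptable?(GENUINE, HOST, [])}"
puts "genuine, CA in store:     #{peer_acceptable?(GENUINE, HOST, [CA])}"
puts "forged,  CA in store:     #{peer_acceptable?(FORGED, HOST, [CA])}"
```

When the "certificate verify failed" error comes from a server certificate issued by a private CA, open-uri's `:ssl_ca_cert` option adds that CA to the trust store while leaving VERIFY_PEER on.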