Forum: Ruby open-uri + OpenSSL

Matthew Lagace (turnkeytraders)
on 2007-10-27 07:35
Hello,

I am using open-uri to open an https:// link and when it tries to read
it, I get the 'connect' : certificate verify failed error. How can I
bypass this SSL verification?

Thanks,
M
dusty (Guest)
on 2007-10-27 19:05
(Received via mailing list)
On Oct 27, 1:35 am, Matthew Lagace <matthewlag...@gmail.com> wrote:
> Hello,
>
> I am using open-uri to open an https:// link and when it tries to read
> it, I get the 'connect' : certificate verify failed error. How can I
> bypass this SSL verification?
>
> Thanks,
> M
> --
> Posted via http://www.ruby-forum.com/.

Set the verify_mode to OpenSSL::SSL::VERIFY_NONE

eg:

http = Net::HTTP.new(host,port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
Matthew Lagace (turnkeytraders)
on 2007-10-27 19:26
Ok when I do that, it says:

 ssl value changed, but session already started


dusty wrote:
> On Oct 27, 1:35 am, Matthew Lagace <matthewlag...@gmail.com> wrote:
>> Hello,
>>
>> I am using open-uri to open an https:// link and when it tries to read
>> it, I get the 'connect' : certificate verify failed error. How can I
>> bypass this SSL verification?
>>
>> Thanks,
>> M
>> --
>> Posted via http://www.ruby-forum.com/.
>
> Set the verify_mode to OpenSSL::SSL::VERIFY_NONE
>
> eg:
>
> http = Net::HTTP.new(host,port)
> http.use_ssl = true
> http.verify_mode = OpenSSL::SSL::VERIFY_NONE
dusty (Guest)
on 2007-11-06 03:00
(Received via mailing list)
Sorry, I guess you can't do it with open-uri.  Here is a patch:

add this ssl_verify option to the top of the file.

FROM:

module OpenURI
  Options = {
    :proxy => true,
    :progress_proc => true,
    :content_length_proc => true,
    :http_basic_authentication => true,
  }

TO:

module OpenURI
  Options = {
    :proxy => true,
    :progress_proc => true,
    :content_length_proc => true,
    :http_basic_authentication => true,
    :ssl_verify => true
  }

Change the part where it enables verification

FROM:

    if target.class == URI::HTTPS
      require 'net/https'
      http.use_ssl = true
      http.enable_post_connection_check = true
      http.verify_mode = OpenSSL::SSL::VERIFY_PEER
      store = OpenSSL::X509::Store.new
      store.set_default_paths
      http.cert_store = store
    end

TO:
    if target.class == URI::HTTPS
      require 'net/https'
      http.use_ssl = true
      http.enable_post_connection_check = true
      if options[:ssl_verify] == false
        http.verify_mode = OpenSSL::SSL::VERIFY_NONE
      else
        http.verify_mode = OpenSSL::SSL::VERIFY_PEER
      end
      store = OpenSSL::X509::Store.new
      store.set_default_paths
      http.cert_store = store
    end
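
Review bot: the second TO block gives the caller only an on/off switch, so the one way this patch offers past an untrusted issuer is `:ssl_verify => false`, which drops the protection `VERIFY_PEER` gave that request. Consider an option that lets the caller add a CA file to `store` instead, and document that only an explicit `false` disables verification: the `== false` test keeps `VERIFY_PEER` when the option is omitted, which is the right default and should stay.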

run it like this:

open("https://someurl", :ssl_verify => false) {|f|
  print f.read
}
dusty (Guest)
on 2007-11-06 03:04
(Received via mailing list)
Sorry, this all goes in open-uri.rb in your ruby base dir, eg:

/usr/lib/ruby/1.8/open-uri.rb
or
/opt/local/lib/ruby/1.8/open-uri.rb

or wherever it may be on your distro.
mortee (Guest)
on 2007-11-06 05:35
(Received via mailing list)
dusty wrote:
>
> /usr/lib/ruby/1.8/open-uri.rb
> or
> /opt/local/lib/ruby/1.8/open-uri.rb
>
> or wherever it may be on your distro.

The nice thing about Ruby is that if you don't want to modify your
system files (for example I don't like to do it because it's quite hard
to track later), then you can simply patch the modules/classes in
question on the fly, at the beginning of your application. And possibly
file a bug report (:

However, I guess the verification-enabling code would be more versatile
this way:

       if options[:ssl_verify]
         http.verify_mode = OpenSSL::SSL::VERIFY_PEER
       else
         http.verify_mode = OpenSSL::SSL::VERIFY_NONE
       end

mortee
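
Review bot: `if options[:ssl_verify]` changes the default. A call that does not pass the option gets `nil`, takes the `else` branch and runs with `VERIFY_NONE`, so every existing `open("https://...")` caller silently loses certificate verification. Keep the `options[:ssl_verify] == false` comparison, or test `options.fetch(:ssl_verify, true)`, so that verification is off only when the caller asks for it.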
Matthew Lagace (turnkeytraders)
on 2007-11-06 13:14
Great thanks guys!
dusty (Guest)
on 2007-11-06 15:35
(Received via mailing list)
On Nov 5, 11:34 pm, mortee <mortee.li...@kavemalna.hu> wrote:
> However, I guess the verification-enabling code would be more versatile
> this way:
>
>        if options[:ssl_verify]
>          http.verify_mode = OpenSSL::SSL::VERIFY_PEER
>        else
>          http.verify_mode = OpenSSL::SSL::VERIFY_NONE
>        end
>
> mortee

Good idea.  I submitted a patch to rubyforge.  This might be useful
and simple enough to add.

http://rubyforge.org/tracker/?group_id=426&atid=16...
Robert Heiler (shevegen)
on 2008-06-02 13:01
Any news about the status of this?
Junkone (Guest)
on 2008-06-02 17:12
(Received via mailing list)
On Jun 2, 7:01 am, Marc Heiler <sheve...@linuxmail.org> wrote:
> Any news about the status of this?
> --
> Posted via http://www.ruby-forum.com/.

I too am waiting for this patch. Appreciate early response.

Seede
Junkone (Guest)
on 2008-06-02 17:36
(Received via mailing list)
On Jun 2, 7:01 am, Marc Heiler <sheve...@linuxmail.org> wrote:
> Any news about the status of this?
> --
> Posted via http://www.ruby-forum.com/.

I tried to put the patch into my open-uri.rb and it failed with a new
error
irb(main):007:0*  open("https://www.interactivebrokers.com/Universal/
servlet/FlexStatementService.GetStatement?
t=1437758&q=1126698&v=2",:ssl_verify => true){|f|puts f}
NoMethodError: undefined method `enable_post_connection_check=' for
#<Net::HTTP www.interactivebrokers.com:443 open=false>
        from e:/ruby/lib/ruby/1.8/open-uri.rb:242:in `open_http'
        from e:/ruby/lib/ruby/1.8/open-uri.rb:643:in `buffer_open'
        from e:/ruby/lib/ruby/1.8/open-uri.rb:170:in `open_loop'
        from e:/ruby/lib/ruby/1.8/open-uri.rb:168:in `catch'
        from e:/ruby/lib/ruby/1.8/open-uri.rb:168:in `open_loop'
        from e:/ruby/lib/ruby/1.8/open-uri.rb:138:in `open_uri'
        from e:/ruby/lib/ruby/1.8/open-uri.rb:545:in `open'
        from e:/ruby/lib/ruby/1.8/open-uri.rb:30:in `open'
        from (irb):7
Ck Tricky (cktricky)
on 2009-06-28 23:05
Junkone wrote:
> On Jun 2, 7:01 am, Marc Heiler <sheve...@linuxmail.org> wrote:
>> Any news about the status of this?
>> --
>> Posted via http://www.ruby-forum.com/.
>
> I tried to put the patch into my open-uri.rb and it failed with a new
> error
> irb(main):007:0*  open("https://www.interactivebrokers.com/Universal/
> servlet/FlexStatementService.GetStatement?
> t=1437758&q=1126698&v=2",:ssl_verify => true){|f|puts f}
> NoMethodError: undefined method `enable_post_connection_check=' for
> #<Net::HTTP www.interactivebrokers.com:443 open=false>
>         from e:/ruby/lib/ruby/1.8/open-uri.rb:242:in `open_http'
>         from e:/ruby/lib/ruby/1.8/open-uri.rb:643:in `buffer_open'
>         from e:/ruby/lib/ruby/1.8/open-uri.rb:170:in `open_loop'
>         from e:/ruby/lib/ruby/1.8/open-uri.rb:168:in `catch'
>         from e:/ruby/lib/ruby/1.8/open-uri.rb:168:in `open_loop'
>         from e:/ruby/lib/ruby/1.8/open-uri.rb:138:in `open_uri'
>         from e:/ruby/lib/ruby/1.8/open-uri.rb:545:in `open'
>         from e:/ruby/lib/ruby/1.8/open-uri.rb:30:in `open'
>         from (irb):7

So basically if you are using ruby 1.8.6 (for me I'm using it on
BackTrack3) you simply omit the 'http.enable_post_connection_check =
true' from the code mentioned above and also remove
'sock.post_connection_check(target_host)'
that's it! I am using the open-uri just fine now to push thru multiple
URLs from an input file out to my local proxy in order to build a site
map via BurpSuite.
Fernando Alvarez (arbesulo)
on 2012-06-13 11:09
Although the ticket remains as open in the page, the feature has been
added at least for ruby-1.9.3-p125.

You can pass :ssl_verify_mode => OpenSSL::SSL::VERIFY_NONE as an option
to the open method.

Best Regards
Sameer S. (sameer_s)
on 2013-10-04 04:31
As Fernando points out, this feature is now available, at least post
1.9.3-p327. Here's how I'm using it:

  require 'open-uri'
  require 'openssl'
  require 'json'

  request_uri=URI.parse('myurl')
  request_uri.query=URI.encode_www_form params

  output = open(request_uri, {ssl_verify_mode: OpenSSL::SSL::VERIFY_NONE})
  obj = JSON.parse output.readlines.join("")

sameer.
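
Added example, not part of any post in this thread: the two checks the thread switches off (the VERIFY_PEER chain check and the post-connection host name check), run offline against a constructed certificate, showing that "certificate verify failed" goes away once the issuing CA is trusted, with verification still on. The CA, the host names and the helper names (issue, chain_trusted?, names_host?, acceptable?) are assumptions made for the illustration.

```ruby
require 'openssl'

# Constructed test material: a private CA and a server certificate it issues,
# standing in for an HTTPS host whose issuer is missing from the trust store.
def issue(subject, key, issuer = nil, issuer_key = nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

CA_KEY = OpenSSL::PKey::RSA.new(2048)
CA_CERT = issue('/CN=Constructed Test CA', CA_KEY, ca: true)
LEAF_KEY = OpenSSL::PKey::RSA.new(2048)
LEAF_CERT = issue('/CN=internal.example.test', LEAF_KEY, CA_CERT, CA_KEY)

# Check 1 (what VERIFY_PEER does): does the chain end at a trusted CA?
def chain_trusted?(cert, trusted_cas)
  store = OpenSSL::X509::Store.new # starts empty: no system CAs loaded
  trusted_cas.each { |ca| store.add_cert(ca) }
  store.verify(cert)
end

# Check 2 (the post-connection check): does the certificate name the host?
def names_host?(cert, host)
  OpenSSL::SSL.verify_certificate_identity(cert, host)
end

# Both checks must pass; VERIFY_NONE skips both.
def acceptable?(cert, host, trusted_cas)
  chain_trusted?(cert, trusted_cas) && names_host?(cert, host)
end

puts acceptable?(LEAF_CERT, 'internal.example.test', [])        # CA unknown
puts acceptable?(LEAF_CERT, 'internal.example.test', [CA_CERT]) # CA trusted
puts acceptable?(LEAF_CERT, 'other.example.test', [CA_CERT])    # wrong host
# open-uri equivalent (placeholder path): open(url, :ssl_ca_cert => '/path/to/ca.pem')
```
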