As I noted in my entry on Ruby security, VERIFY_NONE is used all over the place. And what I realized when I tried to use VERIFY_PEER was that it really doesn’t work for net/https, and doesn’t seem to ever have worked for me. I got a bit mystified by this since I couldn’t find much mention about it online. And then Victor Grey came to the rescue in one of the comments. The solution is to not use net/https at all, but instead use the httpclient gem (formerly called http-access2). So do a ‘gem install httpclient’. Then you can use this code:
require 'rubygems'
require 'httpclient'
clnt = HTTPClient.new
puts clnt.get_content("https://www.random.org/")
This will just work. Under the covers, httpclient uses VERIFY_PEER as default. And you can see this by changing the hostname from www.random.org to random.org. That will generate a verification error directly. Awesome. So what’s the lesson? Never use net/https, folks!
Good point and the httpclient gem is really great!
Only for the sake of completeness here’s an alternative version using Net::HTTP:
require 'net/https'
url = ARGV[0] || 'www.random.org'
https = Net::HTTP.new(url, Net::HTTP.https_default_port)
https.use_ssl = true
https.ssl_timeout = 2
# Fail the handshake when the chain does not verify (the default is VERIFY_NONE).
https.verify_mode = OpenSSL::SSL::VERIFY_PEER
# Bundle of CA certificates used to verify the chain; adjust the path for your system.
https.ca_file = '/usr/share/curl/curl-ca-bundle.crt'
https.verify_depth = 2
# Raise an exception (instead of only logging a warning) when the certificate
# does not match the hostname.
https.enable_post_connection_check = true
https.start do |http|
  request = Net::HTTP::Get.new('/')
  response = http.request(request)
end
ca_file has to point to a file containing certificates from certificate authorities. Usually, you can find such a file on nearly every system, because it comes with web browsers, curl, and so on.
Then, you have to set enable_post_connection_check to true! Otherwise, a message gets logged to the console, but no exception is raised.
Run the program passing it ‘random.org’ on the command line and it will die after dumping a stack trace.
August 29th, 2008
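The post's www.random.org versus random.org experiment and the enable_post_connection_check setting in the comment above both come down to one check that VERIFY_PEER alone does not perform: does the name you dialled match a name inside the certificate? The following is an added example (not code from the post or from the httpclient gem) that builds a constructed self-signed certificate for www.random.org and runs that identity check against both hostnames, plus a Net::HTTP client configured for chain verification instead of VERIFY_NONE.

```ruby
require 'openssl'
require 'net/http'

# Build a self-signed certificate whose only DNS name is common_name.
# Constructed for this example; it is not random.org's real certificate.
def build_cert(common_name)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{common_name}"))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# The identity check post_connection_check performs after the handshake:
# does the hostname we dialled match a name in the certificate? This is the
# step that VERIFY_PEER (chain verification) does not cover by itself and
# that the old enable_post_connection_check flag switched on.
def identity_matches?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

# A Net::HTTP client configured the way the post wants it: the chain is
# verified against the system CA store (VERIFY_PEER), never VERIFY_NONE.
# Not exercised here because it needs a network connection.
def verified_client(host)
  http = Net::HTTP.new(host, 443)
  http.use_ssl     = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.cert_store  = OpenSSL::X509::Store.new.tap(&:set_default_paths)
  http
end

if __FILE__ == $0
  cert = build_cert("www.random.org")
  puts "www.random.org matches: #{identity_matches?(cert, 'www.random.org')}" # true
  puts "random.org matches:     #{identity_matches?(cert, 'random.org')}"     # false
end
```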
net/https has been like this for a while. I wonder why they don’t just fix it.
August 29th, 2008