Why don't I need to specify a CA bundle to Net::HTTP SSL requests?

假如想象 提交于 2020-01-05 13:11:40

问题


A lot of what I've seen around SO and blog posts is that

  1. By default, Net::HTTP does not verify peer SSL certificates
  2. To force Net::HTTP to verify peer, you need to to it too and supply a CA cert file containing trusted authorities

However, I've found that this is not completely necessary. On my Mac, I have the following code

http = Net::HTTP.new('www.google.com', 443)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
http.start do
  http.request_get('/') do |response|
    puts response.body
  end
end

This works. But what is Ruby using to verify the peer with? When I look at the output of http.ca_path and http.ca_file they are both blank.

I'm running this code in Ruby 1.9.3p374. Perhaps when Ruby was compiled on my Mac, it pulled in some default location of CA cert chains from openssl or something?


回答1:


It looks like if no verify callback is set then OpenSSL library default callback is used. See line 217 in the openssl module verify callback wrapper (the ok argument is the result of the default callback).

On OS X, Apple has apparently customized the default callback in their OpenSSL library to hook in to the OS X Keychain facility. The root CA of Google's certificate is Equifax Secure Certificate Authority. If you change the trust setting in Keychain (e.g. using the Keychain Access utility) for this CA then your ruby test behaves accordingly.

I believe the answer to your question is that when peer certificate verification is required but not configured, the ruby shipped with OS X verifies using Keychain.



来源:https://stackoverflow.com/questions/17454912/why-dont-i-need-to-specify-a-ca-bundle-to-nethttp-ssl-requests

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!