How to bypass SSL certificate verification in open-uri?

無奈伤痛 2020-12-02 12:30

I try to access a file with open-uri over an https connection. Unfortunately something's wrong with the certificate, I get a certificate verify failed error. I can'

7 answers
  • 2020-12-02 12:43

    A weak but controlled way is

    require 'xmlrpc/client'
    require 'openssl'

    class XMLRPC::Client
      # WEAK: Enrich the Client with a method for disabling SSL VERIFICATION
      # See /usr/lib/ruby/1.9.1/xmlrpc/client.rb:324
      # Bad hack but it works
      def disableSSLVerification
        @http.verify_mode = OpenSSL::SSL::VERIFY_NONE
        warn "Proxyman SSL Verification disabled"
      end
    end
    

    Then you simply call

    client.disableSSLVerification()
    
  • 2020-12-02 12:44

    It's good (it may spawn uninitialized constant OpenSSL (NameError)) to put require 'openssl' before that line, so

    app/config/initializers/bypass_ssl_verification_for_open_uri.rb (filename of initializer doesn't matter)

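    require 'openssl'
    # Reassigns the constant (Ruby warns "already initialized constant"): any Ruby
    # code in this process that later asks for VERIFY_PEER gets VERIFY_NONE instead.
    OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE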

  • 2020-12-02 12:44

    It's your call, but setting VERIFY_PEER to NONE is basically equivalent to disabling TLS altogether and connecting over plaintext HTTP. It makes man in the middle attacks trivial, and will not pass a PCI audit.

  • 2020-12-02 12:47

    As you mentioned yourself, this is a dirty hack. Obviously, disabling SSL certificate verification is not a good idea.

    There is a very helpful article by Mislav Marohnić, which goes into great detail why this is bad and how to address this properly.

    In summary, you mostly get the SSL verify error if:

    1. the certificate is valid, but your system does not have the necessary root certificate for verification.
    2. the certificate is self-signed, e.g. in your company and you need to trust it
    3. you're subject to a man-in-the-middle attack

    For me the first case applied, and simply updating the ca-certificates package on my Ubuntu system did the trick.

    A great tool to track down your SSL error is the ssl doctor script.

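The second case listed in the answer above (a self-signed or internal certificate that you need to trust) can be handled while verification stays on, using open-uri's `ssl_ca_cert` option. This is an added example, not code from the original answers; the loopback server, its certificate, and the names `start_demo_server`, `fetch` and `demo` are constructed for the demonstration.

```ruby
require 'open-uri'
require 'openssl'
require 'socket'
require 'tempfile'

# Throwaway loopback HTTPS server with a constructed self-signed certificate
# (stand-in for an internal host). Returns [port, certificate PEM].
def start_demo_server
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=demo.internal')
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('subjectAltName', 'IP:127.0.0.1'))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.key, ctx.cert = key, cert
  tcp = TCPServer.new('127.0.0.1', 0)
  tls = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  Thread.new do
    loop do
      sock = tls.accept
      sock.gets("\r\n\r\n") # consume the request headers
      sock.write("HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok")
      sock.close
    rescue StandardError # a verifying client aborted the handshake; keep serving
    end
  end
  [tcp.addr[1], cert.to_pem]
end

# Verification stays on (open-uri's default); returns the body or :verify_failed.
def fetch(port, **opts)
  URI.open("https://127.0.0.1:#{port}/", proxy: false, **opts).read
rescue OpenSSL::SSL::SSLError
  :verify_failed
end

# Returns [result with the default trust store, result with the demo cert trusted].
def demo
  port, ca_pem = start_demo_server
  Tempfile.create(['demo-ca', '.pem']) do |f|
    File.write(f.path, ca_pem)
    [fetch(port), fetch(port, ssl_ca_cert: f.path)]
  end
end
```

`demo` returns `[:verify_failed, "ok"]`: the default trust store rejects the certificate, and the same request succeeds once the certificate file is named in `ssl_ca_cert`, with `VERIFY_PEER` still in force.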
  • 2020-12-02 12:49

    Warning, do not do this in production, you are disabling SSL completely this way.

    If you really don't want the additional security of using certificate verification, and can upgrade to Ruby 1.9.3p327+, you can pass the ssl_verify_mode option to the open method. Here for example is how I'm doing it:

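    require 'open-uri'
    require 'openssl'
    require 'json'

    request_uri = URI.parse('myuri?that_has=params&encoded=in_it&optionally=1')

    # The params incidentally are available as a String, via request_uri.query
    # ssl_verify_mode: VERIFY_NONE turns certificate checking off for this request only
    output = open(request_uri, { ssl_verify_mode: OpenSSL::SSL::VERIFY_NONE })
    obj = JSON.parse output.readlines.join("")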
    
  • 2020-12-02 12:51

    Seems like a good candidate for inclusion in environment.rb, or if this hack is only necessary in particular environments, then in their individual config files.
