Jan 12

HTTPClient and SSL verify certificate

If, like us at my company, you use a self-signed certificate, you may have run into an OpenSSL::SSL::SSLError when using the httpclient gem.

Here is how to bypass SSL certificate verification (the client then accepts any certificate the server presents):

The issue:

require 'rubygems'
require 'httpclient'
 
client = HTTPClient.new
url = "https://www.server1.com"
client.get(url)
at depth 1 - 19: self signed certificate in certificate chain
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
	from /home/hery/.gem/ruby/1.8/gems/httpclient-2.1.5.2/lib/httpclient/session.rb:247:in `connect'
	from /home/hery/.gem/ruby/1.8/gems/httpclient-2.1.5.2/lib/httpclient/session.rb:247:in `ssl_connect'
	from /home/hery/.gem/ruby/1.8/gems/httpclient-2.1.5.2/lib/httpclient/session.rb:639:in `connect'
	from /home/hery/.gem/ruby/1.8/gems/httpclient-2.1.5.2/lib/httpclient/timeout.rb:128:in `timeout'
	from /home/hery/.gem/ruby/1.8/gems/httpclient-2.1.5.2/lib/httpclient/session.rb:631:in `connect'
	from /home/hery/.gem/ruby/1.8/gems/httpclient-2.1.5.2/lib/httpclient/session.rb:522:in `query'
	from /home/hery/.gem/ruby/1.8/gems/httpclient-2.1.5.2/lib/httpclient/session.rb:147:in `query'
	from /home/hery/.gem/ruby/1.8/gems/httpclient-2.1.5.2/lib/httpclient.rb:953:in `do_get_block'
	from /home/hery/.gem/ruby/1.8/gems/httpclient-2.1.5.2/lib/httpclient.rb:765:in `do_request'
	from /home/hery/.gem/ruby/1.8/gems/httpclient-2.1.5.2/lib/httpclient.rb:848:in `protect_keep_alive_disconnected'
	from /home/hery/.gem/ruby/1.8/gems/httpclient-2.1.5.2/lib/httpclient.rb:764:in `do_request'
	from /home/hery/.gem/ruby/1.8/gems/httpclient-2.1.5.2/lib/httpclient.rb:666:in `request'
	from /home/hery/.gem/ruby/1.8/gems/httpclient-2.1.5.2/lib/httpclient.rb:591:in `get'
	from (irb):5

Solution:

client.ssl_config.verify_mode = OpenSSL::SSL::VERIFY_NONE
client.get(url)

1 comment

  1. Claudius

    This is not the solution, as you’re now attackable with man-in-the-middle attacks with different self-signed certs.

    The ACTUAL way to do it would be to add your own Certificate Authority (the one you signed your self-signed cert with) to the list of trusted certificate authorities. That way you could keep VERIFY_PEER.
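
Added example, not part of the original post or of the comment: a stand-alone Ruby sketch of the comment's point, using only the standard openssl library. It checks the server certificate against an empty trust list and against a list holding the private CA, then checks a different self-signed certificate with the same name. The CA name, keys and certificates are constructed for illustration; www.server1.com is the host name from the post.

```ruby
require 'openssl'

# Build a short-lived certificate. With no issuer given it is self-signed.
def make_cert(cn, key, serial, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
end

# Verify the way a VERIFY_PEER client does: `trusted` is the client's CA list,
# `sent` is the extra chain the server presents during the handshake.
def check(cert, trusted: [], sent: [])
  store = OpenSSL::X509::Store.new # starts empty, no system CAs loaded
  trusted.each { |c| store.add_cert(c) }
  ok = store.verify(cert, sent)
  { ok: ok, error: store.error, reason: store.error_string }
end

def demo
  ca_key, srv_key, other_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  ca = make_cert('Example Internal CA', ca_key, 1, ca: true) # constructed CA
  server = make_cert('www.server1.com', srv_key, 2, issuer: ca, issuer_key: ca_key)
  other = make_cert('www.server1.com', other_key, 3) # different self-signed cert, same name
  {
    untrusted_ca: check(server, sent: [ca]),    # the failure shown in the post
    trusted_ca: check(server, trusted: [ca]),   # private CA added to the trust list
    other_cert: check(other, trusted: [ca])     # still rejected with verification on
  }
end

demo.each { |name, r| puts format('%-13s ok=%-5s %s', name, r[:ok], r[:reason]) }
```

With httpclient, the corresponding step is to leave verify_mode at its default and load the CA file with client.ssl_config.set_trust_ca, passing the path to your own CA certificate.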
