Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to bypass SSL certificate verification in open-uri?

Tags:

ruby-on-rails

People also ask

What is peer SSL certificate verification?

Peer authentication means that the other side of the SSL connection is authenticated based on a trusted certificate installed locally. Alternatively, a Certification Authority (CA) certificate may be installed locally and the peer has a certificate signed by that authority.

Warning, do not do this in production, you are disabling SSL completely this way.

If you really don't want the additional security of using certificate verification, and can upgrade to Ruby 1.9.3p327+, you can pass the ssl_verify_mode option to the open method. Here for example is how I'm doing it:

request_uri=URI.parse('myuri?that_has=params&encoded=in_it&optionally=1')

# The params incidentally are available as a String, via request_uri.query
output = open(request_uri, {ssl_verify_mode: OpenSSL::SSL::VERIFY_NONE})
obj = JSON.parse output.readlines.join("")

Found it out myself now: I used the dirty hack, which works fine for me.

I had to put it into: yourrailsapp/initalizers/

There I created a bypass_ssl_verification_for_open_uri.rb

And put:

OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE

it's good (it may spawn uninitialized constant OpenSSL (NameError)) to put require 'openssl' before that line, so

app/config/initializers/bypass_ssl_verification_for_open_uri.rb (filename of initializer doesn' matter)

require 'openssl'
OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE


As you mentioned yourself, this is a dirty hack. Obviously, disabling SSL certificate verification is not a good idea.

There is a very helpful article by Mislav Marohnić, which goes into great detail why this is bad and how to address this properly.

In summary, you mostly get the SSL verify error if:

  1. the certificate is valid, but your system does not have the necessary root certificate for verification.
  2. the certificate is self-signed, e.g. in your company and you need to trust it
  3. you're subject to a man-in-the-middle attack

For me the first case applied, and simply updating the ca-certificates package on my Ubuntu system did the trick.

A great tool to track down your SSL error is the ssl doctor script.


It's your call, but setting VERIFY_PEER to NONE is basically equivalent to disabling TLS altogether and connecting over plaintext HTTP. It makes man in the middle attacks trivial, and will not pass a PCI audit.

Related questions

Gem::LoadError: can't activate pg (~> 0.18), already activated pg-1.0.0 [duplicate]
What is the proper "Rails Way" to consume a RESTful web service on another domain?
Difference between -%> and %> in rails [duplicate]
PG::UndefinedTable: ERROR: missing FROM-clause entry for table when using joins and where
Rails Migration: How to increase column data type size by using ROR migration
remove a blank option of select field that was generated by SimpleForm
Why does false invalidate validates_presence_of?
How to change a Ruby on Rails application name?
How do i get rid of @controller is nil error in my tests
rails override default getter for a relationship (belongs_to)
Check select box has certain options with Capybara
Undefined instance method "respond_to" in Rails 5 API Controller
Create .ruby-version and .ruby-gemset with rvm
Irregular bootstrap column wrapping
Rails 3: Multiple Select with has_many through associations
What does the j function in Rails do?
How to do case-insensitive order in Rails with postgresql
Gem file with git remote failing on heroku push
How to avoid precompiled assets being served in development mode?
Rails 3: OpenSSL::SSL::SSLError: hostname was not match with the server certificate

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!