Peer authentication means that the other side of the SSL connection is authenticated based on a trusted certificate installed locally. Alternatively, a Certification Authority (CA) certificate may be installed locally and the peer has a certificate signed by that authority.
Warning, do not do this in production, you are disabling SSL completely this way.
If you really don't want the additional security of using certificate verification, and can upgrade to Ruby 1.9.3p327+, you can pass the ssl_verify_mode option to the open method. Here for example is how I'm doing it:
require 'open-uri'
require 'json'
require 'openssl'

request_uri = URI.parse('myuri?that_has=params&encoded=in_it&optionally=1')
# The params incidentally are available as a String, via request_uri.query
# VERIFY_NONE turns off certificate verification for this request
output = open(request_uri, {ssl_verify_mode: OpenSSL::SSL::VERIFY_NONE})
obj = JSON.parse output.readlines.join("")
Found it out myself now: I used the dirty hack, which works fine for me.
I had to put it into: yourrailsapp/initializers/
There I created a bypass_ssl_verification_for_open_uri.rb
And put:
OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE
It's good (it may spawn uninitialized constant OpenSSL (NameError)) to put require 'openssl' before that line, so:
app/config/initializers/bypass_ssl_verification_for_open_uri.rb (filename of initializer doesn't matter)
require 'openssl'
OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE
As you mentioned yourself, this is a dirty hack. Obviously, disabling SSL certificate verification is not a good idea.
There is a very helpful article by Mislav Marohnić, which goes into great detail why this is bad and how to address this properly.
In summary, you mostly get the SSL verify error if:
For me the first case applied, and simply updating the ca-certificates package on my Ubuntu system did the trick.
A great tool to track down your SSL error is the ssl doctor script.
It's your call, but setting VERIFY_PEER to NONE is basically equivalent to disabling TLS altogether and connecting over plaintext HTTP. It makes man in the middle attacks trivial, and will not pass a PCI audit.
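An added example, not taken from any of the answers above: it shows why the verify error appears when the issuing CA is missing from the local trust store, and that installing the CA certificate fixes it while verification stays enabled. The CA, the server certificate and their names are constructed test data.

```ruby
require 'openssl'

# Build a certificate signed by issuer_key (self-signed when issuer_cert is nil).
def make_cert(subject, key, issuer_cert, issuer_key, ca:, serial:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Validate peer_cert against an explicit list of locally trusted CA certificates.
# Returns [ok, error_string]; a missing issuer here is what surfaces to
# callers as "certificate verify failed" when VERIFY_PEER is in effect.
def verify_against(peer_cert, trusted_cas)
  store = OpenSSL::X509::Store.new
  trusted_cas.each { |ca| store.add_cert(ca) }
  ok = store.verify(peer_cert)
  [ok, store.error_string]
end

# Constructed sample data: a private CA and a server certificate it signed.
CA_KEY = OpenSSL::PKey::RSA.new(2048)
CA_CERT = make_cert('/CN=Example Test CA', CA_KEY, nil, CA_KEY, ca: true, serial: 1)
SRV_KEY = OpenSSL::PKey::RSA.new(2048)
SRV_CERT = make_cert('/CN=service.example.test', SRV_KEY, CA_CERT, CA_KEY, ca: false, serial: 2)

if __FILE__ == $PROGRAM_NAME
  p verify_against(SRV_CERT, [])        # CA not installed locally: fails
  p verify_against(SRV_CERT, [CA_CERT]) # CA installed locally: passes
end
```

For real connections the equivalent of adding the CA here is updating the system CA bundle or pointing the client at a CA file, rather than changing the verify mode.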