
Ruby Sinatra create post request without PEM and OpenSSL::SSL::VERIFY_NONE

Tags: ruby, ssl, sinatra

I am trying to create a POST request with SSL, but without OpenSSL::SSL::VERIFY_NONE, because it opens up security attacks, and without a PEM certificate. But I ran into problems. My Ruby code for sending the POST request:

```ruby
require 'sinatra'
require 'sinatra/cross_origin'
require 'json'
require 'net/http'

post '/test/test1' do
  cross_origin
  post_data = request.body.read
  res_Data = JSON.parse(post_data)
  userName = res_Data['username']

  @responseFromServer = ''
  uri = URI('https://test.com/test1')
  # As posted: VERIFY_NONE turns off certificate verification for this call.
  Net::HTTP.start(uri.host, uri.port,
                  :use_ssl => uri.scheme == 'https',
                  :verify_mode => OpenSSL::SSL::VERIFY_NONE) do |http|
    # Named `outbound` so it does not shadow Sinatra's `request` helper.
    outbound = Net::HTTP::Post.new uri.request_uri
    outbound.basic_auth 'aa', 'bb'
    outbound.body = {'username' => userName}.to_json
    response = http.request outbound
    @responseFromServer = response.body.to_s
  end
  newJson = JSON.parse(@responseFromServer)

  status_msg = newJson['status']['status_msg']
  if (status_msg == "Success")
    return 'true'
  end
  return 'false'
end
```

This method works, but it uses OpenSSL::SSL::VERIFY_NONE. How do I create a method for sending a POST request without OpenSSL::SSL::VERIFY_NONE and a PEM certificate?

EDIT

SSL/HTTPS request

Update: There are some good reasons why this code example is bad. It introduces a potential security vulnerability if it's essential you use the server certificate to verify the identity of the server you're connecting to. There's a fix for the issue though!

```ruby
require "net/https"
require "uri"

uri = URI.parse("https://secure.com/")
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
# The "bad" example: the server certificate is not verified.
http.verify_mode = OpenSSL::SSL::VERIFY_NONE

request = Net::HTTP::Get.new(uri.request_uri)

response = http.request(request)
response.body
response.code # Net::HTTPResponse exposes the status as #code, not #status
response["header-here"] # All headers are lowercase
```

SSL/HTTPS request with PEM certificate

```ruby
require "net/https"
require "uri"

uri = URI.parse("https://secure.com/")
pem = File.read("/path/to/my.pem")
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
http.cert = OpenSSL::X509::Certificate.new(pem)
http.key = OpenSSL::PKey::RSA.new(pem)
http.verify_mode = OpenSSL::SSL::VERIFY_PEER

request = Net::HTTP::Get.new(uri.request_uri)
```

My question: How do I create a POST method without PEM and OpenSSL::SSL::VERIFY_NONE?

Taras Kovalenko, asked Apr 20 '15 07:04
1 Answer

This question is quite misleading, but I will try my best to figure it out. Here is my advice:

Do you want to connect to a service that is only available through https and you do not care if the certificate is valid?

Then you can use :verify_mode => OpenSSL::SSL::VERIFY_NONE when initializing the Net::HTTP client. You will have some kind of transport security, but you cannot be sure the server you are talking to is the one you think it is. You are vulnerable.

Do you want to connect to a service that is available both through https and http, and you do not care about transport security?

Then you should use the http://... endpoint.

Do you want to connect to a service and you care about transport security?

Then you should definitely use the https://... endpoint. Do not override :verify_mode! If you are getting certificate verification errors, make sure you have the correct Certificate Authority installed on your system.

Overbryd, answered Oct 23 '22 06:10
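The third case in the answer above (keep verification on, no client PEM), sketched as an added example that is not part of the original question or answer. The helper names, the optional `ca_file` parameter and the timeout values are assumptions for illustration; the endpoint and JSON shape are the ones from the question.

```ruby
require 'net/http'
require 'openssl'
require 'uri'
require 'json'

# Build a client that verifies the server against the system trust store.
# No client PEM (http.cert / http.key) is involved in verifying the server.
def build_verified_client(uri, ca_file: nil)
  raise ArgumentError, 'https:// endpoint required' unless uri.is_a?(URI::HTTPS)

  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER # also the default with use_ssl
  # Assumption: set only for a private CA that is not in the system store.
  http.ca_file = ca_file if ca_file
  http.open_timeout = 5  # assumed values, not from the page
  http.read_timeout = 10
  http
end

# Build the JSON POST from the question (hypothetical helper).
def build_post(uri, username, user, pass)
  req = Net::HTTP::Post.new(uri.request_uri, 'Content-Type' => 'application/json')
  req.basic_auth(user, pass)
  req.body = JSON.generate('username' => username)
  req
end

# True only when the reply carries status.status_msg == "Success".
def remote_success?(body)
  data = JSON.parse(body.to_s)
  data.is_a?(Hash) && data.dig('status', 'status_msg') == 'Success'
rescue JSON::ParserError, TypeError
  false
end

# Send the request; fail closed on a certificate or hostname mismatch.
def post_username(uri, username, user:, pass:, ca_file: nil)
  http = build_verified_client(uri, ca_file: ca_file)
  remote_success?(http.request(build_post(uri, username, user, pass)).body)
rescue OpenSSL::SSL::SSLError => e
  warn "TLS verification failed for #{uri.host}: #{e.message}"
  false
end
```

Inside the Sinatra route this would be called as `post_username(URI('https://test.com/test1'), userName, user: 'aa', pass: 'bb')`, returning `true` or `false` instead of disabling verification.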