SSL mode flags - verification of certificates: is it safe to use :none?

I am writing a soap request over SSL using Savon and HTTPi, a Ruby soap client and an interface for Ruby HTTP clients, respectively. Here's the code:

client = Savon::Client.new(original_class.constantize.wsdl_url)
# client certificate and private key presented to the server
client.http.auth.ssl.cert_key_file = "path_to_the_key"
client.http.auth.ssl.cert_key_password = 'secret'
client.http.auth.ssl.cert_file = "path_to_the_certification"
# :none disables verification of the server's certificate
client.http.auth.ssl.verify_mode = :none
@response = client.request :ins0, action do
  soap.body = encoded_body
end

That's the only way I get this to work. But I know that there are three other verify modes, which are:

  • :peer (SSL_VERIFY_PEER)
  • :fail_if_no_peer_cert (SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
  • :client_once (SSL_VERIFY_CLIENT_ONCE)

If I change the verify mode to any other of the above, I get this error:

OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

Then come my questions (among others I have):

  • Am I doing wrong if I keep the verify mode to :none? Is there any lack of security?
  • What does the error really mean? That my code is wrong or that my certificate (which is self-assigned --- I am in development environment) is not good?

I read the OpenSSL documentation about verify modes:

http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html

About SSL_VERIFY_NONE, in client mode, it says:

The result of the certificate verification process can be checked after the TLS/SSL handshake using the SSL_get_verify_result(3) function. The handshake will be continued regardless of the verification result.

Should I be worried about it? Should I see verify mode :none as a dangerous thing?

I am asking that because, since I can't make it work with the other verify modes, I would like to release the SOAP-request-over-SSL feature the way it is working now. But I surely wouldn't do it if that could be dangerous.

asked Sep 24 '12 13:09 by DWS



1 Answer

After a while, I joined the OpenSSL User Support Mailing List and finally got helped.

In short:

The mode flags :fail_if_no_peer_cert and :client_once are for the server only, meaning nothing to the client, so they are ignored on the client.

For client purposes, :peer (SSL_VERIFY_PEER) is the only one that matters.

And it is not safe to set the verify mode to :none (SSL_VERIFY_NONE). That way, there will be no server authentication. If someone intercepts the connection from my client, my client will not detect the difference and will give sensitive data to the attacker.

In order to use :peer, I need to have the certificate in the client's trusted store.

A big thanks to Dave Thompson from the OpenSSL mailing list.

answered Oct 25 '22 05:10 by DWS
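The following script is an added example, not code from the question, the answer, or the Savon/HTTPi projects. It reproduces the answer's point with Ruby's standard openssl and socket libraries only: a constructed self-signed certificate for a hypothetical development server is served from a throwaway TLS listener on 127.0.0.1, and a client connects four times. With VERIFY_NONE the handshake succeeds against a certificate nobody vouched for; with VERIFY_PEER and an empty trust store it fails with the same "certificate verify failed" error the question shows; with VERIFY_PEER and the self-signed certificate added to the client's trust store it succeeds; and a hostname mismatch is still rejected even when the certificate is trusted. All names (make_self_signed_cert, start_tls_server, probe, verify_outcomes, the CN "localhost", "example.invalid") are assumptions made for this example.

```ruby
require "openssl"
require "socket"

# Constructed self-signed certificate for a hypothetical development server.
# Subject and SAN are "localhost" so a hostname check can pass against it.
def make_self_signed_cert(name = "localhost")
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{name}")
  cert.issuer = cert.subject            # self-signed: issuer == subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{name}", false))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [key, cert]
end

# Start a throwaway TLS server on 127.0.0.1 that presents `cert`.
# Returns the chosen port, the listening socket and the acceptor thread.
def start_tls_server(key, cert)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key = key
  tcp = TCPServer.new("127.0.0.1", 0)
  server = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  thread = Thread.new do
    loop do
      begin
        conn = server.accept   # completes the handshake, or raises if the client aborts it
        conn.close
      rescue OpenSSL::SSL::SSLError, SystemCallError, IOError
        # a client that rejects our certificate aborts the handshake; keep serving
      end
    end
  end
  [tcp.addr[1], tcp, thread]
end

# Connect once with the given verify mode and trust store, then check that the
# presented certificate matches `expected_host`. Returns :ok or :verify_failed.
def probe(port, verify_mode, store, expected_host)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = verify_mode
  ctx.cert_store = store
  tcp = TCPSocket.new("127.0.0.1", port)
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
  ssl.sync_close = true
  ssl.connect                               # VERIFY_PEER fails here if the cert is not trusted
  ssl.post_connection_check(expected_host)  # hostname check; VERIFY_NONE never does this for you
  :ok
rescue OpenSSL::SSL::SSLError
  :verify_failed
ensure
  ssl ? ssl.close : tcp&.close
end

# Run the four scenarios against the throwaway server and return their outcomes.
def verify_outcomes
  key, cert = make_self_signed_cert
  port, listener, thread = start_tls_server(key, cert)
  empty = OpenSSL::X509::Store.new
  trusted = OpenSSL::X509::Store.new
  trusted.add_cert(cert)                    # the step the answer describes: trust the cert explicitly
  {
    none:             probe(port, OpenSSL::SSL::VERIFY_NONE, empty,   "localhost"),
    peer_empty_store: probe(port, OpenSSL::SSL::VERIFY_PEER, empty,   "localhost"),
    peer_trusted:     probe(port, OpenSSL::SSL::VERIFY_PEER, trusted, "localhost"),
    peer_wrong_host:  probe(port, OpenSSL::SSL::VERIFY_PEER, trusted, "example.invalid"),
  }
ensure
  thread&.kill
  listener&.close
end

if __FILE__ == $0
  verify_outcomes.each { |scenario, result| puts "#{scenario}: #{result}" }
end
```

The none scenario is exactly the situation the answer warns about: the client accepts whatever certificate the other end presents, so a listener standing in for the real server is indistinguishable from it. The peer_trusted scenario shows the fix the answer recommends, adding the self-signed certificate to the client's trust store rather than turning verification off; with Savon/HTTPi the same effect comes from pointing the client at a CA file containing that certificate. The peer_wrong_host scenario is a reminder that trusting the certificate and checking that it was issued for the host you meant to reach are two separate checks.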