Comments on: Verified HTTPS in Ruby

By: JJB Code Blog - How to securely acquire the Mozilla root certificate bundle for use with curl, Net::HTTP, etc.

Thu, 05 Jan 2012 07:33:45 +0000

[...] can manually install the root certs, but first you have to get them from somewhere. This article gives a nice description of how to do that. The source of the cert files it points to is hosted [...]

By: David Vrensk

David Vrensk — Sat, 28 May 2011 08:10:41 +0000

Hey John, that’s really nice! I’ll add a note to the original post.

By: John

John — Sat, 28 May 2011 02:03:16 +0000

Your blog post helped/inspired me to come up with this, which is a more secure way to acquire the cert list:

https://gist.github.com/996292

And then this, which sets ruby to use the cert list library-wide:

https://gist.github.com/996510

Thanks!

By: Flavio Duarte

Flavio Duarte — Mon, 13 Apr 2009 11:13:32 +0000

@David

ok, thanks

By: David Vrensk

David Vrensk — Fri, 10 Apr 2009 15:48:25 +0000

@Flavio: No, I haven’t used this with SOAP. Actually, I rarely use Soap4r, but instead I create an XML request and parse the XML response using something like HappyMapper. It doesn’t really scale, but sometimes it’s good enough.

By: Flavio Duarte

Flavio Duarte — Thu, 09 Apr 2009 18:04:11 +0000

Hello,
Have You an example of request soap with certified authentication?

thanks

By: grosser

grosser — Wed, 28 Jan 2009 09:20:55 +0000

thanks for the writeup, just saved me lot of time

By: Thibaut Barrère

Thibaut Barrère — Wed, 12 Nov 2008 17:20:19 +0000

When it’s too tricky and if possible, I switch to curl or wget inside a queue. But thanks for posting these tips!

By: David Vrensk

David Vrensk — Thu, 06 Nov 2008 18:44:12 +0000

@Stephan: your last two comments were caught in the spam filter which I didn’t cull until today. Sorry, my bad.
I’ll get back to you later; have to run now.

By: BusinessRx Reading List : Verified HTTPS in Ruby

BusinessRx Reading List : Verified HTTPS in Ruby — Tue, 04 Nov 2008 03:51:22 +0000

[...] thought this would be straight-forward but it turned out to be slightly tricky. Thankfully I found this post that outlines the basics of setting up HTTPS in Ruby. Most people probably take the first method of [...]

By: Stephan Wehner

Stephan Wehner — Wed, 22 Oct 2008 23:07:57 +0000

If you look at the tests that come with httpclient, http://raa.ruby-lang.org/project/httpclient/ they run their own test server to get a handle on https security.

Do you think the original code of your blog post verifies the server certificate? The implementation of validate_certificate at http://dev.ctor.org/soap4r/wiki/SslCertificateVerification does this for the case that one already has the file from the CA.

Here might be another way,

http.cert=OpenSSL::X509::Certificate.new(IO.read(path-to-already-available-cert))

Stephan

By: Stephan Wehner

Stephan Wehner — Wed, 22 Oct 2008 22:43:37 +0000

If you look at the tests that come with httpclient, http://raa.ruby-lang.org/project/httpclient/ they run their own test server to get a handle on https security.

Do you think the original code of your blog post verifies the server certificate. The implementation of validate_certificate at http://dev.ctor.org/soap4r/wiki/SslCertificateVerification does this for the case that one already has the file from the CA.

Stephan

By: David Vrensk

David Vrensk — Wed, 22 Oct 2008 22:09:33 +0000

Good question. I suppose the best way to find out is to build a nice test suite, but that would require having hosts that respond in the right way (like https://google.com/ and https://www.google.com/, which of course cannot be trusted to behave like they did when I wrote this post).
I have checked out the diff and it’s nice and simple and a step in the right direction.

By: Stephan Wehner

Stephan Wehner — Wed, 22 Oct 2008 21:58:59 +0000

Yes, I am thinking the same, however I am not sure.

For example, are there earlier Ruby versions that didn’t have this method (then it was added, then it was removed again)?

By: David Vrensk

David Vrensk — Wed, 22 Oct 2008 21:56:01 +0000

Ah! So basically I should be good with

http.enable_post_connection_check = true if http.responds_to? :enable_post_connection_check

if I understand you right? Many thanks!

By: Stephan Wehner

Stephan Wehner — Wed, 22 Oct 2008 21:51:07 +0000

… I forgot …. the enable_post_connection_check method is removed since the check is performed by default …. one turns it off with Net::HTTP#verify_mode= OpenSSL::SSL::VERIFY_NONE

By: Stephan Wehner

Stephan Wehner — Wed, 22 Oct 2008 21:48:12 +0000

I think “more modern Ruby versions” are more secure. How much more secure, I can’t tell, sorry. I don’t think they include the “CA Root Certificates bundle”.

By: David Vrensk

David Vrensk — Wed, 22 Oct 2008 20:17:50 +0000

@Stephan: Thanks, that is really valuable information, especially since the app where I developed this solution is running on a managed host. I’ll see if I can find time to work out something for more modern Ruby versions. If you beat me to it, please tell me!

By: Stephan Wehner

Stephan Wehner — Wed, 22 Oct 2008 20:00:04 +0000

The method “enable_post_connection_check” is not available since 1.8.6 129

Log Message:
merge revision(s) 13657:
* lib/net/http.rb, lib/open-uri.rb: remove
Net::HTTP#enable_post_connection_check. [ruby-dev:31960]

See http://svn.ruby-lang.org/cgi-bin/viewvc.cgi/tags/v1_8_6_129/ChangeLog

Stephan