From dc9c1385cca7b6e62eadd76930fc0d58a65ffca6 Mon Sep 17 00:00:00 2001
From: Michal Cichra
Date: Tue, 27 Feb 2018 10:59:21 +0100
Subject: [PATCH] [ssl] use OpenSSL default paths by default

* do not rely on distributed cacer.pem file
* respect SSL_CERT_DIR and SSL_CERT_FILE
---
 lib/httpclient/ssl_config.rb | 8 +++++++-
 test/test_ssl.rb | 11 +++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/lib/httpclient/ssl_config.rb b/lib/httpclient/ssl_config.rb
index c11dea2b..9cf2c4e9 100644
--- a/lib/httpclient/ssl_config.rb
+++ b/lib/httpclient/ssl_config.rb
@@ -146,6 +146,9 @@ def initialize(client)
 return unless SSLEnabled
 @client = client
 @cert_store = X509::Store.new
+ @cert_store.set_default_paths
+ @cacerts_loaded = working_openssl_platform?
+
 @cert_store_crl_items = []
 @client_cert = @client_key = @client_key_pass = @client_ca = nil
 @verify_mode = SSL::VERIFY_PEER | SSL::VERIFY_FAIL_IF_NO_PEER_CERT
@@ -162,7 +165,6 @@ def initialize(client)
 @options |= OpenSSL::SSL::OP_NO_SSLv3 if defined?(OpenSSL::SSL::OP_NO_SSLv3)
 # OpenSSL 0.9.8 default: "ALL:!ADH:!LOW:!EXP:!MD5:+SSLv2:@STRENGTH"
 @ciphers = CIPHERS_DEFAULT
- @cacerts_loaded = false
 end
 
 # Sets certificate and private key for SSL client authentication.
@@ -413,6 +415,10 @@ def change_notify
 nil
 end
 
+ def working_openssl_platform?
+ true # TODO: this could potentially return false on Windows
+ end
+
 # Use 2048 bit certs trust anchor
 def load_cacerts(cert_store)
 certs = if ENV.key?('SSL_CERT_DIR'.freeze) || ENV.key?('SSL_CERT_FILE')
diff --git a/test/test_ssl.rb b/test/test_ssl.rb
index 2e634d71..755cebee 100644
--- a/test/test_ssl.rb
+++ b/test/test_ssl.rb
@@ -245,6 +245,17 @@ def test_set_default_paths
 end
 end
 
+ def test_default_paths
+ assert_raise(OpenSSL::SSL::SSLError) do
+ @client.get(@url)
+ end
+ escape_env do
+ ENV['SSL_CERT_FILE'] = File.join(DIR, 'ca-chain.pem')
+ setup_client
+ @client.get(@url)
+ end
+ end
+
 def test_no_sslv3
 teardown_server
 setup_server_with_ssl_version(:SSLv3)
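Review bot: `@cacerts_loaded = working_openssl_platform?` in the first hunk marks the trust store as populated even though `set_default_paths` gives no signal that any anchor was actually found; on a host with no system CA bundle the store stays empty and every `VERIFY_PEER` handshake then fails with `SSLError`. That is fail-closed, which is the right default, but it is a silent behaviour change from the bundled cacert.pem that `load_cacerts` used to supply (presumably gated on this flag, outside the hunk), so it deserves a comment at the `set_default_paths` call: `# Trust anchors now come from OpenSSL's default lookup (system store plus SSL_CERT_FILE/SSL_CERT_DIR); the bundled cacert.pem is no longer loaded, so an empty system store fails verification instead of widening trust.` Since `set_default_paths` reads SSL_CERT_FILE/SSL_CERT_DIR from the process environment, the effective trust store is now part of the deployment environment, which is worth stating in the class documentation as well. `initialize` continues past the hunk.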
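Review bot: `working_openssl_platform?` hard-codes `true`, so the case its own TODO names — an OpenSSL build whose compiled-in default cert file and directory do not exist — is never detected, and the bundled fallback in `load_cacerts` is presumably skipped there as well. Ruby's OpenSSL binding exposes those locations as `OpenSSL::X509::DEFAULT_CERT_FILE` and `OpenSSL::X509::DEFAULT_CERT_DIR`, so the check can be made real with `File.exist?(OpenSSL::X509::DEFAULT_CERT_FILE) || File.directory?(OpenSSL::X509::DEFAULT_CERT_DIR)` in place of `true`; that keeps the fail-closed behaviour where a system store exists and falls back to the bundle only where OpenSSL has nothing to read. The method is also an internal detail and appears public (no `private` marker is visible in the hunk, its visibility may be set elsewhere), so `private :working_openssl_platform?` after the definition would keep it out of the SSLConfig API. A short doc comment such as `# Whether OpenSSL's compiled-in default trust locations are usable on this platform; false means the bundled cacert.pem must be loaded instead.` would make explicit what the TODO leaves implied.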
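Review bot: The negative assertion `assert_raise(OpenSSL::SSL::SSLError)` in `test_default_paths` runs outside `escape_env`, so it only holds when the developer's or CI environment does not already carry `SSL_CERT_FILE`/`SSL_CERT_DIR` pointing at the test CA (or a system store that happens to trust it); wrapping both halves in `escape_env` and running `ENV.delete('SSL_CERT_FILE'); ENV.delete('SSL_CERT_DIR'); setup_client` before the first `get` makes the test hermetic. It would also be stronger to assert that the failure is a verification failure rather than any SSL error, for example by checking that the raised message includes `certificate verify failed`, since a protocol or handshake error would otherwise satisfy the assertion. `escape_env`, `setup_client` and `DIR` are defined outside the hunk, so this assumes `escape_env` restores ENV when the block exits.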