Ruby: How to connect to a host with expired SSL certificate

Posted About 1 month ago. Visible to the public.

If you need to make an HTTPS connection to a host which uses an expired certificate, do not disable certificate verifications entirely. Doing that enables e.g. man in the middle attacks.
If you accept only a single expired and known certificate, you are much less in trouble.

Setup

All the solutions described below use a verify_callback for the request's OpenSSL::X509::Store where you can specify a lambda to adjust its verification response.
Your callback must return either true or false and OpenSSL's verification result is the first callback block argument.

In our examples, we will be connecting to expired.badssl.com which uses an expired certificate.
The certificate is also a wildcard certificate, so its Common Name property (CN) is set to *.badssl.com.

Our verify_callback will allow connecting to an expired host only when its certificate contains CN=*.badssl.com.

uri = URI.parse('https://expired.badssl.com')
expected_common_name = '*.badssl.com'

verify_callback = lambda do |preverify_ok, store_context|
  if store_context.error == OpenSSL::X509::V_ERR_CERT_HAS_EXPIRED && store_context.current_cert.subject.to_s.include?("CN=#{expected_common_name}")
    # The certiciate for that host is expired, but it's fine for us.
    true
  else
    preverify_ok 
  end
end

Using that is fairly straightforward in your favorite connection library. We've described a few below.

Net::HTTP

Ruby's Net::HTTP requires the longest setup of all:

require 'net/https'

http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
http.verify_callback = verify_callback

get = Net::HTTP::Get.new(uri.request_uri)
response = http.request(get)
puts response.body

HTTP

Using the http Show archive.org snapshot gem, you can pass along the verify_callback as an option like so:

require 'http'

response = HTTP.get(uri, ssl: { verify_callback: verify_callback })
puts response.body

RestClient

The rest-client Show archive.org snapshot gem also offers an ssl_verify_callback option, but not for its top-level utility methods, like RestClient.get.
Instead, you can use a RestClient::Resource.new like so:

require 'rest-client'

resource = RestClient::Resource.new(uri.to_s, ssl_verify_callback: verify_callback)
puts resource.get
Arne Hartherz
makandra.com
Say thanks
Last edit
About 1 month ago
Arne Hartherz
License
Source code in this card is licensed under the MIT License.

Related cards:

How to make changes to a Ruby gem (as a Rails developer)

At makandra, we've built a few gems over the years. Some of these are quite popular: spreewald (> 1M downloads), active_type (> 1M downloads), and geordi (> 200k downloads)

Developing a Ruby gem is different from developing Rails applications, w...

Async control flow in JavaScript: Promises, Microtasks, async/await

Slides for Henning's talk on Sep 21st 2017.

Understanding sync vs. async control flow

Talking to synchronous (or "blocking") API

print('script start')
html = get('/foo')
print(html)
print('s...

JavaScript without jQuery (presentation from 2019-01-21)

Summary

  • We want to move away from jQuery in future projects
  • Motivations are performance, bundle size and general trends for the web platform.
  • The native DOM API is much nicer than it used to be, and we can polyfill the missing pieces
  • Un...

How to: Upgrade CarrierWave to 3.x

While upgrading CarrierWave from version 0.11.x to 3.x, we encountered some very nasty fails. Below are the basic changes you need to perform and some behavior you may eventually run into when upgrading your application. This aims to save you some...

The Ruby Object Model

In Ruby (almost) everything is an Object. While this enables a lot of powerful features, this concept might be confusing for developers who have been programming in more static languages, such as Java or C#. This card should help understanding t...

The JavaScript Object Model: A deep dive into prototypes and properties

Speaker today is Henning Koch, Head of Development at makandra.

This talk will be in German with English slides.

Introduction

As web developers we work with JavaScript every day, even when our backend code uses anothe...

Delivering Carrierwave attachments to authorized users only

Preparation

To attach files to your records, you will need a new database column representing the filename of the file. To do this, add a new migration (rails g migration <name>) with the following content:

class AddAttachmentToNotes...

Lightning Talk: Coverage based Test Case Prioritization in Ruby on Rails

For my computer science bachelor's thesis I programmed and evaluated a CLI Test Case Prioritization (TCP) tool for makandra. It has been written as a Ruby Gem and was tested and evaluated against one Ruby on Rails project....

How to create giant memory leaks in AngularJS (and other client-side JavaScript)

This guide shows how to create an AngularJS application that consumes more and more memory until, eventually, the browser process crashes on your users.

Although this guide has been written for Angular 1 originally, most of the advice is relevant...

Invoices: How to properly round and calculate totals

While it might seem trivial to implement an invoice that sums up items and shows net, gross and vat totals, it actually involves a lot of rules and caveats. It is very easy to create invoices where numbers don't add up and a few cents are missing....

Posted by Arne Hartherz to makandra dev (2024-04-08 08:55)
This website uses short-lived cookies to improve usability.
or learn more