Merge pull request #288 from greggersh/ssl_verify_none_with_client_certificate

Allow inclusion of client certificate while not verifying server certificate
2023-03-27 23:23:07 -04:00 · 2014-04-15 09:38:41 -04:00 · 2014-04-15 09:38:41 -04:00 · de013560e6
commit de013560e6
parent a570e54dd3 d1c376d40c
2 changed files with 20 additions and 3 deletions
--- a/lib/httparty/connection_adapter.rb
+++ b/lib/httparty/connection_adapter.rb
@ -45,6 +45,7 @@ module HTTParty
  # * :+debug_output+: see HTTParty::ClassMethods.debug_output.
  # * :+pem+: contains pem data. see HTTParty::ClassMethods.pem.
  # * :+verify+: verify the server’s certificate against the ca certificate.
+  # * :+verify_peer+: set to false to turn off server verification but still send client certificate
  # * :+ssl_ca_file+: see HTTParty::ClassMethods.ssl_ca_file.
  # * :+ssl_ca_path+: see HTTParty::ClassMethods.ssl_ca_path.
  # * :+connection_adapter_options+: contains the hash you passed to HTTParty.connection_adapter when you configured your connection adapter
@ -155,7 +156,7 @@ module HTTParty
        if options[:pem]
          http.cert = OpenSSL::X509::Certificate.new(options[:pem])
          http.key = OpenSSL::PKey::RSA.new(options[:pem], options[:pem_password])
-          http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+          http.verify_mode = options[:verify_peer] == false ? OpenSSL::SSL::VERIFY_NONE : OpenSSL::SSL::VERIFY_PEER
        end

        # PKCS12 client certificate authentication
@ -163,7 +164,7 @@ module HTTParty
          p12 = OpenSSL::PKCS12.new(options[:p12], options[:p12_password])
          http.cert = p12.certificate
          http.key = p12.key
-          http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+          http.verify_mode = options[:verify_peer] == false ? OpenSSL::SSL::VERIFY_NONE : OpenSSL::SSL::VERIFY_PEER
        end

        # SSL certificate authority file and/or directory
--- a/spec/httparty/connection_adapter_spec.rb
+++ b/spec/httparty/connection_adapter_spec.rb
@ -279,7 +279,7 @@ describe HTTParty::ConnectionAdapter do
            OpenSSL::PKey::RSA.should_receive(:new).with(pem, "password").and_return(key)
          end

-          it "uses the provided PEM certificate " do
+          it "uses the provided PEM certificate" do
            subject.cert.should == cert
            subject.key.should == key
          end
@ -287,6 +287,14 @@ describe HTTParty::ConnectionAdapter do
          it "will verify the certificate" do
            subject.verify_mode.should == OpenSSL::SSL::VERIFY_PEER
          end
+          
+          context "when options include verify_peer=false" do
+            let(:options) { {:pem => pem, :pem_password => "password", :verify_peer => false} }
+            
+            it "should not verify the certificate" do
+              subject.verify_mode.should == OpenSSL::SSL::VERIFY_NONE
+            end
+          end
        end

        context "when scheme is not https" do
@ -330,6 +338,14 @@ describe HTTParty::ConnectionAdapter do
          it "will verify the certificate" do
            subject.verify_mode.should == OpenSSL::SSL::VERIFY_PEER
          end
+          
+          context "when options include verify_peer=false" do
+            let(:options) { {:p12 => p12, :p12_password => "password", :verify_peer => false} }
+            
+            it "should not verify the certificate" do
+              subject.verify_mode.should == OpenSSL::SSL::VERIFY_NONE
+            end
+          end
        end

        context "when scheme is not https" do