Enable SSL peer verification by default.

Fixes #139, #255 SSL verification will not be performed if `:verify_ssl` is falsy or a constant like `OpenSSL::SSL::VERIFY_NONE` that disables verification.
2022-11-09 13:49:40 -05:00 · 2014-03-13 00:09:54 -07:00 · 2014-03-13 00:09:54 -07:00 · f270844339
commit f270844339
parent ae88da404c
3 changed files with 22 additions and 11 deletions
--- a/lib/restclient/request.rb
+++ b/lib/restclient/request.rb
@ -20,7 +20,8 @@ module RestClient
  # * :block_response call the provided block with the HTTPResponse as parameter
  # * :raw_response return a low-level RawResponse instead of a Response
  # * :max_redirects maximum number of redirections (default to 10)
-  # * :verify_ssl enable ssl verification, possible values are constants from OpenSSL::SSL
+  # * :verify_ssl enable ssl verification, possible values are constants from
+  #     OpenSSL::SSL::VERIFY_*, defaults to OpenSSL::SSL::VERIFY_PEER
  # * :timeout and :open_timeout are how long to wait for a response and to
  #     open a connection, in seconds. Pass nil to disable the timeout.
  # * :ssl_client_cert, :ssl_client_key, :ssl_ca_file, :ssl_ca_path
@ -57,7 +58,7 @@ module RestClient
      end
      @block_response = args[:block_response]
      @raw_response = args[:raw_response] || false
-      @verify_ssl = args[:verify_ssl] || false
+      @verify_ssl = args.fetch(:verify_ssl, OpenSSL::SSL::VERIFY_PEER)
      @ssl_client_cert = args[:ssl_client_cert] || nil
      @ssl_client_key = args[:ssl_client_key] || nil
      @ssl_ca_file = args[:ssl_ca_file] || nil
@ -189,9 +190,10 @@ module RestClient
      net.use_ssl = uri.is_a?(URI::HTTPS)
      net.ssl_version = @ssl_version if @ssl_version
      err_msg = nil
-      if (@verify_ssl == false) || (@verify_ssl == OpenSSL::SSL::VERIFY_NONE)
-        net.verify_mode = OpenSSL::SSL::VERIFY_NONE
-      elsif @verify_ssl.is_a? Integer
+      if @verify_ssl
+        if @verify_ssl == true
+          @verify_ssl = OpenSSL::SSL::VERIFY_PEER
+        end
        net.verify_mode = @verify_ssl
        net.verify_callback = lambda do |preverify_ok, ssl_context|
          if (!preverify_ok) || ssl_context.error != 0
@ -200,6 +202,8 @@ module RestClient
          end
          true
        end
+      else
+        net.verify_mode = OpenSSL::SSL::VERIFY_NONE
      end
      net.cert = @ssl_client_cert if @ssl_client_cert
      net.key = @ssl_client_key if @ssl_client_key
--- a/spec/integration/request_spec.rb
+++ b/spec/integration/request_spec.rb
@ -14,7 +14,6 @@ describe RestClient::Request do
      request = RestClient::Request.new(
        :method => :get,
        :url => 'https://www.mozilla.org',
-        :verify_ssl => OpenSSL::SSL::VERIFY_PEER,
        :ssl_ca_file => File.join(File.dirname(__FILE__), "certs", "digicert.crt")
      )
      expect { request.execute }.to_not raise_error
@ -24,7 +23,6 @@ describe RestClient::Request do
      request = RestClient::Request.new(
        :method => :get,
        :url => 'https://www.mozilla.org',
-        :verify_ssl => OpenSSL::SSL::VERIFY_PEER,
        :ssl_ca_path => File.join(File.dirname(__FILE__), "capath_digicert")
      )
      expect { request.execute }.to_not raise_error
@ -44,7 +42,6 @@ describe RestClient::Request do
      request = RestClient::Request.new(
        :method => :get,
        :url => 'https://www.mozilla.com',
-        :verify_ssl => OpenSSL::SSL::VERIFY_PEER,
        :ssl_ca_file => File.join(File.dirname(__FILE__), "certs", "verisign.crt")
      )
      expect { request.execute }.to raise_error(RestClient::SSLCertificateNotVerified)
@ -54,7 +51,6 @@ describe RestClient::Request do
      request = RestClient::Request.new(
        :method => :get,
        :url => 'https://www.mozilla.com',
-        :verify_ssl => OpenSSL::SSL::VERIFY_PEER,
        :ssl_ca_path => File.join(File.dirname(__FILE__), "capath_verisign")
      )
      expect { request.execute }.to raise_error(RestClient::SSLCertificateNotVerified)
--- a/spec/unit/request_spec.rb
+++ b/spec/unit/request_spec.rb
@ -15,6 +15,7 @@ describe RestClient::Request do
    @net.stub(:start).and_yield(@http)
    @net.stub(:use_ssl=)
    @net.stub(:verify_mode=)
+    @net.stub(:verify_callback=)
    RestClient.log = nil
  end

@ -494,11 +495,12 @@ describe RestClient::Request do
      @request.transmit(@uri, 'req', 'payload')
    end

-    it "should default to not verifying ssl certificates" do
-      @request.verify_ssl.should eq false
+    it "should default to verifying ssl certificates" do
+      @request.verify_ssl.should eq OpenSSL::SSL::VERIFY_PEER
    end

    it "should set net.verify_mode to OpenSSL::SSL::VERIFY_NONE if verify_ssl is false" do
+      @request = RestClient::Request.new(:method => :put, :verify_ssl => false, :url => 'http://some/resource', :payload => 'payload')
      @net.should_receive(:verify_mode=).with(OpenSSL::SSL::VERIFY_NONE)
      @http.stub(:request)
      @request.stub(:process_result)
@ -515,6 +517,15 @@ describe RestClient::Request do
      @request.transmit(@uri, 'req', 'payload')
    end

+    it "should set net.verify_mode to OpenSSL::SSL::VERIFY_PEER if verify_ssl is true" do
+      @request = RestClient::Request.new(:method => :put, :url => 'https://some/resource', :payload => 'payload', :verify_ssl => true)
+      @net.should_receive(:verify_mode=).with(OpenSSL::SSL::VERIFY_PEER)
+      @http.stub(:request)
+      @request.stub(:process_result)
+      @request.stub(:response_log)
+      @request.transmit(@uri, 'req', 'payload')
+    end
+
    it "should set net.verify_mode to the passed value if verify_ssl is an OpenSSL constant" do
      mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
      @request = RestClient::Request.new( :method => :put,