Turn off SSL certificate verification in Ruby
The following code will disable verification of the certificate. Note that this necessarily implies that invalid certificates will be accepted.
http.verify_mode = OpenSSL::SSL::VERIFY_NONE if http.use_ssl?
Author by
ChrisInEdmonton
Updated on June 26, 2022
Comments
-
ChrisInEdmonton almost 2 years
When using 'net/https' and ssl, how do I disable verification of the resulting SSL certificate?
-
EricLaw almost 15 years
Which, in turn, implies that any code that does this is inherently a security hole.
-
ChrisInEdmonton almost 15 years
This is most certainly true. It should be true that the security hole is exactly the same as if you had simply not used https in the first place.
-
Henley about 11 years
A security hole in the right context. Otherwise, it gets the job done.
-
Matthew Clark over 10 years
I found this useful in a development environment by using
if Rails.env.development?
I use a Mac, and even though I have an up-to-date ca-bundle.crt, sometimes I'd get the "SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed" error anyway. This way, my production servers stay secure.
-
Justin Ohms over 7 years
@ChrisInEdmonton The security hole presented by allowing invalid certificates is significantly different than the hole of not using https. While neither is secure, they are insecure for different reasons. Without https the payload is not encrypted in any way. With an invalid cert the payload is encrypted; you just have no guarantee of authenticity of the provider of the cert. Both are bad but not equivalent and with very different implications.