Asp Forum - open-uri + OpenSSL

Matthew Lagace

10/27/2007 5:36:00 AM

Hello,

I am usring open-uri to open an https:// link and when it tries to read
it, I get the 'connect' : certificate verify failed error. How can I
bypass this SSL verification?

Thanks,
M
--
Posted via http://www.ruby-....

10 Answers

dusty

10/27/2007 5:04:00 PM

On Oct 27, 1:35 am, Matthew Lagace <matthewlag...@gmail.com> wrote:
> Hello,
>
> I am usring open-uri to open an https:// link and when it tries to read
> it, I get the 'connect' : certificate verify failed error. How can I
> bypass this SSL verification?
>
> Thanks,
> M
> --
> Posted viahttp://www.ruby-....

Set the verify_mode to OpenSSL::SSL::VERIFY_NONE

eg:

http = Net::HTTP.new(host,port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE

Matthew Lagace

10/27/2007 5:26:00 PM

Ok when I do that, it says:

ssl value changed, but session already started

dusty wrote:
> On Oct 27, 1:35 am, Matthew Lagace <matthewlag...@gmail.com> wrote:
>> Hello,
>>
>> I am usring open-uri to open an https:// link and when it tries to read
>> it, I get the 'connect' : certificate verify failed error. How can I
>> bypass this SSL verification?
>>
>> Thanks,
>> M
>> --
>> Posted viahttp://www.ruby-....
>
> Set the verify_mode to OpenSSL::SSL::VERIFY_NONE
>
> eg:
>
> http = Net::HTTP.new(host,port)
> http.use_ssl = true
> http.verify_mode = OpenSSL::SSL::VERIFY_NONE

--
Posted via http://www.ruby-....

dusty

11/6/2007 1:51:00 AM

On Oct 27, 12:26 pm, Matthew Lagace <matthewlag...@gmail.com> wrote:
> Ok when I do that, it says:
>
> ssl value changed, but session already started
>
>
>
> dusty wrote:
> > On Oct 27, 1:35 am, Matthew Lagace <matthewlag...@gmail.com> wrote:
> >> Hello,
>
> >> I am usring open-uri to open an https:// link and when it tries to read
> >> it, I get the 'connect' : certificate verify failed error. How can I
> >> bypass this SSL verification?
>
> >> Thanks,
> >> M
> >> --
> >> Posted viahttp://www.ruby-....
>
> > Set the verify_mode to OpenSSL::SSL::VERIFY_NONE
>
> > eg:
>
> > http = Net::HTTP.new(host,port)
> > http.use_ssl = true
> > http.verify_mode = OpenSSL::SSL::VERIFY_NONE
>
> --
> Posted viahttp://www.ruby-....

Sorry, I guess you can't do it with open-uri. Here is a patch:

add this ssl_verify option to the top of the file.

FROM:

module OpenURI
Options = {
:proxy => true,
:progress_proc => true,
:content_length_proc => true,
:http_basic_authentication => true,
}

TO:

module OpenURI
Options = {
:proxy => true,
:progress_proc => true,
:content_length_proc => true,
:http_basic_authentication => true,
:ssl_verify => true
}

Change the part where it enables verification

FROM:

if target.class == URI::HTTPS
require 'net/https'
http.use_ssl = true
http.enable_post_connection_check = true
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
store = OpenSSL::X509::Store.new
store.set_default_paths
http.cert_store = store
end

TO:
if target.class == URI::HTTPS
require 'net/https'
http.use_ssl = true
http.enable_post_connection_check = true
if options[:ssl_verify] == false
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
else
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
end
store = OpenSSL::X509::Store.new
store.set_default_paths
http.cert_store = store
end

run it like this:

open("https://someurl", :ssl_verify => false) {|f|
print f.read
}

dusty

11/6/2007 1:54:00 AM

On Nov 5, 8:51 pm, dusty <dusty.do...@gmail.com> wrote:
> On Oct 27, 12:26 pm, Matthew Lagace <matthewlag...@gmail.com> wrote:
>
>
>
> > Ok when I do that, it says:
>
> > ssl value changed, but session already started
>
> > dusty wrote:
> > > On Oct 27, 1:35 am, Matthew Lagace <matthewlag...@gmail.com> wrote:
> > >> Hello,
>
> > >> I am usring open-uri to open an https:// link and when it tries to read
> > >> it, I get the 'connect' : certificate verify failed error. How can I
> > >> bypass this SSL verification?
>
> > >> Thanks,
> > >> M
> > >> --
> > >> Posted viahttp://www.ruby-....
>
> > > Set the verify_mode to OpenSSL::SSL::VERIFY_NONE
>
> > > eg:
>
> > > http = Net::HTTP.new(host,port)
> > > http.use_ssl = true
> > > http.verify_mode = OpenSSL::SSL::VERIFY_NONE
>
> > --
> > Posted viahttp://www.ruby-....
>
> Sorry, I guess you can't do it with open-uri. Here is a patch:
>
> add this ssl_verify option to the top of the file.
>
> FROM:
>
> module OpenURI
> Options = {
> :proxy => true,
> :progress_proc => true,
> :content_length_proc => true,
> :http_basic_authentication => true,
> }
>
> TO:
>
> module OpenURI
> Options = {
> :proxy => true,
> :progress_proc => true,
> :content_length_proc => true,
> :http_basic_authentication => true,
> :ssl_verify => true
> }
>
> Change the part where it enables verification
>
> FROM:
>
> if target.class == URI::HTTPS
> require 'net/https'
> http.use_ssl = true
> http.enable_post_connection_check = true
> http.verify_mode = OpenSSL::SSL::VERIFY_PEER
> store = OpenSSL::X509::Store.new
> store.set_default_paths
> http.cert_store = store
> end
>
> TO:
> if target.class == URI::HTTPS
> require 'net/https'
> http.use_ssl = true
> http.enable_post_connection_check = true
> if options[:ssl_verify] == false
> http.verify_mode = OpenSSL::SSL::VERIFY_NONE
> else
> http.verify_mode = OpenSSL::SSL::VERIFY_PEER
> end
> store = OpenSSL::X509::Store.new
> store.set_default_paths
> http.cert_store = store
> end
>
> run it like this:
>
> open("https://someurl", :ssl_verify => false) {|f|
> print f.read
>
> }

Sorry, this all goes in open-uri.rb in your ruby base dir, eg:

/usr/lib/ruby/1.8/open-uri.rb
or
/opt/local/lib/ruby/1.8/open-uri.rb

or wherever it may be on your distro.

mortee

11/6/2007 4:35:00 AM

dusty wrote:
> On Nov 5, 8:51 pm, dusty <dusty.do...@gmail.com> wrote:
>> On Oct 27, 12:26 pm, Matthew Lagace <matthewlag...@gmail.com> wrote:
>>
>>
>>
>>> Ok when I do that, it says:
>>> ssl value changed, but session already started
>>> dusty wrote:
>>>> On Oct 27, 1:35 am, Matthew Lagace <matthewlag...@gmail.com> wrote:
>>>>> Hello,
>>>>> I am usring open-uri to open an https:// link and when it tries to read
>>>>> it, I get the 'connect' : certificate verify failed error. How can I
>>>>> bypass this SSL verification?
>>>>> Thanks,
>>>>> M
>>>>> --
>>>>> Posted viahttp://www.ruby-....
>>>> Set the verify_mode to OpenSSL::SSL::VERIFY_NONE
>>>> eg:
>>>> http = Net::HTTP.new(host,port)
>>>> http.use_ssl = true
>>>> http.verify_mode = OpenSSL::SSL::VERIFY_NONE
>>> --
>>> Posted viahttp://www.ruby-....
>> Sorry, I guess you can't do it with open-uri. Here is a patch:
>>
>> add this ssl_verify option to the top of the file.
>>
>> FROM:
>>
>> module OpenURI
>> Options = {
>> :proxy => true,
>> :progress_proc => true,
>> :content_length_proc => true,
>> :http_basic_authentication => true,
>> }
>>
>> TO:
>>
>> module OpenURI
>> Options = {
>> :proxy => true,
>> :progress_proc => true,
>> :content_length_proc => true,
>> :http_basic_authentication => true,
>> :ssl_verify => true
>> }
>>
>> Change the part where it enables verification
>>
>> FROM:
>>
>> if target.class == URI::HTTPS
>> require 'net/https'
>> http.use_ssl = true
>> http.enable_post_connection_check = true
>> http.verify_mode = OpenSSL::SSL::VERIFY_PEER
>> store = OpenSSL::X509::Store.new
>> store.set_default_paths
>> http.cert_store = store
>> end
>>
>> TO:
>> if target.class == URI::HTTPS
>> require 'net/https'
>> http.use_ssl = true
>> http.enable_post_connection_check = true
>> if options[:ssl_verify] == false
>> http.verify_mode = OpenSSL::SSL::VERIFY_NONE
>> else
>> http.verify_mode = OpenSSL::SSL::VERIFY_PEER
>> end
>> store = OpenSSL::X509::Store.new
>> store.set_default_paths
>> http.cert_store = store
>> end
>>
>> run it like this:
>>
>> open("https://someurl", :ssl_verify => false) {|f|
>> print f.read
>>
>> }
>
>
> Sorry, this all goes in open-uri.rb in your ruby base dir, eg:
>
> /usr/lib/ruby/1.8/open-uri.rb
> or
> /opt/local/lib/ruby/1.8/open-uri.rb
>
> or wherever it may be on your distro.

The nice thing about Ruby is that if you don't want to modify your
system files (for example I don't like to do it because it's quite hard
to track later), then you can simply patch the modules/classes in
question on the fly, at the beginning of your application. And possibly
file a bug report (:

However, I guess the verification-enabling code would be more versatile
this way:

if options[:ssl_verify]
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
else
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
end

mortee

Matthew Lagace

11/6/2007 12:15:00 PM

Great thanks guys!

--
Posted via http://www.ruby-....

dusty

11/6/2007 2:26:00 PM

On Nov 5, 11:34 pm, mortee <mortee.li...@kavemalna.hu> wrote:
> dusty wrote:
> > On Nov 5, 8:51 pm, dusty <dusty.do...@gmail.com> wrote:
> >> On Oct 27, 12:26 pm, Matthew Lagace <matthewlag...@gmail.com> wrote:
>
> >>> Ok when I do that, it says:
> >>> ssl value changed, but session already started
> >>> dusty wrote:
> >>>> On Oct 27, 1:35 am, Matthew Lagace <matthewlag...@gmail.com> wrote:
> >>>>> Hello,
> >>>>> I am usring open-uri to open an https:// link and when it tries to read
> >>>>> it, I get the 'connect' : certificate verify failed error. How can I
> >>>>> bypass this SSL verification?
> >>>>> Thanks,
> >>>>> M
> >>>>> --
> >>>>> Posted viahttp://www.ruby-....
> >>>> Set the verify_mode to OpenSSL::SSL::VERIFY_NONE
> >>>> eg:
> >>>> http = Net::HTTP.new(host,port)
> >>>> http.use_ssl = true
> >>>> http.verify_mode = OpenSSL::SSL::VERIFY_NONE
> >>> --
> >>> Posted viahttp://www.ruby-....
> >> Sorry, I guess you can't do it with open-uri. Here is a patch:
>
> >> add this ssl_verify option to the top of the file.
>
> >> FROM:
>
> >> module OpenURI
> >> Options = {
> >> :proxy => true,
> >> :progress_proc => true,
> >> :content_length_proc => true,
> >> :http_basic_authentication => true,
> >> }
>
> >> TO:
>
> >> module OpenURI
> >> Options = {
> >> :proxy => true,
> >> :progress_proc => true,
> >> :content_length_proc => true,
> >> :http_basic_authentication => true,
> >> :ssl_verify => true
> >> }
>
> >> Change the part where it enables verification
>
> >> FROM:
>
> >> if target.class == URI::HTTPS
> >> require 'net/https'
> >> http.use_ssl = true
> >> http.enable_post_connection_check = true
> >> http.verify_mode = OpenSSL::SSL::VERIFY_PEER
> >> store = OpenSSL::X509::Store.new
> >> store.set_default_paths
> >> http.cert_store = store
> >> end
>
> >> TO:
> >> if target.class == URI::HTTPS
> >> require 'net/https'
> >> http.use_ssl = true
> >> http.enable_post_connection_check = true
> >> if options[:ssl_verify] == false
> >> http.verify_mode = OpenSSL::SSL::VERIFY_NONE
> >> else
> >> http.verify_mode = OpenSSL::SSL::VERIFY_PEER
> >> end
> >> store = OpenSSL::X509::Store.new
> >> store.set_default_paths
> >> http.cert_store = store
> >> end
>
> >> run it like this:
>
> >> open("https://someurl", :ssl_verify => false) {|f|
> >> print f.read
>
> >> }
>
> > Sorry, this all goes in open-uri.rb in your ruby base dir, eg:
>
> > /usr/lib/ruby/1.8/open-uri.rb
> > or
> > /opt/local/lib/ruby/1.8/open-uri.rb
>
> > or wherever it may be on your distro.
>
> The nice thing about Ruby is that if you don't want to modify your
> system files (for example I don't like to do it because it's quite hard
> to track later), then you can simply patch the modules/classes in
> question on the fly, at the beginning of your application. And possibly
> file a bug report (:
>
> However, I guess the verification-enabling code would be more versatile
> this way:
>
> if options[:ssl_verify]
> http.verify_mode = OpenSSL::SSL::VERIFY_PEER
> else
> http.verify_mode = OpenSSL::SSL::VERIFY_NONE
> end
>
> mortee

Good idea. I submitted a patch to rubyforge. This might be useful
and simple enough to add.

http://rubyforge.org/tracker/?group_id=426&atid=1698&func=detail&...

Marc Heiler

6/2/2008 11:01:00 AM

Any news about the status of this?
--
Posted via http://www.ruby-....

Junkone

6/2/2008 3:09:00 PM

On Jun 2, 7:01 am, Marc Heiler <sheve...@linuxmail.org> wrote:
> Any news about the status of this?
> --
> Posted viahttp://www.ruby-....

i too am waiting for this patch. appreciate early response.

Seede

Junkone

6/2/2008 3:33:00 PM

On Jun 2, 7:01 am, Marc Heiler <sheve...@linuxmail.org> wrote:
> Any news about the status of this?
> --
> Posted viahttp://www.ruby-....

i tried to put the patch into my open-uri.rb and it failed with a new
error
irb(main):007:0* open("https://www.interactivebrokers.com/...
servlet/FlexStatementService.GetStatement?
t=1437758&q=1126698&v=2",:ssl_verify => true){|f|puts f}
NoMethodError: undefined method `enable_post_connection_check=' for
#<Net::HTTP www.interactivebrokers.com:443 open=false>
from e:/ruby/lib/ruby/1.8/open-uri.rb:242:in `open_http'
from e:/ruby/lib/ruby/1.8/open-uri.rb:643:in `buffer_open'
from e:/ruby/lib/ruby/1.8/open-uri.rb:170:in `open_loop'
from e:/ruby/lib/ruby/1.8/open-uri.rb:168:in `catch'
from e:/ruby/lib/ruby/1.8/open-uri.rb:168:in `open_loop'
from e:/ruby/lib/ruby/1.8/open-uri.rb:138:in `open_uri'
from e:/ruby/lib/ruby/1.8/open-uri.rb:545:in `open'
from e:/ruby/lib/ruby/1.8/open-uri.rb:30:in `open'
from (irb):7

comp.lang.ruby

open-uri + OpenSSL

Matthew Lagace

dusty

Matthew Lagace

dusty

dusty

mortee

Matthew Lagace

dusty

Marc Heiler

Junkone

Junkone

x Login to ForumsZone