A lot of what I've seen around SO and blog posts is that
- By default, Net::HTTP does not verify peer SSL certificates
- To force Net::HTTP to verify peer, you need to to it too and supply a CA cert file containing trusted authorities
However, I've found that this is not completely necessary. On my Mac, I have the following code
http = Net::HTTP.new('www.google.com', 443)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
http.start do
http.request_get('/') do |response|
puts response.body
end
end
This works. But what is Ruby using to verify the peer with? When I look at the output of http.ca_path
and http.ca_file
they are both blank.
I'm running this code in Ruby 1.9.3p374. Perhaps when Ruby was compiled on my Mac, it pulled in some default location of CA cert chains from openssl or something?
It looks like if no verify callback is set then OpenSSL library default callback is used. See line 217 in the openssl module verify callback wrapper (the
ok
argument is the result of the default callback).On OS X, Apple has apparently customized the default callback in their OpenSSL library to hook in to the OS X Keychain facility. The root CA of Google's certificate is Equifax Secure Certificate Authority. If you change the trust setting in Keychain (e.g. using the Keychain Access utility) for this CA then your ruby test behaves accordingly.
I believe the answer to your question is that when peer certificate verification is required but not configured, the ruby shipped with OS X verifies using Keychain.