Why don't I need to specify a CA bundle to Net::HTTP SSL requests?


Question

A lot of what I've seen around SO and blog posts is that

  1. By default, Net::HTTP does not verify the peer's SSL certificate
  2. To force Net::HTTP to verify the peer, you also need to set it to verify and supply a CA certificate file containing the trusted authorities

However, I've found that this is not completely necessary. On my Mac, I have the following code

require 'net/http'
require 'openssl'

http = Net::HTTP.new('www.google.com', 443)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_PEER   # fail the handshake if the peer cert does not verify
http.start do
  http.request_get('/') do |response|
    puts response.body
  end
end

This works. But what is Ruby using to verify the peer with? When I look at the output of http.ca_path and http.ca_file they are both blank.

I'm running this code in Ruby 1.9.3p374. Perhaps when Ruby was compiled on my Mac, it pulled in some default location of CA cert chains from openssl or something?

Recommended answer

It looks like if no verify callback is set then OpenSSL library default callback is used. See line 217 in the openssl module verify callback wrapper (the ok argument is the result of the default callback).

On OS X, Apple has apparently customized the default callback in their OpenSSL library to hook in to the OS X Keychain facility. The root CA of Google's certificate is Equifax Secure Certificate Authority. If you change the trust setting in Keychain (e.g. using the Keychain Access utility) for this CA then your ruby test behaves accordingly.

I believe the answer to your question is that when peer certificate verification is required but not configured, the ruby shipped with OS X verifies using Keychain.
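Two things the question and the answer leave implicit, shown in an added Ruby example that is not part of either post: where Ruby's OpenSSL looks when `ca_file` and `ca_path` are both blank (in Ruby's openssl/ssl.rb, `SSLContext#set_params` substitutes a store built with `set_default_paths` whenever `verify_mode` is not `VERIFY_NONE` and no `ca_file`, `ca_path` or `cert_store` was given, so the compiled-in `OpenSSL::X509::DEFAULT_CERT_FILE` / `DEFAULT_CERT_DIR` locations are what get consulted; on the Apple build the answer describes, the Keychain hook sits on top of that), and what the verify callback's `ok` argument actually carries at each depth of the chain. The throwaway root CA, the leaf certificate and the host name `www.example.test` are constructed for the example; nothing touches the network. The practical takeaway is the last function: if you set `cert_store` yourself, the result no longer depends on which OpenSSL or platform trust hook Ruby happened to be built against.

```ruby
require 'openssl'
require 'net/http'

# Where Ruby's OpenSSL looks for trust anchors when ca_file and ca_path are
# both unset. With verify_mode = VERIFY_PEER and nothing else configured,
# Net::HTTP's SSLContext#set_params substitutes a store built with
# set_default_paths, which reads these compiled-in locations (overridable via
# the SSL_CERT_FILE / SSL_CERT_DIR environment variables).
def default_trust_locations
  {
    library:   OpenSSL::OPENSSL_LIBRARY_VERSION,
    cert_file: OpenSSL::X509::DEFAULT_CERT_FILE,
    cert_dir:  OpenSSL::X509::DEFAULT_CERT_DIR
  }
end

# Constructed test data: a throwaway root CA, or a leaf signed by `issuer`
# (a [cert, key] pair). Returns [cert, key]. Not for real-world use.
def make_cert(subject, ca:, issuer: nil)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                       # X.509 v3
  cert.serial     = rand(1..(2**62))
  cert.subject    = OpenSSL::X509::Name.parse(subject)
  cert.issuer     = issuer ? issuer[0].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = issuer ? issuer[0] : cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', ca ? 'keyCertSign,cRLSign' : 'digitalSignature,keyEncipherment', true))
  cert.sign(issuer ? issuer[1] : key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Run OpenSSL's chain verification of `leaf` against `store`, recording the
# library's own decision (preverify_ok) at every depth. The proc has the same
# (preverify_ok, store_ctx) signature as Net::HTTP#verify_callback. Returning
# preverify_ok unchanged reproduces the default behaviour; a callback that
# returned true regardless would silently turn VERIFY_PEER into VERIFY_NONE.
def verify_chain(store, leaf, untrusted = [])
  decisions = []
  store.verify_callback = proc do |preverify_ok, store_ctx|
    decisions << { depth: store_ctx.error_depth, ok: preverify_ok,
                   error: store_ctx.error_string }
    preverify_ok
  end
  ctx = OpenSSL::X509::StoreContext.new(store, leaf, untrusted)
  { ok: ctx.verify, error: ctx.error_string, decisions: decisions }
end

# A Net::HTTP client that trusts ONLY `store`: because cert_store is set,
# set_params does not fall back to the compiled-in default paths or to any
# platform trust hook behind them.
def pinned_http(host, store)
  http = Net::HTTP.new(host, 443)
  http.use_ssl     = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.cert_store  = store
  http
end

if $PROGRAM_NAME == __FILE__
  root = make_cert('/CN=Example Test Root', ca: true)
  leaf = make_cert('/CN=www.example.test', ca: false, issuer: root)

  puts default_trust_locations.inspect

  # No anchor at all: OpenSSL reports the failure to the callback at depth 0.
  puts verify_chain(OpenSSL::X509::Store.new, leaf[0]).inspect

  # Only our root trusted: every depth gets preverify_ok = true.
  pinned = OpenSSL::X509::Store.new
  pinned.add_cert(root[0])
  puts verify_chain(pinned, leaf[0]).inspect

  http = pinned_http('www.example.test', pinned)
  puts "cert_store pinned: #{http.cert_store.equal?(pinned)}"
end
```

Run it once with the empty store and once with the pinned store and compare the `decisions` arrays: the `ok` flag recorded there is exactly the `ok` argument the answer refers to, and the empty-store run shows the error OpenSSL would have reported if the question's code had not been handed a usable default trust store by whatever OpenSSL Ruby was built against.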
