Closed mycargus closed 5 years ago
Perhaps we should document how turning off TLS verification should only be done when you're absolutely sure you need to? And it doesn't actually fix talking to real remote sites? :wink: :wink:
What about rack-test, does this API work for that too?
+1 @SecurityInsanity, I'll update the readme.
@sethpollack agh, I didn't think about rack test. I'll look into that.
Thank you both!
@sethpollack I could very well be wrong as I don't know Rack well, but I think disabling SSL cert verification in the RackTestRequester would require adding a Rack middleware gem. I couldn't find any SSL support in the rack-test gem besides setting a `{'HTTPS' => 'on'}` env var, which as far as I can tell doesn't help us with this feature PR.
What do you think? Should this be a non-Rack feature only, or should we add a middleware gem dependency? Or might there be a different solution?
Not sure, but I think I was trying to keep the API consistent between all the requesters.
Understandable. As an end user I would prefer consistency as well.
So what do you suggest we do?
@sethpollack My team and I need this feature ASAP, so I'm biased. :) That said, I've been researching all morning and the solution for disabling SSL cert verification in Rack still isn't clear to me. The only semi-living Rack middleware gem for SSL I could find is https://github.com/tobmatth/rack-ssl-enforcer, but I can't find any option to disable cert verification in that code base.
My suggestion is to merge this PR after I add a note to the README to indicate this flag won't work for directly testing Rack apps that aren't running in a server, e.g.

```ruby
Airborne.configure do |config|
  config.rack_app = MySinatraApp
end
```
@sethpollack What do you think? We need to know if this can get merged and released today. Thanks!
Thanks!
This should close issue #118
A few notes on this PR:
I don't quite grok the `head` and `options` base methods, so I may have missed some necessary changes there.
I came across the following related report in the rest-client repo, but I couldn't reproduce the reported error with this PR in place. ¯\_(ツ)_/¯ https://github.com/rest-client/rest-client/issues/628
I wanted to refactor the base.rb methods to simplify the method parameters (for example, to avoid `get '/foo', nil, false` ... feels icky) and to allow passing any desired options down to RestClient, but decided against it. I think most users will be served by the `Airborne.configuration` and RSpec metadata tag for now.
The excellent badssl.com project lets us manually verify these changes actually work:
Note they specifically recommend against using their servers for automated testing, so I didn't code a spec. I think having one would be a good addition though if y'all want to fork their repo and host a "bad ssl" server.
Let me know if anything needs changing!
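The configuration-plus-metadata flow the PR description sketches, as an added example that is not Airborne's own code: verification stays on by default, a per-example RSpec metadata value overrides the global flag, and the result is mapped to the OpenSSL verify mode that RestClient's `verify_ssl` option accepts. The option name `verify_ssl`, the metadata key and the module name are assumptions, not the PR's actual identifiers.

```ruby
# Added example, not Airborne's code. Option/metadata names are assumed.
require 'openssl'

module TlsVerifyExample
  # Global configuration; the secure default is verification ON.
  class Configuration
    attr_accessor :verify_ssl

    def initialize
      @verify_ssl = true
    end
  end

  def self.configuration
    @configuration ||= Configuration.new
  end

  def self.configure
    yield configuration
  end

  # Resolve the effective setting for one example. An explicit per-example
  # metadata value (e.g. `it 'talks to a lab host', verify_ssl: false`) wins;
  # otherwise fall back to the global flag.
  def self.effective_verify_ssl(metadata = {})
    return metadata[:verify_ssl] if metadata.key?(:verify_ssl)

    configuration.verify_ssl
  end

  # Build the option hash handed to RestClient. Its verify_ssl keyword accepts
  # OpenSSL::SSL::VERIFY_* constants; VERIFY_NONE accepts any certificate, so
  # it is only emitted on an explicit opt-out, and the opt-out is logged.
  def self.rest_client_options(metadata = {})
    verify = effective_verify_ssl(metadata)
    mode = verify ? OpenSSL::SSL::VERIFY_PEER : OpenSSL::SSL::VERIFY_NONE
    warn 'TLS certificate verification disabled for this request' unless verify
    { verify_ssl: mode }
  end
end
```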