jamesgolick / always_verify_ssl_certificates

Ruby's net/http is set up to never verify SSL certificates by default. Most Ruby libraries do the same. That means that you're not verifying the identity of the server you're communicating with and are therefore exposed to man-in-the-middle attacks. This gem monkey-patches net/http to force certificate verification and make turning it off impossible.
MIT License
97 stars 16 forks

CA certificates bundle needed? #7

Closed cimm closed 8 years ago

cimm commented 12 years ago

The RubyInside article mentions the CA certificates bundle:

To get going, you need a local CA certificates bundle, the official 
curl site maintains an up to date cacert.pem / ca-bundle.crt file containing
all of the major certificates if you need one.

The README does not. This confuses me: do I need the CA certificates bundle, or will the gem do its job without it? Thanks!

Shelvetco commented 8 years ago

Some OSs include the certificate bundle as part of the system. If this is the case, you're all good to go. If not, you do need it. Without it, this gem will raise on any https connection.
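The check described in the answer above, as an added example that is not part of the thread or of the gem's code: it looks for a system CA bundle, falls back to one supplied through `SSL_CERT_FILE` / `SSL_CERT_DIR`, and refuses to build a client when neither exists. The helper names `find_ca_source`, `verified_http` and `NoTrustStoreError` are hypothetical, and the lookup only checks that a bundle is present and non-empty, not that its contents are valid certificates.

```ruby
require 'net/http'
require 'openssl'

# Hypothetical error class for this example: raised instead of falling back
# to an unverified connection.
class NoTrustStoreError < StandardError; end

# Returns [:file, path] or [:dir, path] for the first usable CA source, or nil.
# An explicitly supplied bundle (SSL_CERT_FILE / SSL_CERT_DIR) is tried before
# the locations compiled into the local OpenSSL build.
def find_ca_source(env: ENV,
                   default_file: OpenSSL::X509::DEFAULT_CERT_FILE,
                   default_dir: OpenSSL::X509::DEFAULT_CERT_DIR)
  files = [env['SSL_CERT_FILE'], default_file].compact
  file = files.find { |p| File.file?(p) && File.size?(p) }
  return [:file, file] if file

  dirs = [env['SSL_CERT_DIR'], default_dir].compact
  dir = dirs.find { |p| File.directory?(p) && !Dir.empty?(p) }
  return [:dir, dir] if dir

  nil
end

# Builds a Net::HTTP client that verifies the peer against the CA source.
# No connection is opened here; that happens on the first request.
def verified_http(host, port = 443, ca_source: find_ca_source)
  unless ca_source
    raise NoTrustStoreError,
          'no CA bundle found; install one or set SSL_CERT_FILE'
  end

  http = Net::HTTP.new(host, port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  kind, path = ca_source
  if kind == :file
    http.ca_file = path
  else
    http.ca_path = path
  end
  http
end

# Stand-alone run: report which trust source this machine would use.
puts "CA source: #{find_ca_source.inspect}" if __FILE__ == $PROGRAM_NAME
```
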

cimm commented 8 years ago

@Shelvetco I no longer remember posting this question but thank you for the clarification. ;)