systemtruststores / systemtruststores.github.io

Website

Language support: Ruby #2

Open chriskilding opened 2 years ago

chriskilding commented 2 years ago

Tracking the state of native TLS certificate verification in Ruby.

Interpreters to consider:

Note that macOS Monterey (and possibly later versions) ship with a system Ruby built by Apple. It is possible that, like the system curl, this was built with Secure Transport and therefore benefits from native TLS verification. This is not necessarily something that normal Ruby (as obtained from ruby.org, rbenv etc) does.

chriskilding commented 2 years ago

Minimal example to use for testing:

```ruby
require 'net/http'
require 'openssl'

# Plain Net::HTTP, which is what most Ruby HTTP clients delegate to internally.
net = Net::HTTP.new("npmjs.com", 443)

net.use_ssl = true
# Fail the connection if the server certificate does not chain to a trusted CA.
net.verify_mode = OpenSSL::SSL::VERIFY_PEER

response = net.get("/")

puts "Response code: " + response.code
```

(Note that net/http is what most Ruby HTTP clients delegate to internally.)

chriskilding commented 1 year ago

When Homebrew is used to install Ruby, either directly or with a tool like rbenv, it may implicitly install ca-certificates as well. This applies a workaround where it exports the current contents of the system keychain into a cert.pem file on the filesystem. The result is that a custom TLS certificate may 'appear' to work on some systems.

But this is fragile...

For a start, it depends on the order of things happening. The custom certificate must be in the Keychain before ca-certificates is "installed".

Then, if the certificate is updated in the keychain in the future, the change will not propagate to the copy on the filesystem.

Therefore, it is no substitute for true support of the system truststore.
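An added example (not from the issue thread or the Homebrew project) that makes the point above checkable. It reports which CA file and directory this Ruby's OpenSSL actually consults (the `SSL_CERT_FILE`/`SSL_CERT_DIR` overrides or the compiled-in defaults; never the Keychain), and then simulates the ca-certificates workaround with a constructed self-signed CA: a cert.pem snapshot is written, the CA is "re-issued" afterwards, and a fingerprint check shows the snapshot still holds only the old certificate. The `snapshot_bundle` helper is a stand-in for the export step, not Homebrew's code, and the `Example Internal CA` name is made up.

```ruby
require 'openssl'
require 'tmpdir'

# Where this Ruby's OpenSSL actually looks for trust anchors.
# The env vars override the compiled-in defaults; the Keychain is never consulted.
def truststore_locations
  {
    cert_file: ENV['SSL_CERT_FILE'] || OpenSSL::X509::DEFAULT_CERT_FILE,
    cert_dir:  ENV['SSL_CERT_DIR']  || OpenSSL::X509::DEFAULT_CERT_DIR
  }
end

# Parse every PEM certificate in a bundle file (returns [] if the file is missing).
def load_bundle(path)
  return [] unless File.file?(path)
  File.read(path)
      .scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
      .map { |pem| OpenSSL::X509::Certificate.new(pem) }
end

def fingerprint(cert)
  OpenSSL::Digest.new('SHA256').hexdigest(cert.to_der)
end

# True if the bundle holds this exact certificate. Matching by SHA-256
# fingerprint means a re-issued CA with the same name but a new key does not match.
def bundle_contains?(path, cert)
  want = fingerprint(cert)
  load_bundle(path).any? { |c| fingerprint(c) == want }
end

# Constructed test data: a throwaway self-signed CA standing in for a custom
# certificate someone added to the macOS Keychain.
def make_self_signed_ca(common_name)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Stand-in (assumption, not Homebrew's code) for the ca-certificates export:
# dump a set of certs to a cert.pem snapshot on disk and return its path.
# Nothing links the file back to the Keychain it was copied from.
def snapshot_bundle(certs)
  path = File.join(Dir.mktmpdir('cert-snapshot'), 'cert.pem')
  File.write(path, certs.map(&:to_pem).join)
  path
end

if __FILE__ == $PROGRAM_NAME
  locs = truststore_locations
  count = File.file?(locs[:cert_file]) ? load_bundle(locs[:cert_file]).size : 'missing'
  puts "cert file: #{locs[:cert_file]} (#{count} certs)"
  puts "cert dir:  #{locs[:cert_dir]}"

  old_ca = make_self_signed_ca('Example Internal CA')
  pem    = snapshot_bundle([old_ca])                    # export happens here ...
  new_ca = make_self_signed_ca('Example Internal CA')   # ... then the CA is re-issued in the Keychain
  puts "snapshot has old CA: #{bundle_contains?(pem, old_ca)}"   # true
  puts "snapshot has new CA: #{bundle_contains?(pem, new_ca)}"   # false: the copy is stale
end
```

Running `bundle_contains?(truststore_locations[:cert_file], your_ca)` against the real path is the quickest way to tell whether a custom CA "working" on one machine is down to the exported cert.pem rather than any system truststore support.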