open-uri + OpenSSL

Matthew Lagace

Hello,

I am using open-uri to open an https:// link and when it tries to read
it, I get the 'connect' : certificate verify failed error. How can I
bypass this SSL verification?

Thanks,
M
 
dusty

Set the verify_mode to OpenSSL::SSL::VERIFY_NONE

eg:

http = Net::HTTP.new(host,port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
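
"certificate verify failed" means the server's chain does not end in a CA that the client's store trusts. The following added example (not code from the thread) shows the alternative to VERIFY_NONE: keep VERIFY_PEER and add the issuing CA to the store. The CA, the server certificate, the host name and the helper names are constructed for illustration.

```ruby
require 'net/http'
require 'openssl'

# Constructed test PKI (not from the thread): build a certificate for
# `subject`, signed by `issuer_key`, or self-signed when no issuer is given.
def issue_cert(subject, key, issuer_cert = nil, issuer_key = nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = rand(1..0xffffffff)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  constraint = issuer_cert ? 'CA:FALSE' : 'CA:TRUE'
  cert.add_extension(ef.create_extension('basicConstraints', constraint, true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

CA_KEY      = OpenSSL::PKey::RSA.new(2048)
CA_CERT     = issue_cert('/CN=Constructed Internal CA', CA_KEY)
SERVER_CERT = issue_cert('/CN=intranet.example', OpenSSL::PKey::RSA.new(2048),
                         CA_CERT, CA_KEY)

# Hypothetical helper: every SSL setting is applied before the session
# starts, and verification stays on; `extra_ca` widens the trust store.
def verifying_client(host, port = 443, extra_ca = nil)
  http = Net::HTTP.new(host, port) # no connection is opened here
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  store = OpenSSL::X509::Store.new
  store.set_default_paths
  store.add_cert(extra_ca) if extra_ca
  http.cert_store = store
  http
end

# True when the client's trust store accepts the certificate's chain.
def trusts?(http, cert)
  http.cert_store.verify(cert)
end
```

Current open-uri accepts `:ssl_ca_cert` and `:ssl_verify_mode` options, so a CA file can be passed to the open call directly without editing open-uri.rb.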
 
dusty

Ok when I do that, it says:

ssl value changed, but session already started

Sorry, I guess you can't do it with open-uri. Here is a patch:

add this ssl_verify option to the top of the file.

FROM:

module OpenURI
Options = {
:proxy => true,
:progress_proc => true,
:content_length_proc => true,
:http_basic_authentication => true,
}

TO:

module OpenURI
Options = {
:proxy => true,
:progress_proc => true,
:content_length_proc => true,
:http_basic_authentication => true,
:ssl_verify => true
}

Change the part where it enables verification

FROM:

if target.class == URI::HTTPS
require 'net/https'
http.use_ssl = true
http.enable_post_connection_check = true
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
store = OpenSSL::X509::Store.new
store.set_default_paths
http.cert_store = store
end

TO:
if target.class == URI::HTTPS
require 'net/https'
http.use_ssl = true
http.enable_post_connection_check = true
if options[:ssl_verify] == false
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
else
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
end
store = OpenSSL::X509::Store.new
store.set_default_paths
http.cert_store = store
end
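
Review bot: in the TO block, `if options[:ssl_verify] == false` gives callers only an all-or-nothing switch, and the false branch accepts any certificate the server presents. The store built just below it (`store.set_default_paths`) is the natural place to also accept a caller-supplied CA file or directory, so a host with a private CA can be trusted while VERIFY_PEER stays on. The `== false` comparison itself is worth keeping, since a call that omits :ssl_verify still verifies.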

run it like this:

open("https://someurl", :ssl_verify => false) {|f|
print f.read
}
 
dusty

Sorry, this all goes in open-uri.rb in your ruby base dir, eg:

/usr/lib/ruby/1.8/open-uri.rb
or
/opt/local/lib/ruby/1.8/open-uri.rb

or wherever it may be on your distro.
 
mortee

The nice thing about Ruby is that if you don't want to modify your
system files (for example I don't like to do it because it's quite hard
to track later), then you can simply patch the modules/classes in
question on the fly, at the beginning of your application. And possibly
file a bug report :)

However, I guess the verification-enabling code would be more versatile
this way:

if options[:ssl_verify]
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
else
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
end

mortee
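
The two checks posted in this thread treat a missing option differently. This added example (not code from the thread) runs both over the same caller inputs, assuming the caller's option hash reaches the check as passed, with no defaults merged in. The function names, the merged-default variant and the sample calls are constructed for illustration.

```ruby
require 'openssl'

PEER = OpenSSL::SSL::VERIFY_PEER
NONE = OpenSSL::SSL::VERIFY_NONE

# Check from the first patch in the thread: only an explicit false disables.
def mode_explicit_false(options)
  options[:ssl_verify] == false ? NONE : PEER
end

# Truthiness check from the follow-up suggestion.
def mode_truthy(options)
  options[:ssl_verify] ? PEER : NONE
end

# Hypothetical variant: merge a default first, then use the truthiness check.
DEFAULTS = { :ssl_verify => true }.freeze
def mode_truthy_with_default(options)
  mode_truthy(DEFAULTS.merge(options))
end

# Constructed caller inputs: option omitted, true, false, and an explicit nil
# (for example a configuration lookup that found nothing).
CALLS = {
  'omitted' => {},
  'true'    => { :ssl_verify => true },
  'false'   => { :ssl_verify => false },
  'nil'     => { :ssl_verify => nil }
}.freeze

# Returns the labels of the calls for which `checker` turns verification off.
def unverified_calls(checker)
  CALLS.select { |_, opts| send(checker, opts) == NONE }.keys
end

if __FILE__ == $PROGRAM_NAME
  %i[mode_explicit_false mode_truthy mode_truthy_with_default].each do |c|
    puts "#{c}: verification off for #{unverified_calls(c).inspect}"
  end
end
```

Only the explicit comparison keeps verification on for every call that did not ask for it to be disabled.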
 
dusty

Good idea. I submitted a patch to rubyforge. This might be useful
and simple enough to add.

http://rubyforge.org/tracker/?group_id=426&atid=1698&func=detail&aid=15390
 
Junkone

Any news about the status of this?

I tried to put the patch into my open-uri.rb and it failed with a new
error
irb(main):007:0* open("https://www.interactivebrokers.com/Universal/
servlet/FlexStatementService.GetStatement?
t=1437758&q=1126698&v=2",:ssl_verify => true){|f|puts f}
NoMethodError: undefined method `enable_post_connection_check=' for
#<Net::HTTP www.interactivebrokers.com:443 open=false>
from e:/ruby/lib/ruby/1.8/open-uri.rb:242:in `open_http'
from e:/ruby/lib/ruby/1.8/open-uri.rb:643:in `buffer_open'
from e:/ruby/lib/ruby/1.8/open-uri.rb:170:in `open_loop'
from e:/ruby/lib/ruby/1.8/open-uri.rb:168:in `catch'
from e:/ruby/lib/ruby/1.8/open-uri.rb:168:in `open_loop'
from e:/ruby/lib/ruby/1.8/open-uri.rb:138:in `open_uri'
from e:/ruby/lib/ruby/1.8/open-uri.rb:545:in `open'
from e:/ruby/lib/ruby/1.8/open-uri.rb:30:in `open'
from (irb):7
 
Ck Tricky

So basically if you are using ruby 1.8.6 (for me I'm using it on
BackTrack3) you simply omit the 'http.enable_post_connection_check =
true' from the code mentioned above and also remove
'sock.post_connection_check(target_host)'.
That's it! I am using open-uri just fine now to push through multiple
URLs from an input file out to my local proxy in order to build a site
map via BurpSuite.
 
