rack-proxy icon indicating copy to clipboard operation
rack-proxy copied to clipboard
verified publisher icon ncr

Please let's never default to OpenSSL::SSL::VERIFY_NONE

Open oskarpearson opened this issue 2 years ago • 2 comments

Hi folks

The logic about ssl certificate verification in https://github.com/ncr/rack-proxy/blob/ce04ba5a15dd0c32d3f1b223fc980e3210f8008e/lib/rack/proxy.rb is pretty confusing.

There are two variables interacting - ssl_verify_none and verify_mode. imho we should only have one. Or are they doing different things entirely?

https://github.com/ncr/rack-proxy#using-ssltls-certificates-with-http-connection doesn't specifically make it clear that unless you supply verify_mode: OpenSSL::SSL::VERIFY_PEER it'll default to OpenSSL::SSL::VERIFY_NONE which is a really bad default. At least, that's my reading of the code!

Context: http://www.rubyinside.com/how-to-cure-nethttps-risky-default-https-behavior-4010.html

oskarpearson avatar Feb 21 '23 21:02 oskarpearson

At the very least I'd propose changing OpenSSL::SSL::VERIFY_NONE in the two places it's used in proxy.rb to refer to OpenSSL::SSL::VERIFY_NONE

oskarpearson avatar Feb 21 '23 21:02 oskarpearson

@ncr - not sure if you've had a look at this?

oskarpearson avatar Apr 17 '23 12:04 oskarpearson