How to bypass SSL certificate verification in open-uri?
Warning, do not do this in production, you are disabling SSL completely this way.
If you really don't want the additional security of using certificate verification, and can upgrade to Ruby 1.9.3p327+, you can pass the ssl_verify_mode
option to the open
method. Here for example is how I'm doing it:
request_uri=URI.parse('myuri?that_has=params&encoded=in_it&optionally=1')
# The params incidentally are available as a String, via request_uri.query
output = open(request_uri, {ssl_verify_mode: OpenSSL::SSL::VERIFY_NONE})
obj = JSON.parse output.readlines.join("")
it's good (it may spawn uninitialized constant OpenSSL (NameError)
) to put require 'openssl' before that line, so
app/config/initializers/bypass_ssl_verification_for_open_uri.rb (filename of initializer doesn' matter)
require 'openssl'
OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE
Found it out myself now: I used the dirty hack, which works fine for me.
I had to put it into: yourrailsapp/initalizers/
There I created a bypass_ssl_verification_for_open_uri.rb
And put:
OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE
As you mentioned yourself, this is a dirty hack. Obviously, disabling SSL certificate verification is not a good idea.
There is a very helpful article by Mislav Marohnić, which goes into great detail why this is bad and how to address this properly.
In summary, you mostly get the SSL verify error if:
- the certificate is valid, but your system does not have the necessary root certificate for verification.
- the certificate is self-signed, e.g. in your company and you need to trust it
- you're subject to a man-in-the-middle attack
For me the first case applied, and simply updating the ca-certificates package on my Ubuntu system did the trick.
A great tool to track down your SSL error is the ssl doctor script.