I am trying to create a POST request with SSL but without OpenSSL::SSL::VERIFY_NONE, because it opens up security attacks, and without a PEM certificate. But I ran into problems. My Ruby code for sending the POST request:

require 'sinatra'
require 'sinatra/cross_origin'   # provides the cross_origin helper used below
require 'net/http'
require 'openssl'
require 'json'

post '/test/test1' do
  cross_origin
  post_data = request.body.read
  res_Data = JSON.parse(post_data)
  userName = res_Data['username']

  @responseFromServer = ''
  uri = URI('https://test.com/test1')
  # VERIFY_NONE skips server certificate checking; this is the setting in question
  Net::HTTP.start(uri.host, uri.port,
                  :use_ssl => uri.scheme == 'https',
                  :verify_mode => OpenSSL::SSL::VERIFY_NONE) do |http|
    request = Net::HTTP::Post.new uri.request_uri
    request.basic_auth 'aa', 'bb'
    request.body = {'username' => userName}.to_json
    response = http.request request
    @responseFromServer = response.body.to_s
  end
  newJson = JSON.parse(@responseFromServer)

  status_msg = newJson['status']['status_msg']
  if status_msg == "Success"
    return 'true'
  end
  return 'false'
end

This method works, but it uses OpenSSL::SSL::VERIFY_NONE. How do I create a method for sending a POST request without OpenSSL::SSL::VERIFY_NONE and without a PEM certificate?

EDIT

SSL/HTTPS request

Update: There are some good reasons why this code example is bad. It introduces a potential security vulnerability if it's essential you use the server certificate to verify the identity of the server you're connecting to. There's a fix for the issue though!

require "net/https"
require "uri"

uri = URI.parse("https://secure.com/")
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE  # disables server certificate verification (the flaw described above)

request = Net::HTTP::Get.new(uri.request_uri)

response = http.request(request)
response.body
response.code            # HTTP status code as a string, e.g. "200" (Net::HTTPResponse has no #status)
response["header-here"]  # All headers are lowercase

SSL/HTTPS request with PEM certificate

require "net/https"
require "uri"

uri = URI.parse("https://secure.com/")
pem = File.read("/path/to/my.pem")                 # client certificate and its private key in one PEM file
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
http.cert = OpenSSL::X509::Certificate.new(pem)   # client certificate presented to the server
http.key = OpenSSL::PKey::RSA.new(pem)            # matching private key
http.verify_mode = OpenSSL::SSL::VERIFY_PEER      # verify the server's certificate chain

request = Net::HTTP::Get.new(uri.request_uri)

response = http.request(request)

My question: How do I create a POST method without a PEM certificate and without OpenSSL::SSL::VERIFY_NONE?

Taras Kovalenko

  • This might help you: http://stackoverflow.com/questions/1113422/how-to-bypass-ssl-certificate-verification-in-open-uri – karlingen Apr 20 '15 at 08:34
  • @karlingen You mean that I need to use **OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE**? It works, but I need to use a **POST request without OpenSSL::SSL::VERIFY_NONE** – Taras Kovalenko Apr 20 '15 at 08:51
  • @karlingen Or if I use **OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE**, does it solve the security problem? – Taras Kovalenko Apr 20 '15 at 08:58
  • I honestly cannot understand exactly what you are asking. – karlingen Apr 20 '15 at 14:40
  • What are the reasons not to use PEM? – Sir l33tname Apr 21 '15 at 14:26
  • So the question is, do you want to use SSL or not? Because if you do VERIFY_NONE you at least have self-signed certs, though you are still exposed to MiTM attacks. If you do VERIFY_PEER and pass a good cert then you are doing it properly. But from your post you don't want to do either, so I guess that you want your stuff in the clear. – Phobos Apr 21 '15 at 23:51

1 Answer

This question is quite misleading, but I will try my best to figure it out. Here is my advice:

Do you want to connect to a service that is only available through https and you do not care if the certificate is valid?

Then you can use :verify_mode => OpenSSL::SSL::VERIFY_NONE when initializing the Net::HTTP client. You will have some kind of transport security, but you cannot be sure the server you are talking to is the one you think it is. You are vulnerable.

Do you want to connect to a service that is available both through https and http, and you do not care about transport security?

Then you should use the http://... endpoint.

Do you want to connect to a service and you care about transport security?

Then you should definitely use the https://... endpoint. Do not override :verify_mode! If you are getting certificate verification errors, make sure you have the correct Certificate Authority installed on your system.

Overbryd
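The third option above (https endpoint, verify_mode left at VERIFY_PEER, correct CA installed) in working form, as an added example that is not part of the question or the answer. It mirrors the asker's request (basic auth, JSON body, a check on status.status_msg) but keeps certificate verification on, and takes an optional ca_file for the case where the server's CA is not in the system trust store. The endpoint https://test.com/test1, the credentials 'aa'/'bb', and the helper names are assumptions made for this illustration.

```ruby
require 'net/http'
require 'openssl'
require 'json'
require 'uri'

# Added example, not code from the question or answer.
# Build an HTTPS client that verifies the server certificate. VERIFY_PEER is
# already the default for Net::HTTP over SSL, but it is set explicitly so the
# intent is visible. ca_file is only needed when the server uses a private CA
# that is not in the system trust store; it is a PEM bundle of trusted CA certs.
def build_https_client(uri, ca_file: nil)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = (uri.scheme == 'https')
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.ca_file = ca_file if ca_file
  http.open_timeout = 5
  http.read_timeout = 10
  http
end

# Build a JSON POST with HTTP basic auth, as in the question.
def build_post_request(uri, payload, user, password)
  request = Net::HTTP::Post.new(uri.request_uri)
  request.basic_auth(user, password)
  request['Content-Type'] = 'application/json'
  request.body = payload.to_json
  request
end

# Interpret the upstream reply the same way the question does:
# true only when status.status_msg == "Success". Non-JSON or
# unexpected shapes are treated as failure rather than raising.
def success_response?(body)
  parsed = JSON.parse(body)
  parsed.is_a?(Hash) && parsed.dig('status', 'status_msg') == 'Success'
rescue JSON::ParserError
  false
end

# Full round trip. Raises OpenSSL::SSL::SSLError when the server certificate
# does not chain to a trusted CA or does not match the host name; Net::HTTP
# performs the host name check itself whenever verify_mode is not VERIFY_NONE.
def post_username(uri, user_name, user:, password:, ca_file: nil)
  http = build_https_client(uri, ca_file: ca_file)
  request = build_post_request(uri, { 'username' => user_name }, user, password)
  response = http.start { |conn| conn.request(request) }
  success_response?(response.body)
end

if __FILE__ == $PROGRAM_NAME
  # Hypothetical endpoint and credentials taken from the question.
  uri = URI('https://test.com/test1')
  begin
    puts post_username(uri, 'alice', user: 'aa', password: 'bb')
  rescue OpenSSL::SSL::SSLError => e
    # The fix is to install the right CA (system store or ca_file),
    # not to switch to VERIFY_NONE.
    warn "certificate verification failed: #{e.message}"
  rescue StandardError => e
    warn "request failed: #{e.class}: #{e.message}"
  end
end
```

If this raises `certificate verify failed`, the server's chain is not trusted by the CA bundle Net::HTTP is using; point `ca_file` at the correct bundle (or install the CA system-wide) instead of overriding `verify_mode`. Without VERIFY_PEER the connection is still encrypted, but nothing proves that the far end is the host named in the URL.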