
2.7. SSL in Ruby

Ruby uses the OpenSSL implementation of common cryptographic primitives, which is accessible through the OpenSSL module included in the standard library. This module is in turn used by other parts of the standard library to manage SSL, including Net::HTTP, Net::POP, Net::IMAP, Net::SMTP and others.
There are four valid verification modes: VERIFY_NONE, VERIFY_PEER, VERIFY_FAIL_IF_NO_PEER_CERT and VERIFY_CLIENT_ONCE. These correspond to the underlying OpenSSL modes.
An SSL connection can be created using the OpenSSL module directly:
>> require 'openssl'
=> true
>> require 'socket'
=> true
>> tcp_client = TCPSocket.new 'redhat.com', 443
=> #<TCPSocket:fd 5>
>> ssl_context = OpenSSL::SSL::SSLContext.new
=> #<OpenSSL::SSL::SSLContext:0x00000000fcf918>
>> ssl_context.set_params
=> {:ssl_version=>"SSLv23", :verify_mode=>1, :ciphers=>"ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW", :options=>-2147480585}
>> ssl_client = OpenSSL::SSL::SSLSocket.new tcp_client, ssl_context
=> #<OpenSSL::SSL::SSLSocket:0x0000000106a418>
>> ssl_client.connect
=> #<OpenSSL::SSL::SSLSocket:0x0000000106a418>
Note the call to ssl_context.set_params: when a context is created, all of its instance variables are nil. Before the context is used, set_params should be called to initialize them (when called without an argument, the default parameters are chosen). If this call is omitted and the variables are left uninitialized, certificate verification is not performed at all, which is effectively the same as VERIFY_NONE mode. The default parameters are stored in the constant:
>> OpenSSL::SSL::SSLContext::DEFAULT_PARAMS
=> {:ssl_version=>"SSLv23", :verify_mode=>1, :ciphers=>"ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW", :options=>-2147480585}
One of the side effects of set_params is that it also sets up the certificate store with the certificates from the default certificate area (see Section 2.7.1, “Certificate store” below):
>> ssl_context.cert_store
=> nil
>> ssl_context.set_params
=> {:ssl_version=>"SSLv23", :verify_mode=>1, :ciphers=>"ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW", :options=>-2147480585}
>> ssl_context.cert_store
=> #<OpenSSL::X509::Store:0x00000000fea740>