Issue #3150 has been updated by Hiroshi Nakamura.

Category set to ext
Status changed from Assigned to Third Party's Issue
Priority changed from High to Normal

Finally I found that Apple ships patched version of OpenSSL.

http://www.opensource.apple.com/source/OpenSSL098/OpenSSL098-27/src/crypto/x509/x509_vfy_apple.h
    /*
     * X509_verify_cert
     *
     * Originally located in x509_vfy.c.
     *
     * Verify certificate with OpenSSL created X509_verify_cert. If and only if
     * OpenSSL cannot get certificate issuer locally then OS X security API will
     * verify the certificate, using TrustEvaluationAgent.
     *
     * Return values:
     * --------------
     * -1: Null was passed for either ctx or ctx->cert.
     *  0: Certificate is trusted.
     *  1: Certificate is not trusted.
     */
    int X509_verify_cert(X509_STORE_CTX *ctx);

So, with the OpenSSL on Show Leopard, a certificate is trusted if the certificate is trusted by system even if you don't set proper SSL_CERT_DIR.

You can see the original report have a verify callback and it reports 'false'. Here's what x509_apply_vfy.c is doing:

http://www.opensource.apple.com/source/OpenSSL098/OpenSSL098-27/src/crypto/x509/x509_vfy_apple.c
	/* Try OpenSSL, if we get a local certificate issue verify against trusted roots */
	ret = X509_verify_cert_orig(ctx);
	if (ret != 1 && (ctx->error & X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY)) {
            ...

So even though you return false from verify_callback, it could be trusted by system if the reason is X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY.

I close this as 'Third Party's Issue.' Yes, it's an *issue* of Snow Leopard.

Please let me know if I am wrong. I'll reopen this.
----------------------------------------
Bug #3150: net/https peer verification doesn't do anything
http://redmine.ruby-lang.org/issues/3150

Author: Hongli Lai
Status: Third Party's Issue
Priority: Normal
Assignee: Hiroshi Nakamura
Category: ext
Target version: 1.9.3
ruby -v: ruby 1.8.7 (2009-06-08 patchlevel 173) [universal-darwin10.0]


=begin
 Setting verify_mode to VERIFY_PEER should make net/https raise an exception if peer certificate verification fails. For example:
 
    require 'net/http'
    require 'net/https'
    require 'openssl'
 
    url = URI.parse("https://bugzilla.redhat.com/")
    http = Net::HTTP.new(url.host, url.port)
    http.use_ssl = true
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
 
    http.verify_callback = proc do |preverify_ok, ssl_context|
      puts "verification succeeded: #{preverify_ok}"
    end
 
    request = Net::HTTP::Get.new(url.path)
    response = http.request(request)   # Should raise error
 
 Expected output:
 
    $ ruby ssltest.rb 
    verification succeeded: false
    .../lib/ruby/1.8/net/http.rb:586:in `connect': certificate verify failed (OpenSSL::SSL::SSLError)
 
 Actual output:
 
    $ ruby ssltest.rb
    verification succeeded: false
    (no exception raised)
 
 Either net/https is broken, or OpenSSL is broken, or OpenSSL changed some default behavior.
 I can reproduce the problem OS X Snow Leopard with OpenSSL 0.9.8k and the following Ruby versions:
 - ruby 1.8.6 (2010-02-05 patchlevel 399) [i686-darwin10.3.0]
 - ruby 1.8.7 (2009-06-08 patchlevel 173) [universal-darwin10.0]
 - ruby 1.9.1p376 (2009-12-07 revision 26041) [i386-darwin10.2.0]
 - ruby 1.9.2dev (2010-04-09 trunk 27271) [x86_64-darwin10.3.0]
 
 The problem does not occur on Debian Linux 5 with OpenSSL 0.9.8g and the following Ruby versions:
 - ruby 1.8.6 (2008-08-11 patchlevel 287) [i686-linux]
 
 I don't know whether 1.8.6-p287 exhibits the problem on Snow Leopard, it fails to compile with the following errors:
 
 gcc -I. -I../.. -I../../. -I../.././ext/openssl -DRUBY_EXTCONF_H=\"extconf.h\"   -fno-common -g -O2 -pipe -fno-common  -c openssl_missing.c
 In file included from openssl_missing.c:22:
 openssl_missing.h:123: error: conflicting types for 'BN_rand_range'
 /usr/include/openssl/bn.h:411: error: previous declaration of 'BN_rand_range' was here
 openssl_missing.h:124: error: conflicting types for 'BN_pseudo_rand_range'
 /usr/include/openssl/bn.h:412: error: previous declaration of 'BN_pseudo_rand_range' was here
=end



-- 
http://redmine.ruby-lang.org