Issue #14377 has been reported by graywolf (Gray Wolf).

----------------------------------------
Bug #14377: OpenSSL::X509::Store#verify_callback= doesn't seem to work as expected
https://bugs.ruby-lang.org/issues/14377

* Author: graywolf (Gray Wolf)
* Status: Open
* Priority: Normal
* Assignee: 
* Target version: 
* ruby -v: ruby 2.6.0dev (2018-01-20 trunk 61969) [x86_64-linux]
* Backport: 2.3: UNKNOWN, 2.4: UNKNOWN, 2.5: UNKNOWN
----------------------------------------
I'm trying to use `OpenSSL::X509::Store#verify_callback=` to ignore all errors during certificate validation, which according to `man SSL_CTX_set_verify` should be possible:

> If verify_callback always returns 1, the TLS/SSL handshake will not be
> terminated with respect to verification failures and the connection will
> be established.

However, when I try to use the simplest possible callback satisfying the condition above

	# always report success, regardless of the preverify result
	cert_store.verify_callback = lambda do |preverify_ok, store_ctx|
		true
	end

ruby still throws an exception about the certificate being invalid:

	$ ~/ruby_debug/bin/ruby server.rb 
	Traceback (most recent call last):
		1: from server.rb:24:in `<main>'
	server.rb:24:in `accept': SSL_accept returned=1 errno=0 state=error: certificate verify failed (self signed certificate) (OpenSSL::SSL::SSLError)

and the client:

	$ ~/ruby_debug/bin/ruby client.rb 
	Traceback (most recent call last):
		1: from client.rb:20:in `<main>'
	client.rb:20:in `connect': SSL_connect returned=1 errno=0 state=SSLv3/TLS write finished: tlsv1 alert unknown ca (OpenSSL::SSL::SSLError)

Both `server.rb` and `client.rb` are attached.


---Files--------------------------------
client.rb (533 Bytes)
server.rb (709 Bytes)
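
The callback mechanics the report relies on, exercised through `OpenSSL::X509::Store#verify` instead of a TLS handshake, as an added example that is not part of the report or its attached scripts (the self-signed certificate is constructed inline; `build_self_signed_cert` and `verify_with_store` are names chosen here). The callback records every invocation so a verification failure can be logged, and the `override:` variant shows what an always-true callback does to the store's verdict.

```ruby
require "openssl"

# Constructed test certificate: self-signed, so no store trusts it by default.
def build_self_signed_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=selfsigned.test")
  cert.issuer = cert.subject
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Verify +cert+ against a fresh X509::Store. Store#verify runs the store's
# verify_callback, which here records [preverify_ok, error string] for every
# call so a failure can be logged, and then either passes OpenSSL's verdict
# through unchanged or (override: true, the report's lambda) returns true,
# which makes the store report success for a certificate it never trusted.
def verify_with_store(cert, trusted: false, override: false)
  store = OpenSSL::X509::Store.new
  store.add_cert(cert) if trusted
  events = []
  store.verify_callback = lambda do |preverify_ok, ctx|
    events << [preverify_ok, ctx.error_string]
    override ? true : preverify_ok
  end
  ok = store.verify(cert)
  { ok: ok, error: store.error, error_string: store.error_string, events: events }
end

if $PROGRAM_NAME == __FILE__
  cert = build_self_signed_cert
  p verify_with_store(cert)                  # untrusted: ok false, self-signed error
  p verify_with_store(cert, trusted: true)   # trusted: ok true, error 0
  p verify_with_store(cert, override: true)  # always-true callback: ok true anyway
end
```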

