Issue #14848 has been updated by jeremyevans0 (Jeremy Evans).

Status changed from Open to Rejected

I believe this is expected behavior and not a bug.  From the man page for `SSL_CTX_set_verify` (https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_verify.html):

```
The verify_callback function is used to control the behaviour when the SSL_VERIFY_PEER flag is set.
```

Basically, if you are not using `SSL_VERIFY_PEER`, then the `verify_callback` result is not used to make a decision on whether to accept the certificate.  The fact that the `verify_callback` is called even if `SSL_VERIFY_PEER` is not set appears to be also implied in the man page.

If you would like this changed, you would have to work with OpenSSL and the various forks to get them to change the behavior of the `SSL_CTX_set_verify` function, which seems unlikely.

----------------------------------------
Bug #14848: Net/HTTP doesn't take verify_callback into account when OpenSSL::SSL::VERIFY_NONE
https://bugs.ruby-lang.org/issues/14848#change-78739

* Author: aeris (Nicolas Vinot)
* Status: Rejected
* Priority: Normal
* Assignee: 
* Target version: 
* ruby -v: ruby 2.5.1p57 (2018-03-29 revision 63029) [x86_64-linux]
* Backport: 2.3: UNKNOWN, 2.4: UNKNOWN, 2.5: UNKNOWN
----------------------------------------
Hi,

In (at least) net/http, the TLS connection is OK even if `verify_callback` returns `false`, when `verify_mode` is set to `OpenSSL::SSL::VERIFY_NONE`.
The callback is really called, but the TLS handshake is not stopped.

Use case: self-signed certificate (so implying `VERIFY_NONE`) but direct key pinning for trust (implying `verify_callback`).

Enclosed with this ticket is an example to reproduce the trouble.
For me, because `verify_callback` returns `false` in all cases, none of the connections should succeed.

---Files--------------------------------
verify_callback.rb (394 Bytes)
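The following is an added example, written for this page and not the ticket's attached `verify_callback.rb` or code from Ruby's openssl library. It generates a throwaway self-signed certificate, serves it on a loopback port, and connects four times: the ticket's always-refusing callback under `VERIFY_NONE`, a public-key pin that does not match under `VERIFY_NONE`, and a matching and a non-matching pin under `VERIFY_PEER`. It uses a raw `OpenSSL::SSL::SSLSocket` rather than `Net::HTTP` so it runs offline; `Net::HTTP` passes `verify_mode` and `verify_callback` to the same `SSLContext`, so its outcome is the same. The helper names (`run_scenario`, `pinning_callback`, `spki_sha256`), the constructed certificate and the pin values are this example's own.

```ruby
require "openssl"
require "socket"

# Throwaway self-signed certificate for a loopback test server.  Constructed
# here for the example; it is not the certificate from the ticket's attachment.
def make_self_signed_cert
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=localhost")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [key, cert]
end

# SHA-256 of the SubjectPublicKeyInfo: the value a public-key pin compares against.
def spki_sha256(cert)
  OpenSSL::Digest::SHA256.hexdigest(cert.public_key.to_der)
end

# The ticket's callback: refuse every certificate, whatever OpenSSL decided.
ALWAYS_REFUSE = proc { |_preverify_ok, _store_ctx| false }

# Pinning callback for a self-signed peer: the only certificate in play is the
# leaf at depth 0, so compare its SPKI hash with the expected pin.  Returning
# true overrides OpenSSL's own verdict (e.g. "self signed certificate");
# returning false fails the handshake, but only under VERIFY_PEER.
def pinning_callback(expected_pin)
  proc do |_preverify_ok, store_ctx|
    store_ctx.error_depth == 0 && spki_sha256(store_ctx.current_cert) == expected_pin
  end
end

# Serve exactly one TLS connection, then stop.  A handshake aborted by the
# client is expected in the rejecting scenarios, so it is swallowed here.
def serve_one(tcp, key, cert)
  sctx = OpenSSL::SSL::SSLContext.new
  sctx.cert = cert
  sctx.key  = key
  conn = OpenSSL::SSL::SSLServer.new(tcp, sctx).accept
  conn.puts "hello"
  conn.close
rescue OpenSSL::SSL::SSLError, SystemCallError, IOError
  nil
end

# Connect with the given verify settings and report whether the handshake
# completed.  These are the same two settings Net::HTTP exposes.
def tls_connect(port, verify_mode, callback)
  cctx = OpenSSL::SSL::SSLContext.new
  cctx.verify_mode     = verify_mode
  cctx.verify_callback = callback
  tcp = TCPSocket.new("127.0.0.1", port)
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, cctx)
  ssl.connect
  ssl.close
  :accepted
rescue OpenSSL::SSL::SSLError
  :rejected
ensure
  tcp.close if tcp && !tcp.closed?
end

# Run one client/server round on a fresh loopback port.
def run_scenario(key, cert, verify_mode, callback)
  tcp    = TCPServer.new("127.0.0.1", 0)
  server = Thread.new { serve_one(tcp, key, cert) }
  result = tls_connect(tcp.addr[1], verify_mode, callback)
  server.join(5)
  tcp.close unless tcp.closed?
  result
end

# The four combinations the ticket is about, keyed by a short label.
def verify_results
  key, cert = make_self_signed_cert
  good_pin = spki_sha256(cert)
  bad_pin  = "0" * 64 # constructed pin that cannot match any real key
  {
    none_refuse:   run_scenario(key, cert, OpenSSL::SSL::VERIFY_NONE, ALWAYS_REFUSE),
    none_bad_pin:  run_scenario(key, cert, OpenSSL::SSL::VERIFY_NONE, pinning_callback(bad_pin)),
    peer_good_pin: run_scenario(key, cert, OpenSSL::SSL::VERIFY_PEER, pinning_callback(good_pin)),
    peer_bad_pin:  run_scenario(key, cert, OpenSSL::SSL::VERIFY_PEER, pinning_callback(bad_pin)),
  }
end

if __FILE__ == $PROGRAM_NAME
  verify_results.each { |label, outcome| puts "#{label}: #{outcome}" }
end
```

Both `VERIFY_NONE` rounds complete the handshake even though the callback said no, which is the ticket's observation; the `VERIFY_PEER` rounds are the ones where the callback's answer decides. So for the self-signed-plus-pinning use case the working configuration is `VERIFY_PEER` with a callback that returns `true` only on a pin match, not `VERIFY_NONE`: the callback's `true` is what overrides the "self signed certificate" error, so no CA store entry is needed. Note that Ruby treats only a literal `true` return as acceptance; any other value, including a truthy string, counts as rejection, which is why the pinning callback returns a boolean.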

