Making open-uri play nice with HTTPS and expired certificates

I was using the open-uri library to download HTML in an accessibility test when I found that it does not work well when the remote site has an expired certificate. In that case open-uri raises a “certificate expired” exception. This may be OK as a default behaviour, but there is no option to override the check.

Fortunately, you can easily change the behaviour by editing the open-uri source. On Windows it is located at C:\ruby\lib\ruby\1.8\open-uri.rb, depending on your installation directory of course. Because this edits the shared library file, the change applies to every script on that installation that uses open-uri.

Somewhere around line 232 (in the version distributed in Ruby 1.8.5) you can see the certificate verification mode used:

http.verify_mode = OpenSSL::SSL::VERIFY_PEER

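To skip certificate verification you can change VERIFY_PEER to VERIFY_NONE. VERIFY_NONE turns off all certificate validation, not only the expiry check, so a certificate from an untrusted issuer is accepted as well. The complete section should read: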

if target.class == URI::HTTPS
  require 'net/https'
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_NONE
  store = OpenSSL::X509::Store.new
  store.set_default_paths
  http.cert_store = store
end
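
A narrower alternative, as an added example that is not from the original post or from open-uri itself: keep VERIFY_PEER and set a verify callback on Net::HTTP that forgives only the expired-certificate error, so a certificate from an untrusted issuer is still rejected. The helper names (`client_for`, `self_signed`, `verifies?`) and the self-signed certificates are constructed for illustration, and a current Ruby is assumed.

```ruby
require 'openssl'
require 'net/http'

# Keep VERIFY_PEER and forgive only "certificate has expired".
# The callback must return exactly true or false; any other error
# (untrusted issuer, bad signature, ...) still fails verification.
TOLERATE_EXPIRED = lambda do |preverify_ok, store_ctx|
  preverify_ok || store_ctx.error == OpenSSL::X509::V_ERR_CERT_HAS_EXPIRED
end

# Hypothetical helper: a Net::HTTP client configured for one test target.
def client_for(uri)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.verify_callback = TOLERATE_EXPIRED
  http
end

# Constructed test data: a self-signed certificate with a chosen validity window.
def self_signed(cn, not_before, not_after)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_after
  cert.sign(key, OpenSSL::Digest.new('SHA256')) # returns the certificate
end

# Offline chain validation against a list of trusted certificates.
def verifies?(cert, trusted, callback = nil)
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  store.verify(cert, &callback)
end

now = Time.now
EXPIRED = self_signed('expired.example', now - 172_800, now - 86_400)
CURRENT = self_signed('current.example', now - 3600, now + 3600)

puts verifies?(EXPIRED, [EXPIRED])                    # false: default behaviour
puts verifies?(EXPIRED, [EXPIRED], TOLERATE_EXPIRED)  # true: trusted but expired
puts verifies?(CURRENT, [], TOLERATE_EXPIRED)         # false: issuer not trusted
```

Because the callback is set on a single client object, other HTTPS connections in the same process keep the default checks.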

  • Dyldev

    Nice! It would be great if this was an option though. Are there other verification modes?

  • dominic

    In Ruby 1.9, open-uri has this:

    open(uri,:ssl_verify_mode => OpenSSL::SSL::VERIFY_NONE)

  • Rolf Bjaanes

    To be extremely dirty you can just do this to bypass:

    OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE