For a project, we are considering a little-less-than-trivial HTTPS
setup for communication between components. Amongst other things, we
need RoR to consume a REST interface implemented by a Java servlet.
For reasons beyond the scope of this post, we need the client to
validate the server not against the DNS name of the server but on some
application specific "Common Name" in the server certificate.
That's why I was examining today exactly how an ActiveResource client
in RoR handles server verification. I was suprised to see that there
is no validation at all
From the file connection.rb of the ActiveResource source (I checked
both version 2.0.2 and 2.1.0)
http = Net::HTTP.new(@site.host, @site.port)
http.use_ssl = @site.is_a?(URI::HTTPS)
http.verify_mode = OpenSSL::SSL::VERIFY_NONE if http.use_ssl
http.read_timeout = @timeout if @timeout # If timeout is not
set, the default Net::HTTP timeout (60s) is used.
This function seems to be called each time a request is made to the
server. If SSL is used, it sets verify_mode to VERIFY_NONE.
Furhtermore, I could not find method or property to override this
The file base.rb in ActiveResource states:
# For obvious security reasons, it is probably best if such services
# over HTTPS.
Without server verification, however, it seems to me that not much
security is left. RoR applications acting as a REST client using
ActiveResource could easily be lured into disclosing sensitive
information to impersonated servers.
Is this indeed to be considered a security flaw in ActiveResource or
am I missing something?