Security weakness in ActiveResource?

For a project, we are considering a little-less-than-trivial HTTPS setup for communication between components. Amongst other things, we need RoR to consume a REST interface implemented by a Java servlet. For reasons beyond the scope of this post, we need the client to validate the server not against the DNS name of the server but on some application specific "Common Name" in the server certificate.

That's why I was examining today exactly how an ActiveResource client in RoR handles server verification. I was surprised to see that there is no validation at all :(

From the file connection.rb of the ActiveResource source (I checked both version 2.0.2 and 2.1.0)

      def http
        http = Net::HTTP.new(@site.host, @site.port)
        http.use_ssl = @site.is_a?(URI::HTTPS)
        http.verify_mode = OpenSSL::SSL::VERIFY_NONE if http.use_ssl
        http.read_timeout = @timeout if @timeout # If timeout is not set, the default Net::HTTP timeout (60s) is used.
        http
      end

This function seems to be called each time a request is made to the server. If SSL is used, it sets verify_mode to VERIFY_NONE. Furthermore, I could not find a method or property to override this default.

The file base.rb in ActiveResource states:

  # For obvious security reasons, it is probably best if such services are available
  # over HTTPS.

Without server verification, however, it seems to me that not much security is left. RoR applications acting as a REST client using ActiveResource could easily be lured into disclosing sensitive information to impersonated servers.

Is this indeed to be considered a security flaw in ActiveResource or am I missing something?

-- Duco
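The following is an added example, not code from the original post and not ActiveResource's own code. It rewrites the quoted `http` method so that the server certificate is actually verified (VERIFY_PEER against an explicit trust store), and adds the application-specific Common Name check the question asks for in place of the default DNS-name check. The names `verified_http`, `common_name_matches?`, `serve_once`, `fetch_status`, `run_demo` and the CN `inventory-api` are assumptions made for the example; the self-signed certificate and the loopback HTTPS server are constructed fixtures so that it runs offline with nothing but Ruby's standard library.

```ruby
require 'openssl'
require 'net/http'
require 'socket'
require 'uri'

# Hardened equivalent of ActiveResource's Connection#http (example code,
# not ActiveResource's own). ca_store holds the CA(s) we deliberately trust;
# expected_cn is the application-specific Common Name the server must carry.
def verified_http(site, ca_store, expected_cn)
  http = Net::HTTP.new(site.host, site.port)
  http.use_ssl = site.is_a?(URI::HTTPS)
  if http.use_ssl?
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER   # ActiveResource used VERIFY_NONE here
    http.cert_store  = ca_store                     # never the process-wide default store
    # The post wants the CN checked instead of the DNS name, so the default
    # hostname check is switched off and replaced by the callback below.
    http.verify_hostname = false if http.respond_to?(:verify_hostname=)
    # Called once per certificate in the chain. preverify_ok is OpenSSL's own
    # verdict (signature, validity period, trust anchor) and is never overridden;
    # at depth 0 (the server's own certificate) the CN must also match.
    http.verify_callback = lambda do |preverify_ok, store_ctx|
      if !preverify_ok
        false
      elsif store_ctx.error_depth.zero?
        common_name_matches?(store_ctx.current_cert, expected_cn)
      else
        true
      end
    end
  end
  http
end

# Extract the CN from the subject and compare it to the expected value.
def common_name_matches?(cert, expected_cn)
  entry = cert.subject.to_a.find { |name, _value, _type| name == 'CN' }
  !entry.nil? && entry[1] == expected_cn
end

# --- constructed fixture: a self-signed server certificate with the given CN ---
def make_self_signed_cert(cn)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.new([['CN', cn]])
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# --- constructed fixture: a throwaway HTTPS server on a loopback port that
# answers exactly one request, standing in for the Java servlet ---
def serve_once(cert, key)
  tcp  = TCPServer.new('127.0.0.1', 0)
  port = tcp.addr[1]
  ctx  = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key  = key
  ssl = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  thread = Thread.new do
    begin
      conn = ssl.accept                        # raises if the client rejects our cert
      loop { line = conn.gets; break if line.nil? || line == "\r\n" }   # drain request headers
      conn.write "HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok"
      conn.close
    rescue OpenSSL::SSL::SSLError, IOError, SystemCallError
      # client aborted the handshake: the expected outcome for the rejected case
    ensure
      tcp.close
    end
  end
  [port, thread]
end

# Connect with the hardened client: HTTP status on success, :rejected when
# the certificate check fails during the handshake.
def fetch_status(port, ca_store, expected_cn)
  site = URI.parse("https://127.0.0.1:#{port}/")
  verified_http(site, ca_store, expected_cn).start { |h| h.get('/').code }
rescue OpenSSL::SSL::SSLError
  :rejected
end

def run_demo
  cert, key = make_self_signed_cert('inventory-api')
  store = OpenSSL::X509::Store.new
  store.add_cert(cert)                         # trust exactly this server certificate

  port, server = serve_once(cert, key)
  good = fetch_status(port, store, 'inventory-api')   # CN matches: "200"
  server.join

  port, server = serve_once(cert, key)
  bad = fetch_status(port, store, 'billing-api')      # trusted cert, wrong CN: :rejected
  server.join
  [good, bad]
end

puts run_demo.inspect
```

Running it starts the loopback server twice: the first request, expecting the CN the certificate carries, returns status 200; the second, expecting a different CN, fails the handshake and is reported as :rejected even though the certificate is in the trust store. Because the callback only ever narrows `preverify_ok`, a certificate that OpenSSL itself rejects (expired, or signed by an issuer not in `ca_store`) is refused before the CN is compared; disabling `verify_hostname` is only acceptable because that check is replaced by the CN comparison, not dropped.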

duco wrote:

Is this indeed to be considered a security flaw in ActiveResource or am I missing something?

I would definitely consider it a security flaw. It's probably set to not verify so people can use self-signed certs easily. An option to not verify would probably be a good idea (where the default is that it does verify).