#781 ActiveResource should allow SSL verification - Ruby on Rails

Type	To find
responsible:me	tickets assigned to you
tagged:"@high"	tickets tagged @high
milestone:next	tickets in the upcoming milestone
state:invalid	tickets with the state invalid
created:"last week"	tickets created last week
sort:number, importance, updated	tickets sorted by #, importance or updated
Combine keywords for powerful searching.
Use advanced searching »

This project is archived and is in readonly mode.

#781 ✓duplicate

ActiveResource should allow SSL verification

Reported by rcoder | August 8th, 2008 @ 12:33 AM | in 2.x

As shipped right now, all ARes clients are subject to man-in-the-middle attacks by any server claiming to be a trusted API provider. We're using ActiveResource in some security-sensitive internal applications, and the lack of SSL certificate verification is worrisome.

I understand that configuring OpenSSL to properly verify all certificates in an application may be too high a barrier for some applications, but it would be preferable to at least have the option to override the default 'trust anyone' setting made in active_resource/connection.rb.

I've attached a simple patch against the current edge tree as an example; the particular configuration variable name is less important to me than the ability to turn on certificate verification in cases where the certificate infrastructure allows it.

Comments and changes to this ticket

DHH September 10th, 2008 @ 06:09 AM
- State changed from “new” to “incomplete”
I think this is reasonable, but we need tests and documentation.
CancelProfileIsBroken August 3rd, 2009 @ 03:13 PM
- Tag changed from “activeresource, patch, security, ssl” to “activeresource, bugmash, patch, security, ssl”
Jeremy Kemper August 9th, 2009 @ 09:24 PM
- State changed from “incomplete” to “duplicate”
- Tag changed from “activeresource, bugmash, patch, security, ssl” to “activeresource, patch, security, ssl”
#2370