From: Eric Wong <e@80x24.org>
To: yahns-public@yhbt.net
Cc: russm <russm-rubyforge@slofith.org>,
"Shota Fukumori (sora_h)" <her@sorah.jp>
Subject: [PATCH] doc: recommend "verify_mode: OpenSSL::SSL::VERIFY_NONE"
Date: Wed, 16 Mar 2016 00:34:34 +0000
Message-ID: <20160316003434.GA14791@dcvr.yhbt.net>
In-Reply-To: <CA+wiQwtPg9oUqMjNrZhwe7RYB+qquw7QDrBEAfGCcjMQLaeAZQ@mail.gmail.com>

The Ruby default parameters on top of OpenSSL seem designed
for client usage. For server usage, requiring client-side
certificate verification is uncommon for HTTPS sites.

So follow what WEBrick does for HTTPS and use SSL_VERIFY_NONE
in our documentation.

Thanks-to: Shota Fukumori (sora_h) <her@sorah.jp>
  on the unicorn list:
  <CA+wiQwuE=ya6F4s4k3GCTUppk7mbBOYOVwVXhTsX2SP8mgdmNQ@mail.gmail.com>
---
(dropping unicorn-public from Cc: since this patch is for yahns)
Documentation/yahns_config.pod | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/Documentation/yahns_config.pod b/Documentation/yahns_config.pod
index 1b2595b..d8c6801 100644
--- a/Documentation/yahns_config.pod
+++ b/Documentation/yahns_config.pod
@@ -446,7 +446,10 @@ An example which seems to work is:
ssl_ctx.key = OpenSSL::PKey::RSA.new(
IO.read('/etc/ssl/private/example.key')
)
- ssl_ctx.set_params # use defaults provided by Ruby on top of OpenSSL
+
+ # use defaults provided by Ruby on top of OpenSSL,
+ # but disable client certificate verification as it is rare:
+ ssl_ctx.set_params(verify_mode: OpenSSL::SSL::VERIFY_NONE)
app(:rack, "/path/to/my/app/config.ru") do
listen 443, ssl_ctx: ssl_ctx
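
Review bot: the added comment above `ssl_ctx.set_params(verify_mode: OpenSSL::SSL::VERIFY_NONE)` explains why client certificate verification is turned off ("as it is rare") but leaves the reader with no pointer for the case where it is wanted. Since this is the only TLS example in this part of the pod, suggest one more comment line saying that a site which authenticates clients by certificate should pass `verify_mode: OpenSSL::SSL::VERIFY_PEER` (usually OR'd with `OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT`) and set `ca_file` or `cert_store` on the context. It is also worth stating that this setting only governs whether the server asks for and checks a client certificate, so a reader does not mistake `VERIFY_NONE` here for weakening the server's own certificate or the other defaults that `set_params` still applies.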
--
EW
Thread overview: 7+ messages
[not found] <CA+wiQwuE=ya6F4s4k3GCTUppk7mbBOYOVwVXhTsX2SP8mgdmNQ@mail.gmail.com>
2016-03-15 8:58 ` https://unicorn.bogomips.org accepts client certificate? Eric Wong
2016-03-15 9:21 ` Shota Fukumori (sora_h)
2016-03-15 9:43 ` russm
2016-03-15 23:20 ` Shota Fukumori (sora_h)
2016-03-15 23:30 ` Eric Wong
2016-03-15 23:54 ` Shota Fukumori (sora_h)
2016-03-16 0:34 ` Eric Wong [this message]