From 0d9d05679247a6e77a24bf19d59035cec872a6f4 Mon Sep 17 00:00:00 2001 From: Eric Wong Date: Wed, 16 Mar 2016 00:34:34 +0000 Subject: doc: recommend "verify_mode: OpenSSL::SSL::VERIFY_NONE" The Ruby default parameters on top of OpenSSL seem designed for client usage. For server usage, requiring client-side certificate verification is uncommon for HTTPS sites. So follow what WEBrick does for HTTPS and use SSL_VERIFY_NONE in our documentation. Thanks-to: Shota Fukumori (sora_h) on the unicorn list: --- Documentation/yahns_config.pod | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'Documentation') diff --git a/Documentation/yahns_config.pod b/Documentation/yahns_config.pod index 1b2595b..d8c6801 100644 --- a/Documentation/yahns_config.pod +++ b/Documentation/yahns_config.pod @@ -446,7 +446,10 @@ An example which seems to work is: ssl_ctx.key = OpenSSL::PKey::RSA.new( IO.read('/etc/ssl/private/example.key') ) - ssl_ctx.set_params # use defaults provided by Ruby on top of OpenSSL + + # use defaults provided by Ruby on top of OpenSSL, + # but disable client certificate verification as it is rare: + ssl_ctx.set_params(verify_mode: OpenSSL::SSL::VERIFY_NONE) app(:rack, "/path/to/my/app/config.ru") do listen 443, ssl_ctx: ssl_ctx -- cgit v1.2.3-24-ge0c7
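Review bot: the comment added above `ssl_ctx.set_params(verify_mode: OpenSSL::SSL::VERIFY_NONE)` should state that this setting is for a server-side context, where `VERIFY_NONE` only means the server does not request a client certificate. As worded ("disable client certificate verification as it is rare"), a reader who copies the line into client code would switch off verification of the server's certificate. Suggested wording: "server-side only: do not request client certificates (rare for HTTPS sites)". It would also help to add one sentence for deployments that do authenticate clients by certificate, telling them to set `verify_mode` to `OpenSSL::SSL::VERIFY_PEER`, OR'ed with `OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT`, and to configure a CA store. Minor: the commit message says `SSL_VERIFY_NONE` while the hunk uses `OpenSSL::SSL::VERIFY_NONE`; using the Ruby constant name in both places would be consistent.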