Handle SSL certificate chains where not all certs will verify, but th…

…ere is some chain between the client's trusted certs and the server's leaf cert; to handle how Let's Encrypt certificates work
faye · Mar 22, 2023 · d9428fa · d9428fa
1 parent 4263db1
commit d9428fa
Showing 1 changed file with 8 additions and 5 deletions.
diff --git a/lib/faye/websocket/ssl_verifier.rb b/lib/faye/websocket/ssl_verifier.rb
@@ -42,21 +42,24 @@ def ssl_verify_peer(cert_text)
         return true unless should_verify?
 
         certificate = parse_cert(cert_text)
-        return false unless certificate
-
-        unless @cert_store.verify(certificate)
-          raise SSLError, "Unable to verify the server certificate for '#{ @hostname }'"
+        unless certificate
+          raise SSLError, "Unable to parse SSL certificate for '#{ @hostname }'"
         end
 
-        store_cert(certificate)
         @last_cert = certificate
+        @last_cert_verified = @cert_store.verify(certificate)
+        store_cert(certificate) if @last_cert_verified
 
         true
       end
 
       def ssl_handshake_completed
         return unless should_verify?
 
+        unless @last_cert_verified
+          raise SSLError, "Unable to verify the server certificate for '#{ @hostname }'"
+        end
+
         unless identity_verified?
           raise SSLError, "Host '#{ @hostname }' does not match the server certificate"
         end