Jorge Daniel Sampayo Vargas edited this page Sep 26, 2023 · 19 revisions

The HTTP gem supports HTTPS via Ruby's built-in OpenSSL module. Unlike certain other Ruby HTTP clients, all you have to do in order to use HTTPS is pass in an https://-prefixed URL. That's it!

Client Certificates

To use client certificates, you can pass in a custom OpenSSL::SSL::SSLContext object containing the certificates you wish to use:

HTTP.get("https://example.com", ssl_context: OpenSSL::SSL::SSLContext.new.tap do |ctx|
  ctx.set_params(
    cert: OpenSSL::X509::Certificate.new(File.read("client.crt")),
    key:  OpenSSL::PKey::RSA.new(File.read("client.key"))
  )
end)

Handling Multiple Certificates in a PEM File

If your PEM file contains multiple certificates (e.g., root and intermediate certificates), you need to separate them to set up a correct SSL context:

bundle = File.read("path_to_your_fullchain.pem")
certificate_content_regex = /-----BEGIN CERTIFICATE-----(?:.|\n)+?-----END CERTIFICATE-----/
certs = bundle.scan(certificate_content_regex).map { OpenSSL::X509::Certificate.new(_1) }

ssl_context = OpenSSL::SSL::SSLContext.new.tap do |ctx|
  ctx.set_params(
    cert: certs.shift,  # The first certificate in the file: the leaf certificate that matches the private key
    key:  OpenSSL::PKey::RSA.new(File.read("path_to_your_private_key.pem")),
    extra_chain_cert: certs  # The intermediate certificates
  )
end

HTTP.get("https://example.com", ssl_context: ssl_context)

This ensures that the full certificate chain is presented during the SSL/TLS handshake, meeting the requirements of some servers.
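The snippet above assumes the certificate matching the private key comes first in the file. The following added example (not part of the original page or of the HTTP gem) picks the leaf by checking each certificate against the key and orders the rest by issuer. The helper names `split_bundle`, `client_context`, `issue` and `constructed_bundle` are hypothetical, and the certificates are throwaway ones generated in-process.

```ruby
require "openssl"

CERT_RE = /-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m

# Returns [leaf, chain]. The leaf is whichever certificate matches `key`, so
# file order is not trusted; the chain is ordered by following issuer names,
# and certificates unrelated to the leaf are left out.
def split_bundle(pem, key)
  certs = pem.scan(CERT_RE).map { |c| OpenSSL::X509::Certificate.new(c) }
  leaf = certs.find { |c| c.check_private_key(key) }
  raise ArgumentError, "no certificate in the bundle matches the key" unless leaf
  rest = certs.reject { |c| c.equal?(leaf) }
  chain, current = [], leaf
  while (issuer = rest.find { |c| c.subject.to_s == current.issuer.to_s })
    rest.delete_if { |c| c.equal?(issuer) }
    chain << (current = issuer)
  end
  [leaf, chain]
end

# Same SSLContext shape as on this page, built from the sorted bundle.
def client_context(pem, key)
  leaf, chain = split_bundle(pem, key)
  OpenSSL::SSL::SSLContext.new.tap do |ctx|
    ctx.set_params(cert: leaf, key: key, extra_chain_cert: chain)
  end
end

# Constructed sample data: a throwaway root -> intermediate -> leaf hierarchy.
def issue(cn, key, issuer_cert = nil, issuer_key = key)
  OpenSSL::X509::Certificate.new.tap do |c|
    c.serial = rand(1..2**31)
    c.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
    c.issuer = issuer_cert ? issuer_cert.subject : c.subject
    c.public_key = key.public_key
    c.not_before = Time.now - 60
    c.not_after = Time.now + 3600
    c.sign(issuer_key, OpenSSL::Digest.new("SHA256"))
  end
end

def constructed_bundle
  rk, ik, lk = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  root = issue("constructed-root", rk)
  inter = issue("constructed-intermediate", ik, root, rk)
  # Deliberately out of order: the leaf comes last in this bundle.
  pem = [inter, root, issue("constructed-leaf", lk, inter, ik)].map(&:to_pem).join
  [pem, lk]
end
```

The context returned by `client_context` is passed to the gem through the `ssl_context:` option, as in the request above; a key that matches no certificate in the bundle raises `ArgumentError` before any connection is attempted.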

Disabling Certificate Verification (i.e. INSECURE USAGE)

This section describes how to turn off HTTPS security while still pretending to use HTTPS. Please do NOT do this. With certificate verification disabled, HTTPS provides NO SECURITY. We include this information in our documentation extremely reluctantly, after having been asked about it repeatedly.

We do so only because we'd rather have a single, easy-to-grep-for pattern for locating instances where security has been explicitly disabled, and furthermore use one people are already looking for, i.e. VERIFY_NONE.

Here is how to create an OpenSSL::SSL::SSLContext with certificate verification disabled and pass it to a request method:

ctx = OpenSSL::SSL::SSLContext.new
ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE

HTTP.get("https://www.google.com", :ssl_context => ctx)