Why don't I need to specify a CA bundle to Net::HTTP SSL requests?

Question

A lot of what I've seen around SO and blog posts is that

1. By default, Net::HTTP does not verify peer SSL certificates
2. To force Net::HTTP to verify peer, you need to to it too and supply a CA cert file containing trusted authorities

However, I've found that this is not completely necessary. On my Mac, I have the following code

http = Net::HTTP.new('www.google.com', 443)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
http.start do
  http.request_get('/') do |response|
    puts response.body
  end
end

This works. But what is Ruby using to verify the peer with? When I look at the output of http.ca_path and http.ca_file they are both blank.

I'm running this code in Ruby 1.9.3p374. Perhaps when Ruby was compiled on my Mac, it pulled in some default location of CA cert chains from openssl or something?

Answer 1

It looks like if no verify callback is set then OpenSSL library default callback is used. See line 217 in the openssl module verify callback wrapper (the ok argument is the result of the default callback).

On OS X, Apple has apparently customized the default callback in their OpenSSL library to hook in to the OS X Keychain facility. The root CA of Google's certificate is Equifax Secure Certificate Authority. If you change the trust setting in Keychain (e.g. using the Keychain Access utility) for this CA then your ruby test behaves accordingly.

I believe the answer to your question is that when peer certificate verification is required but not configured, the ruby shipped with OS X verifies using Keychain.