
I'm making an API call out to an OAuth 2.0 provider over SSL. I know that it's been a common practice in Ruby in the past to set Net::HTTP#verify_mode to VERIFY_NONE, which is a bad thing to do. The Ruby libraries I'm using all call back to Faraday, and I have now dug into Faraday where Net::HTTP is configured and seen that in the calls that are being made, #verify_mode is properly set to VERIFY_PEER. What else should I do, if anything, to ensure that the OAuth provider's SSL cert is being properly verified? Is there a good smoke test that can toggle the behavior between acceptance and rejection of the cert?

I am not sure which public key is being used and where it is found in my development environment. The OAuth provider I am using is Google, and a previous post suggests that Mac patches OpenSSL to hook into the keychain and use Equifax Secure Certificate Authority. While toggling the trust mode of this cert does change the behavior of Chrome when there is a callback redirect, it does not lead to an exception in the Ruby code that initiated the API call, so I suspect a different key is being used for the initial call.

Eric Walker
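A smoke test of the kind the question asks for, added here as an example (it is not code from the question or from Faraday): a constructed self-signed certificate is served from a local TLS listener and fetched with the same VERIFY_PEER setup Faraday ends up with, once against Ruby's default trust store and once against a store that contains the cert. The names `make_self_signed_cert`, `start_tls_server` and `smoke_test`, and the use of 127.0.0.1, are assumptions made for the demonstration.

```ruby
require 'net/http'
require 'openssl'
require 'socket'

# Constructed fixture: self-signed cert for 127.0.0.1 so the test runs offline.
def make_self_signed_cert
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=localhost')
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('subjectAltName', 'DNS:localhost,IP:127.0.0.1'))
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Minimal HTTPS server on an ephemeral port, answering from a background thread.
def start_tls_server(cert, key)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert, ctx.key = cert, key
  tcp = TCPServer.new('127.0.0.1', 0)
  ssl = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  Thread.new do
    loop do
      conn = ssl.accept
      conn.gets # request line; the rest of the request is irrelevant here
      conn.write "HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok"
      conn.close
    rescue StandardError
      # handshake aborted by a client that rejected our cert; keep serving
    end
  end
  tcp.addr[1]
end

# Same client setup Faraday's Net::HTTP adapter arrives at (VERIFY_PEER), with an
# explicit trust store; Ruby's default one is OpenSSL::X509::DEFAULT_CERT_FILE.
def smoke_test(port, store)
  http = Net::HTTP.new('127.0.0.1', port, nil) # nil: ignore proxy env vars
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.cert_store = store
  http.open_timeout = http.read_timeout = 5
  http.get('/').code == '200' ? :accepted : :rejected
rescue OpenSSL::SSL::SSLError
  :rejected
end
```

Against the default store the call must come back `:rejected` and against a store holding the cert `:accepted`; a client that reports `:accepted` against the default store is the sign that verification is not actually in effect.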

0 Answers