
Fix SSL verify mode #320

Merged
merged 2 commits into from
Oct 15, 2015

Conversation

jondeandres
Contributor

No description provided.

mcmillan and others added 2 commits October 7, 2015 03:14
At the moment, when connecting over HTTPS to Rollbar (the default, rightly so) and `use_eventmachine` is set to `false` (the default), `Net::HTTP`'s `verify_mode` is set to `OpenSSL::SSL::VERIFY_NONE`. This effectively means that the Rollbar gem doesn't validate whether or not the Rollbar endpoint it's talking to has a valid SSL certificate. This makes the Rollbar gem susceptible to MITM attacks.

The implications of this are obviously significant; sensitive data is often (intentionally or otherwise) transmitted as part of exception data which could be intercepted by a malicious third-party and tampered with. If a developer has Rollbar notifications switched on in their development environment and they're building a sweet new application in a coffee shop with insecure wifi, it's perfectly possible for an attacker to steal their exception data and do something nasty.

This changes the `verify_mode` to be `OpenSSL::SSL::VERIFY_PEER`, which will verify that the Rollbar endpoint that data is being sent to has a valid SSL certificate before transmitting data across.
This is just needed for tests in 1.8.7 because OpenSSL on that version
doesn't allow sending the requests without it.
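Added example (not code from this PR or the rollbar-gem project): the pre-fix and post-fix `Net::HTTP` configuration the commit message describes, side by side, plus a small audit helper that flags the unsafe setting. The endpoint URL and the function names are assumptions; nothing is sent, since `Net::HTTP` only opens the socket on `#start`/`#request`.

```ruby
require 'net/http'
require 'openssl'

# Hypothetical endpoint URL (not taken from the PR); no connection is made.
ROLLBAR_URI = URI('https://api.rollbar.com/api/1/item/')

# Pre-fix configuration described in the commit message: TLS is on, but the
# server certificate is never checked, so any interposed host is accepted.
def build_unverified_client(uri = ROLLBAR_URI)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_NONE
  http
end

# Post-fix configuration: the peer certificate must chain to a trusted CA and
# match the hostname; the system trust store is set explicitly.
def build_verified_client(uri = ROLLBAR_URI)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  store = OpenSSL::X509::Store.new
  store.set_default_paths # OpenSSL's default CA bundle and directory
  http.cert_store = store
  http
end

# Audit helper: returns a list of findings for a configured client, empty when
# the transport settings are acceptable. Suitable as a guard in a test suite.
def tls_findings(http)
  findings = []
  findings << 'plaintext HTTP' unless http.use_ssl?
  case http.verify_mode
  when OpenSSL::SSL::VERIFY_NONE
    findings << 'verify_mode is VERIFY_NONE (certificate not validated)'
  when nil
    findings << 'verify_mode unset (relies on Net::HTTP default)'
  end
  findings
end

if $PROGRAM_NAME == __FILE__
  puts "before fix: #{tls_findings(build_unverified_client).inspect}"
  puts "after fix:  #{tls_findings(build_verified_client).inspect}"
end
```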
@brianr
Member

brianr commented Oct 15, 2015

Nice, tests are passing! Looks good to me.

jondeandres added a commit that referenced this pull request Oct 15, 2015
@jondeandres jondeandres merged commit f97b47a into master Oct 15, 2015
@jondeandres jondeandres deleted the fix-verify_mode branch October 15, 2015 23:18
3 participants