@ngsikai ngsikai commented Oct 14, 2025

Summary

Currently, when calling an API using HTTParty and facing a certificate error, we see a log like this: OpenSSL::SSL::SSLError, SSL_connect returned=1 errno=0 peeraddr=<ip_address>:443 state=error: certificate verify failed (unable to get issuer certificate).

In a bid to get more verbose logs that specify which certificate is failing verification, we found a thread here that suggested using the verify_callback option of Net::HTTP, which acts as a hook for adding custom logic, like logging more details about which cert failed, the cert issuer, etc.

This is an example implementation we have for the block which enables us to get more logs when an SSL verification failure happens:

def verify_callback_lambda
  lambda do |verify_ok, store_context|
    # Log details only when OpenSSL has already rejected this certificate.
    unless verify_ok
      failed_cert = store_context.current_cert
      failed_cert_reason = format('%d: %s', store_context.error, store_context.error_string)
      error_message = 'SSL verification failed for certificate:  ' \
                      "subject: #{failed_cert.subject} " \
                      "issuer: #{failed_cert.issuer} " \
                      "error code: #{failed_cert_reason}"
      log(error_message)
    end
    # Pass OpenSSL's verdict through unchanged.
    verify_ok
  end
end

Technical implementation

It is a simple addition to the list of https options we are passing in through the attach_ssl_certificates method.
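Added example (not code from this PR or from HTTParty): the same callback shape run offline through OpenSSL::X509::Store#verify against a constructed three-certificate chain, showing which certificate and error code the callback reports when the trust store lacks the root or the intermediate. The make_cert and diagnose helpers and all certificate names are assumptions made for the illustration.

```ruby
require 'openssl'

# Build a throwaway certificate (constructed sample data); self-signed when no issuer is given.
def make_cert(cn, key, serial, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ext = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ext.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
end

# Verify leaf against a trust store and record what the verify callback sees.
def diagnose(leaf, trusted:, untrusted: [])
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  failures = []
  ok = store.verify(leaf, untrusted) do |verify_ok, ctx|
    unless verify_ok
      failures << { subject: ctx.current_cert.subject.to_s,
                    issuer: ctx.current_cert.issuer.to_s,
                    code: ctx.error, reason: ctx.error_string,
                    depth: ctx.error_depth }
    end
    verify_ok # returning true here would accept the rejected chain
  end
  [ok, failures]
end

keys = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
ROOT = make_cert('Example Root CA', keys[0], 1, ca: true)
INTER = make_cert('Example Intermediate CA', keys[1], 2, issuer: ROOT, issuer_key: keys[0], ca: true)
LEAF = make_cert('api.example.test', keys[2], 3, issuer: INTER, issuer_key: keys[1])

{ 'complete chain' => { trusted: [ROOT], untrusted: [INTER] },
  'root missing from trust store' => { trusted: [INTER] },
  'intermediate not available' => { trusted: [ROOT] } }.each do |label, opts|
  ok, failures = diagnose(LEAF, **opts)
  puts "#{label}: verified=#{ok}"
  failures.each { |f| puts "  depth #{f[:depth]} #{f[:subject]} (issuer #{f[:issuer]}): #{f[:code]}: #{f[:reason]}" }
end
```

The "root missing" case reports the intermediate, not the leaf, as the failing certificate, which is the detail the bare SSLError message leaves out.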

ngsikai commented Oct 14, 2025

Hi @jnunemaker, we have this monkeypatched in our app currently and no issues faced so far. Let me know if there are any further updates needed. 🙏
