Net::HTTPS Vulnerability

A vulnerability in the net/https library was reported.

Detailed information should be found at the original advisory: <URL:>


The vulnerability exists in the connect method in the http.rb file, which fails to call post_connection_check after the SSL connection has been negotiated. Because the server certificate's CN is never validated against the requested DNS name, an attacker holding any certificate that chains to a trusted CA can impersonate the target server in an SSL connection. The integrity and confidentiality benefits of SSL are thereby eliminated.
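To make concrete what the skipped check does, here is an added Ruby example (not code from the advisory or from Ruby's net/http): it builds a constructed self-signed certificate for a chosen CN and runs OpenSSL::SSL.verify_certificate_identity, the hostname matching that post_connection_check relies on, raising the same OpenSSL::SSL::SSLError on a mismatch. The helper names are this example's own.

```ruby
require 'openssl'

# Constructed test data: a self-signed certificate whose subject CN is `cn`,
# standing in for the certificate a server presents during the handshake.
def make_cert(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                      # X.509 v3
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject            # self-signed
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# The question the vulnerable connect method never asked: does the identity
# in the certificate match the host the client meant to reach?
def identity_matches?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

# Same outcome post_connection_check produces: an SSLError ends the session
# instead of letting a mismatched (impersonating) certificate pass.
def check_peer!(cert, hostname)
  unless identity_matches?(cert, hostname)
    raise OpenSSL::SSL::SSLError,
          "hostname \"#{hostname}\" does not match the server certificate"
  end
  true
end

if __FILE__ == $0
  cert = make_cert('www.example.com')
  puts check_peer!(cert, 'www.example.com')          # true
  begin
    check_peer!(cert, 'evil.example.net')             # raises SSLError
  rescue OpenSSL::SSL::SSLError => e
    puts "rejected: #{e.message}"
  end
end
```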

Vulnerable versions

1.8 series
  • 1.8.4 and all prior versions
  • 1.8.5-p113 and all prior versions
  • 1.8.6-p110 and all prior versions
Development version (1.9 series)
  • All versions before 2006-09-23


Solution

1.8 series

Please upgrade to 1.8.6-p111 or 1.8.5-p114.

Then you should use Net::HTTP#enable_post_connection_check= to enable post_connection_check.

require 'net/https'

http = Net::HTTP.new('www.example.com', 443)  # placeholder host; the advisory's own value is missing here
http.use_ssl = true
http.enable_post_connection_check = true      # check the certificate's identity against the requested host
http.verify_mode = OpenSSL::SSL::VERIFY_PEER  # also verify the certificate chain
store = OpenSSL::X509::Store.new
store.set_default_paths                       # load the system CA bundle so VERIFY_PEER has trusted roots
http.cert_store = store
http.start {
  response = http.get('/')
}

Please note that a package that corrects this weakness may already be available through your package management software.

Development version (1.9 series)

Please update your Ruby to a version after 2006-09-23. The default value of Net::HTTP#enable_post_connection_check is true on Ruby 1.9.


  • 2007-10-04 16:30 +09:00 added description for enable_post_connection_check to `Solution'.