From ede362588cc32e6273fdc2788c9fdd5ce1664b69 Mon Sep 17 00:00:00 2001
From: Andy Brody
Date: Thu, 9 Apr 2015 16:03:13 -0700
Subject: [PATCH] Remove SSL certificate blacklist checks.
---
 lib/stripe.rb | 39 +++++-----------
 lib/stripe/certificate_blacklist.rb | 55 -----------------------
 test/stripe/certificate_blacklist_test.rb | 18 --------
 3 files changed, 11 insertions(+), 101 deletions(-)
 delete mode 100644 lib/stripe/certificate_blacklist.rb
 delete mode 100644 test/stripe/certificate_blacklist_test.rb
diff --git a/lib/stripe.rb b/lib/stripe.rb
index d3a9b6a2..16249753 100644
--- a/lib/stripe.rb
+++ b/lib/stripe.rb
@@ -26,7 +26,6 @@ require 'stripe/account'
 require 'stripe/balance'
 require 'stripe/balance_transaction'
 require 'stripe/customer'
-require 'stripe/certificate_blacklist'
 require 'stripe/invoice'
 require 'stripe/invoice_item'
 require 'stripe/charge'
@@ -62,7 +61,6 @@ module Stripe
 @ssl_bundle_path = DEFAULT_CA_BUNDLE_PATH
 @verify_ssl_certs = true
- @CERTIFICATE_VERIFIED = false
 class << self
@@ -91,15 +89,17 @@ module Stripe
 'email support@stripe.com if you have any questions.)')
 end
- request_opts = { :verify_ssl => false }
-
- if ssl_preflight_passed?
- request_opts.update(:verify_ssl => OpenSSL::SSL::VERIFY_PEER,
- :ssl_ca_file => @ssl_bundle_path)
- end
-
- if @verify_ssl_certs and !@CERTIFICATE_VERIFIED
- @CERTIFICATE_VERIFIED = CertificateBlacklist.check_ssl_cert(api_base_url, @ssl_bundle_path)
+ if verify_ssl_certs
+ request_opts = {:verify_ssl => OpenSSL::SSL::VERIFY_PEER,
+ :ssl_ca_file => @ssl_bundle_path}
+ else
+ unless @verify_ssl_warned
+ @verify_ssl_warned = true
+ $stderr.puts("WARNING: Running without SSL cert verification. " \
+ "You should never do this in production. " \
+ "Execute 'Stripe.verify_ssl_certs = true' to enable verification.")
+ request_opts = {:verify_ssl => false}
+ end
 end
 params = Util.objects_to_ids(params)
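Review bot: In the new `else` branch, `request_opts = {:verify_ssl => false}` sits inside `unless @verify_ssl_warned`, so once the warning has fired, every later request made with `verify_ssl_certs` false leaves `request_opts` unassigned (nil) for the code after the hunk that consumes it. Move the assignment out of the guard so the branch reads `else` / `request_opts = {:verify_ssl => false}` / `unless @verify_ssl_warned` …, keeping the one-time warning as it is. A smaller point: the deleted `ssl_preflight_passed?` (next hunk) downgraded to unverified requests with a stderr hint when `@ssl_bundle_path` was unreadable, whereas the new code always sends `VERIFY_PEER` with that path — failing closed is the right outcome, but an unreadable bundle will presumably now surface only as a TLS error from the underlying HTTP client, so a comment above `if verify_ssl_certs` such as `# An unreadable @ssl_bundle_path now fails the request instead of silently disabling verification` would save the next reader a hunt. The enclosing request method starts and ends outside this hunk.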
@@ -149,23 +149,6 @@ module Stripe
 private
- def self.ssl_preflight_passed?
- if !verify_ssl_certs && !@no_verify
- $stderr.puts "WARNING: Running without SSL cert verification. " \
- "Execute 'Stripe.verify_ssl_certs = true' to enable verification."
-
- @no_verify = true
-
- elsif !Util.file_readable(@ssl_bundle_path) && !@no_bundle
- $stderr.puts "WARNING: Running without SSL cert verification " \
- "because #{@ssl_bundle_path} isn't readable"
-
- @no_bundle = true
- end
-
- !(@no_verify || @no_bundle)
- end
-
 def self.user_agent
 @uname ||= get_uname
 lang_version = "#{RUBY_VERSION} p#{RUBY_PATCHLEVEL} (#{RUBY_RELEASE_DATE})"
diff --git a/lib/stripe/certificate_blacklist.rb b/lib/stripe/certificate_blacklist.rb
deleted file mode 100644
index 80feecb0..00000000
--- a/lib/stripe/certificate_blacklist.rb
+++ /dev/null
@@ -1,55 +0,0 @@
-require 'uri'
-require 'digest/sha1'
-
-module Stripe
- module CertificateBlacklist
-
- BLACKLIST = {
- "api.stripe.com" => [
- '05c0b3643694470a888c6e7feb5c9e24e823dc53',
- ],
- "revoked.stripe.com" => [
- '5b7dc7fbc98d78bf76d4d4fa6f597a0c901fad5c',
- ]
- }
-
- # Preflight the SSL certificate presented by the backend. This isn't 100%
- # bulletproof, in that we're not actually validating the transport used to
- # communicate with Stripe, merely that the first attempt to does not use a
- # revoked certificate.
-
- # Unfortunately the interface to OpenSSL doesn't make it easy to check the
- # certificate before sending potentially sensitive data on the wire. This
- # approach raises the bar for an attacker significantly.
-
- def self.check_ssl_cert(uri, ca_file)
- uri = URI.parse(uri)
-
- sock = TCPSocket.new(uri.host, uri.port)
- ctx = OpenSSL::SSL::SSLContext.new
- ctx.set_params(:verify_mode => OpenSSL::SSL::VERIFY_PEER,
- :ca_file => ca_file)
-
- socket = OpenSSL::SSL::SSLSocket.new(sock, ctx)
- socket.connect
-
- certificate = socket.peer_cert.to_der
- fingerprint = Digest::SHA1.hexdigest(certificate)
-
- if blacklisted_certs = BLACKLIST[uri.host]
- if blacklisted_certs.include?(fingerprint)
- raise APIConnectionError.new(
- "Invalid server certificate. You tried to connect to a server that" \
- "has a revoked SSL certificate, which means we cannot securely send" \
- "data to that server. Please email support@stripe.com if you need" \
- "help connecting to the correct API server."
- )
- end
- end
-
- socket.close
-
- return true
- end
- end
-end
diff --git a/test/stripe/certificate_blacklist_test.rb b/test/stripe/certificate_blacklist_test.rb
deleted file mode 100644
index 21779f24..00000000
--- a/test/stripe/certificate_blacklist_test.rb
+++ /dev/null
@@ -1,18 +0,0 @@
-require File.expand_path('../../test_helper', __FILE__)
-
-module Stripe
-
- class CertificateBlacklistTest < Test::Unit::TestCase
- should "not trust revoked certificates" do
- assert_raises(Stripe::APIConnectionError) {
- Stripe::CertificateBlacklist.check_ssl_cert("https://revoked.stripe.com:444",
- Stripe::DEFAULT_CA_BUNDLE_PATH)
- }
- end
-
- should "trust api.stripe.com" do
- assert_true Stripe::CertificateBlacklist.check_ssl_cert("https://api.stripe.com",
- Stripe::DEFAULT_CA_BUNDLE_PATH)
- end
- end
-end