Upgrading the ssl and https examples, now that I actually know what I…

…'m talking about.

ssl_and_https.rb

@@ -1,39 +1,52 @@
 require "net/https"
 require "uri"
 
-# This URL is Thawte's SSL test site.
-uri = URI.parse("https://ssltest7.bbtest.net")
-http = Net::HTTP.new(uri.host, uri.port)
+# A regular-ish https request.
+#
+# ssltest7.bbtest.net is Thawte's SSL test site. Net::HTTP will use the CA
+# certificates installed on your system by default, which most likely includes
+# the Thawte cert that signed ssltest7.bbtest.net.
+http = Net::HTTP.new("ssltest7.bbtest.net", 443)
 http.use_ssl = true
+http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+
+response = http.request(Net::HTTP::Get.new("/"))
+response.body
+response.status
+# .. do normal Net::HTTP response stuff here (see separate cheat sheet entry)
 
-# You can use a certificate to verify the server you're connecting to is the
-# server you indented to connect to.
+# You can specify custom CA certs. If your production system only connects to
+# one particular server, you should specify these, and bundle them with your
+# app, so that you don't depend on the pre-installed certs on the system that
+# may or may not exist.
+http = Net::HTTP.new("verysecure.com", 443)
+http.use_ssl = true
 http.verify_mode = OpenSSL::SSL::VERIFY_PEER
-http.cert = OpenSSL::X509::Certificate.new(File.read("/path/to/cert.pem"))
 
-# You can also use a SSL store to automatically use all the certs installed on
-# your systems. Most setups have root certs for verisign, entrust, thawte, etc
-# installed.
 store = OpenSSL::X509::Store.new
-store.set_default_paths
+store.set_default_paths # Optional method that will auto-include the system CAs.
+store.add_cert(OpenSSL::X509::Certificate.new(File.read("/path/to/ca1.crt")))
+store.add_cert(OpenSSL::X509::Certificate.new(File.read("/path/to/ca2.crt")))
+store.add_file("/path/to/ca3.crt") # Alternative syntax for adding certs.
+http.cert_store = store
 
-# You can also manually provide certs to the store. Download a cert for
-# ssltest7 at https://www.thawte.com/roots and provide the full path to
-# that file here, and remove `set_default_paths`.
-store.add_file("/path/to/cert.pem")
+response = http.request(Net::HTTP::Get.new("/"))
 
-# Or add a OpenSSL Ruby object, instead of a string.
-store.add_cert(OpenSSL::X509::Certificate.new(File.read("/path/to/cert.pem")))
 
-http.cert_store = store
+# Client certificate example. Some servers use this to authorize the connecting
+# client, i.e. you. The server you connect to gets the certificate you specify,
+# and they can use it to check who signed the certificate, and use the
+# certificate fingerprint to identify exactly which certificate you're using.
+http = Net::HTTP.new("ssltest7.bbtest.net", 443)
+http.use_ssl = true
+http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+http.key = OpenSSL::PKey::RSA.new(File.read("/path/to/client.key"), "optional passphrase argument")
+http.cert = OpenSSL::X509::Certificate.new(File.read("/path/to/client.crt"))
 
-# You can also skip verification. That may be a bad idea, though, read more here:
-# http://www.rubyinside.com/how-to-cure-nethttps-risky-default-https-behavior-4010.html
-http.verify_mode = OpenSSL::SSL::VERIFY_NONE
+response = http.request(Net::HTTP::Get.new("/"))
 
-request = Net::HTTP::Get.new(uri.request_uri)
 
-response = http.request(request)
-response.body
-response.status
-response["header-here"] # All headers are lowercase
+# You can also skip verification. This is almost certainly a bad idea, read more
+# here:
+# http://www.rubyinside.com/how-to-cure-nethttps-risky-default-https-behavior-4010.html
+http.verify_mode = OpenSSL::SSL::VERIFY_NONE