I am writing a soap request over SSL using Savon and HTTPi, a Ruby soap client and an interface for Ruby HTTP clients, respectively. Here’s the code:

client = Savon::Client.new(original_class.constantize.wsdl_url)
client.http.auth.ssl.cert_key_file = "path_to_the_key"
client.http.auth.ssl.cert_key_password = 'secret'
client.http.auth.ssl.cert_file = "path_to_the_certification"
client.http.auth.ssl.verify_mode = :none
@response = client.request :ins0, action do
  soap.body = encoded_body
end

That’s the only way I get this to work. But, I know that there is three others verify modes, which are:

• :peer (SSL_VERIFY_PEER)
• :fail_if_no_peer_cert (SSL_VERIFY_FAIL_IF_NO_PEER_CERT)
• :client_once (SSL_VERIFY_CLIENT_ONCE)

If I change the verify mode to any other of the above, I get this error:

OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

Then comes my questions (among others I have):

• Am I doing wrong if I keep the verify mode to :none? Is there any lack of security?
• What does the error really mean? That my code is wrong or that my certificate (which is self-assigned — I am in development environment) is not good?

I read the OpenSSL documentation about verify modes:

http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html

About SSL_VERIFY_NONE, on Client Mode, says:

The result of the certificate verification process can be checked
after the TLS/SSL handshake using the SSL_get_verify_result(3)
function. The handshake will be continued regardless of the
verification result.

Should I be worried about it? Should I see verify mode :none as a dangerous thing?

I am asking that because since I can’t make it work with the others verify modes, I would like to release the soap request over SSL feature the way it is working now. But I surely wouldn’t do it if that could be dangerous.