VERIFY_PEER by default - no need for a cert_store option

[mohamedhafez]

Testing all the way back to ruby 2.1.10, the last supported version of ruby still supported, if we don't specify the cert store and leave out the line http.verify_mode = OpenSSL::SSL::VERIFY_NONE, ruby will use its own cert store by default and conduct VERIFY_PEER verification. I can't see any reason why this shouldn't be the default...

Also, since Ruby's default cert_store is capable of verifying our small set of endpoints, I don't think we need an option to specify a custom cert_store so I've removed that as well

[mohamedhafez]

@zaru or @rossta could you take a look at this? I'm 99% certain I'm correct here, and that not doing the ssl peer verification by default is a big, unnecessary security hole...

[rossta]

Yes, I support the change to switch to VERIFY_PEER by default.

If needed, we could later provide an http_options option instead and pass that directly to HTTP.start to allow for control over HTTP behavior.

[zaru]

@mohamedhafez sorry! I had missed.
Certainly it VERIFY_PEER is the better of the default.
Thanks for PR.

[mohamedhafez]

no worries, thanks for merging @zaru !