Security: OpenSSL::SSL::VERIFY_NONE and some http-only requests

[rmoriz]

• Currently all https/TLS requests are vulnerable to MITM.

  See:

  jenkins_api_client/lib/jenkins_api_client/client.rb

  Lines 311 to 314 in b9a5e5d

  	if @ssl
  	http.use_ssl = true
  	http.verify_mode = OpenSSL::SSL::VERIFY_NONE
  	end

  jenkins_api_client/lib/jenkins_api_client/client.rb

  Lines 270 to 274 in b9a5e5d

  	def get_artifact(job_name,filename)
  	@artifact = job.find_artifact(job_name)
  	uri = URI.parse(@artifact)
  	http = Net::HTTP.new(uri.host, uri.port)
  	http.verify_mode = OpenSSL::SSL::VERIFY_NONE

  Suggestion: Change default to verify, allow users who are unable to fix their trust root to set an option to disable verification.

• exec_cli is hard-coded to http:

  jenkins_api_client/lib/jenkins_api_client/client.rb

  Lines 617 to 619 in b9a5e5d

  	def exec_cli(command, args = [])
  	base_dir = File.dirname(__FILE__)
  	server_url = "http://#{@server_ip}:#{@server_port}/#{@jenkins_path}"

• update center request is not made over https, too.

  jenkins_api_client/lib/jenkins_api_client/client.rb

  Lines 490 to 493 in b9a5e5d

  	@logger.info "Initializing Jenkins Update Center..."
  	@logger.debug "Obtaining the JSON data for Update Center..."
  	# TODO: Clean me up
  	update_center_data = open("http://updates.jenkins-ci.org/update-center.json").read

[rmoriz]

see #204