@mperham
Created September 6, 2012 04:11
Campfire's SSL cert doesn't verify with Ruby 1.9.3 p194
# This works for me in 1.9.3-p125 but not in p194.
# Can anyone explain why?
require 'net/http'
http = Net::HTTP.new("theclymb1.campfirenow.com", 443)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
request = Net::HTTP::Get.new("/login")
response = http.request(request)
raise response.inspect if response.code != '200'
@mperham
Author

mperham commented Sep 6, 2012

The exact same code works for me in p125. Both are running on OSX, installed via RVM.

@timhaines

What does it do in p194?

@drbrain

drbrain commented Sep 6, 2012

$ ruby -v -ropenssl -e 'p OpenSSL::OPENSSL_VERSION, OpenSSL::Config::DEFAULT_CONFIG_FILE'
ruby 1.9.3p194 (2012-04-20 revision 35410) [x86_64-darwin12.1.0]
"OpenSSL 0.9.8r 8 Feb 2011"
"/System/Library/OpenSSL/openssl.cnf"

I'm using OS X certificates, maybe you are not?

If your DEFAULT_CONFIG_FILE isn't in /System you probably need to give OpenSSL some trusted certs:

  1. Open Keychain Access
  2. Click "System Roots" in the Keychains sidebar
  3. Select All (⌘A)
  4. Export Items (⇧⌘E)
  5. Select "Privacy Enhanced Mail (.pem)" format
  6. Type "cert.pem" in the "Save As" text area
  7. Save the cert.pem to the same directory as the openssl.cnf
  8. Retry your program

@mperham
Author

mperham commented Sep 6, 2012

Doc, here's what I've got:

> ruby -v -ropenssl -e 'p OpenSSL::OPENSSL_VERSION, OpenSSL::Config::DEFAULT_CONFIG_FILE'
ruby 1.9.3p194 (2012-04-20 revision 35410) [x86_64-darwin11.4.0]
malloc_limit=59000000 (8000000)
heap_min_slots=600000 (10000)
"OpenSSL 0.9.8t 18 Jan 2012"
"/Users/mperham/.rvm/usr/ssl/openssl.cnf"

@mperham
Author

mperham commented Sep 6, 2012

This is the result:

>         response = http.request(request)
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
    from /Users/mperham/.rvm/rubies/ruby-1.9.3-p194/lib/ruby/1.9.1/net/http.rb:799:in `connect'
    from /Users/mperham/.rvm/rubies/ruby-1.9.3-p194/lib/ruby/1.9.1/net/http.rb:799:in `block in connect'
    from /Users/mperham/.rvm/rubies/ruby-1.9.3-p194/lib/ruby/1.9.1/timeout.rb:54:in `timeout'
    from /Users/mperham/.rvm/rubies/ruby-1.9.3-p194/lib/ruby/1.9.1/timeout.rb:99:in `timeout'
    from /Users/mperham/.rvm/rubies/ruby-1.9.3-p194/lib/ruby/1.9.1/net/http.rb:799:in `connect'
    from /Users/mperham/.rvm/rubies/ruby-1.9.3-p194/lib/ruby/1.9.1/net/http.rb:755:in `do_start'
    from /Users/mperham/.rvm/rubies/ruby-1.9.3-p194/lib/ruby/1.9.1/net/http.rb:744:in `start'
    from /Users/mperham/.rvm/rubies/ruby-1.9.3-p194/lib/ruby/1.9.1/net/http.rb:1284:in `request'

@mperham
Author

mperham commented Sep 6, 2012

On my p125 install which does work, I have this output:

 > ruby -v -ropenssl -e 'p OpenSSL::OPENSSL_VERSION, OpenSSL::Config::DEFAULT_CONFIG_FILE'
ruby 1.9.3p125 (2012-02-16 revision 34643) [x86_64-darwin11.3.0]
malloc_limit=59000000 (8000000)
heap_min_slots=600000 (10000)
"OpenSSL 0.9.8r 8 Feb 2011"
"/System/Library/OpenSSL/openssl.cnf"
 > which ruby
/Users/mperham/.rvm/rubies/ruby-1.9.3-p125/bin/ruby

@mpapis

mpapis commented Sep 6, 2012

I thought there were some openssl changes in p194, checked changelog?

@mperham
Author

mperham commented Sep 6, 2012

I just ran "rvm pkg install openssl" and "rvm reinstall 1.9.3-p194". Exact same problem.

p194 just turned on SSL verification for Rubygems. It doesn't say anything about openssl in general.

@mpapis

mpapis commented Sep 6, 2012

@mperham here is the difference (openssl) p125-p194:

+
+Sat Mar 31 12:11:21 2012  Martin Bosslet  <Martin.Bosslet@googlemail.com>
+
+   * ext/openssl/ossl_x509cert.c: Fix doc typo.
+
+Fri Mar 30 14:17:17 2012  Martin Bosslet  <Martin.Bosslet@googlemail.com>
+
+   * ext/openssl/ossl_pkcs7.c: fix crash when parsing garbage data.
+   * test/openssl/test_pkcs7.rb: assert correct behavior for it.
+     Thanks to Matt Venables for reporting the issue.
+     [ruby-core:43250][Bug #6134]
+
+Fri Mar 30 14:17:17 2012  Martin Bosslet  <Martin.Bosslet@googlemail.com>
+
+   * test/openssl/test_x509cert.rb: exclude test that fails when issuing
+     a certificate with RSA signature and DSS1 digest for earlier
+     OpenSSL versions when used in conjunction with OpenSSL 1.0.1.
+     Thanks, Vit Ondruch, for reporting the issue.
+     [ruby-core:42949][Bug #6089]
+
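
Review bot: the ChangeLog entry for ext/openssl/ossl_pkcs7.c says only "fix crash when parsing garbage data" and does not name the method or input that crashed, so a reader has to open Bug #6134 to judge its scope; naming the affected call in the entry would help. None of the three added entries (a doc typo in ossl_x509cert.c, the PKCS7 parsing crash, a test exclusion in test_x509cert.rb) mentions certificate verification or where trusted certificates are loaded from.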

my guess is you could try reverse patch from Bug #6134 -> http://bugs.ruby-lang.org/projects/ruby-trunk/repository/revisions/35167/diff.diff

@mperham
Author

mperham commented Sep 6, 2012

This fixed the problem, from http://stackoverflow.com/a/11041391/1494519

$ cd $rvm_path/usr/ssl
$ curl -O http://curl.haxx.se/ca/cacert.pem
$ mv cacert.pem cert.pem
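
Added example, not part of the thread or any participant's code: a Ruby sketch of the failure mode diagnosed above. `trust_store_report` shows where this Ruby's OpenSSL looks for CA certificates (the `cert.pem` beside `openssl.cnf` in the thread), and `compare_stores` verifies a constructed test certificate against an empty store and against a store holding its issuer. The function names, subjects and keys are made up for the illustration.

```ruby
require 'openssl'

# Report where this Ruby's OpenSSL build looks for trusted CA certificates.
# SSL_CERT_FILE / SSL_CERT_DIR override the compiled-in defaults.
def trust_store_report(env = ENV)
  file = env[OpenSSL::X509::DEFAULT_CERT_FILE_ENV] || OpenSSL::X509::DEFAULT_CERT_FILE
  dir  = env[OpenSSL::X509::DEFAULT_CERT_DIR_ENV]  || OpenSSL::X509::DEFAULT_CERT_DIR
  { config_file: OpenSSL::Config::DEFAULT_CONFIG_FILE,
    cert_file: file, cert_file_usable: File.file?(file) && !File.zero?(file),
    cert_dir: dir, cert_dir_entries: Dir.glob(File.join(dir, '*')).size }
end

# Issue a throwaway certificate (constructed test data, valid for one hour).
def issue(subject, key, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                                   # X.509 v3
  cert.serial = ca ? 1 : 2
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  bc = OpenSSL::X509::ExtensionFactory.new
         .create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true)
  cert.add_extension(bc)
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
end

# Verify the same leaf against an empty store and against one holding its CA.
def compare_stores
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = issue('/CN=Constructed Test CA', ca_key, ca: true)
  leaf = issue('/CN=host.example', OpenSSL::PKey::RSA.new(2048),
               issuer: ca, issuer_key: ca_key)

  empty = OpenSSL::X509::Store.new    # like a build whose cert.pem is missing
  seeded = OpenSSL::X509::Store.new
  seeded.add_cert(ca)                 # like a build whose bundle has the issuer
  { empty:  [empty.verify(leaf),  empty.error_string],
    seeded: [seeded.verify(leaf), seeded.error_string] }
end

if $PROGRAM_NAME == __FILE__
  trust_store_report.each { |k, v| puts "#{k}: #{v}" }
  compare_stores.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

Whatever file ends up at `cert_file` becomes the root of trust for every verified connection this Ruby makes, so fetch the bundle over an authenticated channel (the command in the thread uses plain `http`) or compare it against a known digest before installing it.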

@jjb

jjb commented Sep 11, 2012

Here is what works for me with macports and rbenv: https://gist.github.com/2315629
