SSL: ca_path not honored #2010

Closed
tomekw opened this issue Sep 29, 2014 · 4 comments

Comments

tomekw commented Sep 29, 2014

Hi!

I have a web service over HTTPS with a self-signed SSL certificate on CentOS 6.5. I can't connect to it securely when providing the ca_path parameter with net/http and JRuby 1.7.16 (works with MRI Ruby 2.1.2):

require 'net/http'
require 'net/https'
require 'uri'

# Standard hashed CA directory on RedHat systems (files are found by <subject hash>.N)
ca_path = '/etc/pki/tls/certs'
url = URI.parse 'https://api.example.com'

http = Net::HTTP.new(url.host, url.port)
http.set_debug_output $stderr
http.use_ssl = (url.scheme == 'https')
if (File.directory?(ca_path) && http.use_ssl?)
  # Trust whatever is linked into ca_path and fail the handshake if the chain does not verify
  http.ca_path = ca_path
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.verify_depth = 5
else
  # Fallback branch: no certificate verification at all, the peer is not authenticated
  http.verify_mode = OpenSSL::SSL::VERIFY_NONE
end
# url.path is "" for a bare host URL and Net::HTTP::Get rejects an empty path;
# request_uri yields "/" (plus any query string) in that case
request = Net::HTTP::Get.new(url.request_uri)
response = http.request(request)

puts response.inspect

Result:

certificate verify failed

It works when providing ca_file = '/etc/pki/tls/certs/ca-bundle.crt' instead (but adding self-signed certificates to the bundle is a bad idea...)

tomekw commented Sep 29, 2014

It works on FreeBSD 9.2-RELEASE with JRuby... Is it platform-dependent?

@emilupnext

Solution: generate x509 certificate hashes with -subject_hash_old instead of (or in addition to) -subject_hash.

JRuby's implementation of OpenSSL uses old, 0.9.8-compatible hashes (that's why it works out of the box in FreeBSD 9.x). I think it should be documented somewhere, because it is surprising that something works with openssl s_client testing (and in every program that links to the OpenSSL library) and fails with JRuby.
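As an added illustration of the fix described above (example code, not from the issue, from JRuby or from tomekw's service), the Ruby script below builds a throwaway self-signed certificate, installs it into a hashed CA directory under the new-style link name, the old-style link name, and both, and then checks which layout an OpenSSL::X509::Store populated through add_path actually resolves. The old-style name is computed by hand as the first four bytes of the MD5 over the DER-encoded subject, read little-endian, which is the value `openssl x509 -subject_hash_old` prints; the certificate, the directory layout and the file name `service.pem` are all constructed for this example.

```ruby
require 'openssl'
require 'fileutils'
require 'tmpdir'

# Constructed test data: a throwaway self-signed certificate standing in for the
# service's own cert (2048-bit RSA, SHA-256 signature, valid for one hour).
def make_self_signed_cert(common_name)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# OpenSSL >= 1.0.0 link name (X509_NAME_hash, SHA-1 over the canonical subject):
# what `openssl x509 -subject_hash` prints and what MRI's OpenSSL looks up in ca_path.
def new_style_hash(name)
  format('%08x', name.hash)
end

# OpenSSL 0.9.8 link name (X509_NAME_hash_old): first four bytes of MD5 over the
# DER-encoded subject, little-endian. Same value as `openssl x509 -subject_hash_old`.
def old_style_hash(name)
  format('%08x', OpenSSL::Digest::MD5.digest(name.to_der).unpack1('V'))
end

# Write the PEM into ca_path and create a <hash>.0 symlink for each requested style
# (:new, :old). Returns the link names that were created.
def install_into_ca_path(cert, ca_path, styles)
  FileUtils.mkdir_p(ca_path)
  File.write(File.join(ca_path, 'service.pem'), cert.to_pem)
  styles.map do |style|
    digest = style == :old ? old_style_hash(cert.subject) : new_style_hash(cert.subject)
    link = "#{digest}.0"
    File.symlink('service.pem', File.join(ca_path, link))
    link
  end
end

# Does a store populated only from the hashed directory accept the certificate?
# This is the same lookup net/http performs when ca_path is set and VERIFY_PEER is on.
def verifies_with_ca_path?(cert, ca_path)
  store = OpenSSL::X509::Store.new
  store.add_path(ca_path)
  store.verify(cert)
end

# Try all three layouts in a temporary directory; the result shows which link
# style the running Ruby's OpenSSL honours (MRI: new style only).
def ca_path_layout_results
  cert = make_self_signed_cert('api.example.com')
  Dir.mktmpdir do |root|
    { new_only: [:new], old_only: [:old], both: [:new, :old] }.map do |label, styles|
      dir = File.join(root, label.to_s)
      install_into_ca_path(cert, dir, styles)
      [label, verifies_with_ca_path?(cert, dir)]
    end.to_h
  end
end

if $PROGRAM_NAME == __FILE__
  ca_path_layout_results.each do |label, ok|
    puts "#{label}: #{ok ? 'verified' : 'certificate verify failed'}"
  end
end
```

On MRI the `old_only` layout fails and `new_only` succeeds; a JRuby that looks up the 0.9.8-style name sees the opposite, which is why creating both links (`both` verifies in either case) is the portable fix. The shell equivalent for a real ca_path is `ln -s service.pem "$(openssl x509 -noout -subject_hash_old -in service.pem).0"` next to the new-style link that c_rehash created.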

tomekw commented Sep 29, 2014

+1 !

Can it be closed?

kares commented Jan 18, 2017

this seems resolved, sorry for the delay!

@kares kares closed this as completed Jan 18, 2017
@kares kares added this to the Invalid or Duplicate milestone Jan 18, 2017