Skip to content

Instantly share code, notes, and snippets.

@mperham

mperham/gist:3651105

Created September 6, 2012 04:11
Show Gist options
  • Save mperham/3651105 to your computer and use it in GitHub Desktop.
Save mperham/3651105 to your computer and use it in GitHub Desktop.
Download ZIP
Campfire's SSL cert doesn't verify with Ruby 1.9.3 p194
Raw
gistfile1.rb
# This works for me in 1.9.3-p125 but not in p194.
# Can anyone explain why?
require 'net/http'
http = Net::HTTP.new("theclymb1.campfirenow.com", 443)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
request = Net::HTTP::Get.new("/login")
response = http.request(request)
raise response.inspect if response.code != '200'
@mperham
Copy link
Author

mperham commented Sep 6, 2012

This is the result:

>         response = http.request(request)
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
    from /Users/mperham/.rvm/rubies/ruby-1.9.3-p194/lib/ruby/1.9.1/net/http.rb:799:in `connect'
    from /Users/mperham/.rvm/rubies/ruby-1.9.3-p194/lib/ruby/1.9.1/net/http.rb:799:in `block in connect'
    from /Users/mperham/.rvm/rubies/ruby-1.9.3-p194/lib/ruby/1.9.1/timeout.rb:54:in `timeout'
    from /Users/mperham/.rvm/rubies/ruby-1.9.3-p194/lib/ruby/1.9.1/timeout.rb:99:in `timeout'
    from /Users/mperham/.rvm/rubies/ruby-1.9.3-p194/lib/ruby/1.9.1/net/http.rb:799:in `connect'
    from /Users/mperham/.rvm/rubies/ruby-1.9.3-p194/lib/ruby/1.9.1/net/http.rb:755:in `do_start'
    from /Users/mperham/.rvm/rubies/ruby-1.9.3-p194/lib/ruby/1.9.1/net/http.rb:744:in `start'
    from /Users/mperham/.rvm/rubies/ruby-1.9.3-p194/lib/ruby/1.9.1/net/http.rb:1284:in `request'

@mperham
Copy link
Author

mperham commented Sep 6, 2012

On my p125 install which does work, I have this output:

 > ruby -v -ropenssl -e 'p OpenSSL::OPENSSL_VERSION, OpenSSL::Config::DEFAULT_CONFIG_FILE'
ruby 1.9.3p125 (2012-02-16 revision 34643) [x86_64-darwin11.3.0]
malloc_limit=59000000 (8000000)
heap_min_slots=600000 (10000)
"OpenSSL 0.9.8r 8 Feb 2011"
"/System/Library/OpenSSL/openssl.cnf"
 > which ruby
/Users/mperham/.rvm/rubies/ruby-1.9.3-p125/bin/ruby

@mpapis
Copy link

mpapis commented Sep 6, 2012

I thought there were some openssl changes in p194, checked changelog ?

@mperham
Copy link
Author

mperham commented Sep 6, 2012

I just ran "rvm pkg install openssl" and "rvm reinstall 1.9.3-p194". Exact same problem.

p194 just turned on SSL verification for Rubygems. It doesn't say anything about openssl in general.

@mpapis
Copy link

mpapis commented Sep 6, 2012

@mperharm here is the difference (openssl) p125-p194:

+
+Sat Mar 31 12:11:21 2012  Martin Bosslet  <[email protected]>
+
+   * ext/openssl/ossl_x509cert.c: Fix doc typo.
+
+Fri Mar 30 14:17:17 2012  Martin Bosslet  <[email protected]>
+
+   * ext/openssl/ossl_pkcs7.c: fix crash when parsing garbage data.
+   * test/openssl/test_pkcs7.rb: assert correct behavior for it.
+     Thanks to Matt Venables for reporting the issue.
+     [ruby-core:43250][Bug #6134]
+
+Fri Mar 30 14:17:17 2012  Martin Bosslet  <[email protected]>
+
+   * test/openssl/test_x509cert.rb: exclude test that fails when issuing
+     a certificate with RSA signature and DSS1 digest for earlier
+     OpenSSL versions when used in conjunction with OpenSSL 1.0.1.
+     Thanks, Vit Ondruch, for reporting the issue.
+     [ruby-core:42949][Bug #6089]
+

my guess is you could try reverse patch from Bug #6134 -> http://bugs.ruby-lang.org/projects/ruby-trunk/repository/revisions/35167/diff.diff

@mperham
Copy link
Author

mperham commented Sep 6, 2012

This fixed the problem, from http://stackoverflow.com/a/11041391/1494519

$ cd $rvm_path/usr/ssl
$ curl -O http://curl.haxx.se/ca/cacert.pem
$ mv cacert.pem cert.pem

@jjb
Copy link

jjb commented Sep 11, 2012

Here is what works for me witih macports and rbenv: https://gist.github.com/2315629

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment