RestClient and SSL stores/default paths
David Ljung Madison <librelist.com@...>
I don't know much about SSL, but I'm trying to use RestClient to
connect to my SSL server. I tried the simple RestClient example
I found and added this to Resource.new:
:ssl_client_cert => OpenSSL::X509::Certificate.new(File.read("gd_intermediate.pem")),
:verify_ssl => OpenSSL::SSL::VERIFY_PEER
(Our server's cert is signed by GoDaddy)
This did not work (SSL verify failed) - everything works fine with
verify_ssl turned off.
I found a Net::HTTP example that worked fine by using an OpenSSL store:
net = Net::HTTP.new("custman.iceleropoc.net", 8443)
net.use_ssl = true
net.verify_mode = OpenSSL::SSL::VERIFY_PEER
store = OpenSSL::X509::Store.new
store.set_default_paths # This is required!
net.cert_store = store
RestClient doesn't seem to have a way to use the store, or to set
the default paths. If I understood x509/SSL better I might understand
what I'm doing wrong.
I tried adding the store with default paths to net in request.rb and
then RestClient started to work.
Is RestClient missing this feature, or is there some other way to do
what I'm trying to do?
Dave
---------------------------------------------------------------------------
Dave Ljung Madison http://GetDave.com/ 415.341.5555
--- "Debugging is twice as hard as writing the code in the first place. ---
Therefore, if you write the code as cleverly as possible, you are,
by definition, not smart enough to debug it." - Brian W. Kernighan
Cyril Rohr <cyril.rohr@...>
Hello,
On Apr 12, 2012, at 2:26 AM, David Ljung Madison wrote:
> I don't know much about SSL, but I'm trying to use RestClient to
> connect to my SSL server. I tried the simple RestClient example
> I found and added this to Resource.new:
> :ssl_client_cert => OpenSSL::X509::Certificate.new(File.read("gd_intermediate.pem")),
> :verify_ssl => OpenSSL::SSL::VERIFY_PEER
If you want to verify server certificates, you need to pass the path to a Certification Authority (CA) file with the :ssl_ca_file option. This file should contain at least the certificate of the CA that signed the server certificate you want to verify (in your case, GoDaddy's).
That being said, it would be nice to support a store path option so that it's easier to verify certificates delivered by common CAs.
Cyril
--
http://crohr.me
David Ljung Madison <librelist.com@...>
> If you want to verify server certificates, you need to pass the
> path to a Certification Authority (CA) file with the :ssl_ca_file
I tried that with:
:ssl_ca_file => "/etc/ssl/certs/Go_Daddy_Class_2_CA.pem",
But that didn't work either. What are the ssl settings I give to
RestClient and where do I get the certs?
Dave
-----------------------------------------------------------------------------
Dave Ljung Madison http://GetDave.com/ 415.341.5555
------- Walking on water and developing software from a specification -------
are easy if both are frozen. - Edward V. Berard
Cyril Rohr <cyril.rohr@...>
On Apr 12, 2012, at 9:57 AM, David Ljung Madison wrote:
> I tried that with:
> :ssl_ca_file => "/etc/ssl/certs/Go_Daddy_Class_2_CA.pem",
> But that didn't work either. What are the ssl settings I give to
> RestClient and where do I get the certs?
Actually, unless you're doing mutual SSL authentication with the server, you should not pass an :ssl_client_cert option. Is your server live somewhere so that we can test?
Cyril
--
http://crohr.me
David Ljung Madison <librelist.com@...>
> Actually, unless you're doing mutual SSL authentication with the
> server, you should not pass an :ssl_client_cert option. Is your
> server live somewhere so that we can test?
Unfortunately it's a work server for a startup, so not really.
I don't think I need mutual SSL authentication. This is a site
that works just fine with a browser, so it seems to figure it out.
I take it the :ssl_client_cert option is for the server's cert that I'm connecting to, and I don't need that?
Regardless, I've tried it with:
rc = RestClient::Resource.new(
url,
:timeout => 200,
:ssl_ca_file => "/etc/ssl/certs/Go_Daddy_Class_2_CA.pem",
:verify_ssl => OpenSSL::SSL::VERIFY_PEER
)
And it doesn't work:
SSL Verification failed -- Preverify: false, Error: unable to get issuer certificate (2)
What do I need to do with RestClient to get it to act like the
browser or like Net::HTTP using the default store?
Dave
---------------------------------------------------------------------------
Dave Ljung Madison http://GetDave.com/ 415.341.5555
--- "Debugging is twice as hard as writing the code in the first place. ---
Therefore, if you write the code as cleverly as possible, you are,
by definition, not smart enough to debug it." - Brian W. Kernighan
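Added example, not part of the thread and not RestClient's own code: one situation that produces the "unable to get issuer certificate (2)" error quoted above is a trust store that holds a CA certificate whose own issuer is missing, so the chain never reaches a self-signed root. The script below reproduces that offline with OpenSSL::X509::Store and contrasts it with a store that holds the root. The three-certificate chain, its names and the helpers issue, check and demo are constructed for illustration, and an OpenSSL-backed Ruby is assumed.

```ruby
require "openssl"

# Issue a constructed certificate; with no issuer given it is a self-signed root.
def issue(cn, serial, issuer = nil, issuer_key = nil, ca: false)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = issuer ? issuer.subject : cert.subject
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  if ca
    ef = OpenSSL::X509::ExtensionFactory.new
    cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

ROOT, ROOT_KEY   = issue("Example Root CA (constructed)", 1, ca: true)
INTER, INTER_KEY = issue("Example Intermediate CA (constructed)", 2, ROOT, ROOT_KEY, ca: true)
LEAF, _          = issue("server.example.test", 3, INTER, INTER_KEY)

# Verify `leaf` against a store holding `trusted`; `sent` are the extra
# (untrusted) chain certificates a server would send in its handshake.
def check(trusted, sent, leaf = LEAF)
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  ok = store.verify(leaf, sent)
  [ok, store.error, store.error_string]
end

def demo
  {
    intermediate_only: check([INTER], []),      # CA file lacks the issuer of its own CA cert
    root_plus_sent:    check([ROOT], [INTER]),  # root trusted, server sends the intermediate
    root_only:         check([ROOT], []),       # root trusted, intermediate never supplied
  }
end

demo.each { |name, (ok, code, msg)| puts format("%-18s ok=%-5s error=%d (%s)", name, ok, code, msg) }
```

Error 2 means part of the chain was found in the trust store but it stopped short of a self-signed root, while error 20 means no issuer was found at all; a store populated with set_default_paths avoids both only when the system bundle contains the root the chain actually ends in.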