I'm trying to find out where Ruby expects to find its OpenSSL CA list. My environment is:

- Mac OS 10.7.5
- OpenSSL from homebrew
- rbenv from homebrew
- Ruby 1.9.3, installed using rbenv and CONFIGURE_OPTS="--with-openssl-dir=`brew --prefix openssl`"
Confirming that my Ruby is using homebrew's OpenSSL (note: /Users/me is a redacted version of the user directory in all the examples below):

```
$ otool -L /Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/1.9.1/x86_64-darwin11.4.2/openssl.bundle
/Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/1.9.1/x86_64-darwin11.4.2/openssl.bundle:
	/usr/local/opt/openssl/lib/libssl.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
	/usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
	/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 159.1.0)
	/usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)
```
To test, I wrote the following script:

```ruby
#!/usr/bin/env ruby
require 'net/https'
https = Net::HTTP.new('encrypted.google.com', 443)
https.use_ssl = true
https.verify_mode = OpenSSL::SSL::VERIFY_PEER
https.request_get('/')
puts 'success!'
```
If I specify the path to my SSL_CERT_FILE manually, it works:

```
$ SSL_CERT_FILE=/Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/site_ruby/1.9.1/rubygems/ssl_certs/ca-bundle.pem ./test_ssl.rb
success!
```
Otherwise, it breaks:

```
$ ./test_ssl.rb
/Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/1.9.1/net/http.rb:799:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
	from /Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/1.9.1/net/http.rb:799:in `block in connect'
	from /Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/1.9.1/timeout.rb:54:in `timeout'
	from /Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/1.9.1/timeout.rb:99:in `timeout'
	from /Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/1.9.1/net/http.rb:799:in `connect'
	from /Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/1.9.1/net/http.rb:755:in `do_start'
	from /Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/1.9.1/net/http.rb:744:in `start'
	from /Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/1.9.1/net/http.rb:1284:in `request'
	from /Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/1.9.1/net/http.rb:1195:in `request_get'
	from ./test_ssl.rb:6:in `<main>'
```
Incidentally, I'm already aware that I could manually check various paths for the CA file from my script. However, the script is a test of net/http operations similar to those inside the Ruby gem "faraday" on my system. I don't want to hack the faraday gem to work around this problem.

So I used dtruss to look for stat calls and see whether any of them tried to look up CA files:
```
$ sudo dtruss -f -t stat64 ./test_ssl.rb
PID/THRD  SYSCALL(args)          = return
96741/0x6b4be4:  stat64("/usr/lib/dtrace/libdtrace_dyld.dylib", 0x7FFF6A9BE810, 0x7FFF6A9BF700)   = 0 0
96741/0x6b4be4:  stat64("/usr/lib/libSystem.B.dylib", 0x7FFF6A9BE650, 0x7FFF6A9BF4D0)   = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libcache.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)   = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libcommonCrypto.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)   = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libcompiler_rt.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)   = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libcopyfile.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)   = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libdispatch.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)   = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libdnsinfo.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)   = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libdyld.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)   = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libkeymgr.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)   = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/liblaunch.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)   = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libmacho.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)   = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libmathCommon.A.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)   = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libquarantine.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)   = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libremovefile.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)   = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libsystem_blocks.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)   = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libsystem_c.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)   = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libsystem_dnssd.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)   = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libsystem_info.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)   = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libsystem_kernel.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)   = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libsystem_network.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)   = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libsystem_notify.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)   = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libsystem_sandbox.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)   = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libunc.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)   = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libunwind.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)   = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libxpc.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)   = 0 0
96741/0x6b4be4:  stat64("/AppleInternal", 0x7FFF6A9BEFF8, 0x0)   = -1 Err#2
96741/0x6b4be4:  stat64("/usr/lib/libstdc++.6.dylib", 0x7FFF6A9BE640, 0x7FFF6A9BF4C0)   = 0 0
96741/0x6b4be4:  stat64("/usr/lib/libc++abi.dylib", 0x7FFF6A9BE550, 0x7FFF6A9BF3D0)   = 0 0
```
None of the file stats look like a CA file lookup! Am I using dtruss correctly? Is there another way for me to find out where the CA certificate file needs to be placed?
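An added diagnostic, not part of the question above: Ruby's openssl extension exposes the paths that libcrypto was compiled with (OpenSSL::X509::DEFAULT_CERT_FILE / DEFAULT_CERT_DIR) and the environment variable names that override them (SSL_CERT_FILE / SSL_CERT_DIR), which is exactly what X509_STORE_set_default_paths consults when verify_mode is VERIFY_PEER and no ca_file is set. This script resolves those locations and checks whether they actually hold a usable trust store; the env hash is injectable so the resolution can be exercised with a constructed environment.

```ruby
#!/usr/bin/env ruby
# Added diagnostic, not part of the original question: report where the
# OpenSSL this Ruby is linked against looks for its CA trust store and
# whether those locations actually hold certificates.
require 'openssl'

# Resolve the effective CA file and directory the way OpenSSL's
# X509_STORE_set_default_paths does: SSL_CERT_FILE / SSL_CERT_DIR in the
# environment win, otherwise the defaults compiled into libcrypto apply.
# `env` defaults to the real environment but can be a constructed hash.
def ca_locations(env = ENV)
  file_env = OpenSSL::X509::DEFAULT_CERT_FILE_ENV   # "SSL_CERT_FILE"
  dir_env  = OpenSSL::X509::DEFAULT_CERT_DIR_ENV    # "SSL_CERT_DIR"
  {
    file_env: file_env, dir_env: dir_env,
    file: env[file_env] || OpenSSL::X509::DEFAULT_CERT_FILE,
    dir:  env[dir_env]  || OpenSSL::X509::DEFAULT_CERT_DIR,
    file_overridden: !env[file_env].nil?,
    dir_overridden:  !env[dir_env].nil?
  }
end

# Check whether the resolved locations can serve as a trust store: the file
# must exist and contain PEM certificates, the directory must exist and hold
# c_rehash-style entries named <8 hex digits>.<n> (that is how OpenSSL's
# by_dir lookup addresses issuers, so a directory of plain .pem files is
# silently useless).
def trust_store_status(loc)
  file, dir = loc[:file], loc[:dir]
  certs  = File.file?(file) ? File.read(file).scan('-----BEGIN CERTIFICATE-----').size : 0
  hashed = File.directory?(dir) ? Dir.entries(dir).grep(/\A[0-9a-f]{8}\.\d+\z/).size : 0
  { file_exists: File.file?(file), file_certs: certs,
    dir_exists: File.directory?(dir), dir_hashed_entries: hashed,
    usable: certs > 0 || hashed > 0 }
end

if __FILE__ == $0
  loc = ca_locations
  puts "OpenSSL: #{OpenSSL::OPENSSL_VERSION}"
  puts "CA file: #{loc[:file]} (#{loc[:file_overridden] ? "from #{loc[:file_env]}" : 'compiled-in default'})"
  puts "CA dir:  #{loc[:dir]} (#{loc[:dir_overridden] ? "from #{loc[:dir_env]}" : 'compiled-in default'})"
  trust_store_status(loc).each { |k, v| puts "  #{k}: #{v}" }
end
```

Run it with the rbenv Ruby from the question to see which path the homebrew libcrypto was built with; a CA file that does not exist there, or a cert dir with no hashed entries, explains a "certificate verify failed" with no SSL_CERT_FILE set. OpenSSL reads the CA file with fopen(3), so it shows up under open(2) rather than stat64 in a dtruss trace.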