Where is Ruby looking for SSL_CERT_FILE?

7

I'm trying to find out where Ruby expects to find its OpenSSL CA list. My environment is:

Confirming that my Ruby is using the Homebrew OpenSSL (note: /Users/me is a redacted version of the user directory in all of the examples below):

$ otool -L /Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/1.9.1/x86_64-darwin11.4.2/openssl.bundle
/Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/1.9.1/x86_64-darwin11.4.2/openssl.bundle:
        /usr/local/opt/openssl/lib/libssl.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
        /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
        /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 159.1.0)
        /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)

To test, I wrote the following script:

#!/usr/bin/env ruby
require 'net/https'
https = Net::HTTP.new('encrypted.google.com', 443)
https.use_ssl = true
https.verify_mode = OpenSSL::SSL::VERIFY_PEER
https.request_get('/')
puts 'success!'

If I manually specify the path to my SSL_CERT_FILE, it works:

$ SSL_CERT_FILE=/Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/site_ruby/1.9.1/rubygems/ssl_certs/ca-bundle.pem ./test_ssl.rb 
success!

Otherwise, it fails:

$ ./test_ssl.rb 
/Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/1.9.1/net/http.rb:799:in 'connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
        from /Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/1.9.1/net/http.rb:799:in 'block in connect'
        from /Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/1.9.1/timeout.rb:54:in 'timeout'
        from /Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/1.9.1/timeout.rb:99:in 'timeout'
        from /Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/1.9.1/net/http.rb:799:in 'connect'
        from /Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/1.9.1/net/http.rb:755:in 'do_start'
        from /Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/1.9.1/net/http.rb:744:in 'start'
        from /Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/1.9.1/net/http.rb:1284:in 'request'
        from /Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/1.9.1/net/http.rb:1195:in 'request_get'
        from ./test_ssl.rb:6:in '<main>'

Incidentally, I'm already aware that I could manually check various paths for the CA file from my script. However, the script is a test of similar net/http operations inside the Ruby gem "faraday" on my system. I don't want to hack the faraday gem to work around this problem.

So I used dtruss to look for stat calls and see whether any of them tried to look for CA files:

$ sudo dtruss -f -t stat64 ./test_ssl.rb
        PID/THRD  SYSCALL(args)                  = return
96741/0x6b4be4:  stat64("/usr/lib/dtrace/libdtrace_dyld.dylib", 0x7FFF6A9BE810, 0x7FFF6A9BF700)                = 0 0
96741/0x6b4be4:  stat64("/usr/lib/libSystem.B.dylib", 0x7FFF6A9BE650, 0x7FFF6A9BF4D0)          = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libcache.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)              = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libcommonCrypto.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)               = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libcompiler_rt.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)                = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libcopyfile.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)           = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libdispatch.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)           = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libdnsinfo.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)            = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libdyld.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)               = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libkeymgr.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)             = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/liblaunch.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)             = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libmacho.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)              = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libmathCommon.A.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)               = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libquarantine.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)                 = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libremovefile.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)                 = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libsystem_blocks.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)              = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libsystem_c.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)           = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libsystem_dnssd.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)               = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libsystem_info.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)                = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libsystem_kernel.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)              = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libsystem_network.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)             = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libsystem_notify.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)              = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libsystem_sandbox.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)             = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libunc.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)                = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libunwind.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)             = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libxpc.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)                = 0 0
96741/0x6b4be4:  stat64("/AppleInternal", 0x7FFF6A9BEFF8, 0x0)                 = -1 Err#2
96741/0x6b4be4:  stat64("/usr/lib/libstdc++.6.dylib", 0x7FFF6A9BE640, 0x7FFF6A9BF4C0)          = 0 0
96741/0x6b4be4:  stat64("/usr/lib/libc++abi.dylib", 0x7FFF6A9BE550, 0x7FFF6A9BF3D0)            = 0 0

None of the file stats looks like a search for a CA file! Am I using dtruss correctly? Is there another way for me to find out where the CA certificates file needs to be placed?

    
asked by EdwardTeach 28.12.2012 - 00:19
source

2 answers

2

I had the same problem on Ubuntu. It seems there is no compiled-in default anymore (if there ever was one; in theory it could also have been the work of the distributors).

I decided to set the path in the Apache config (my Rails app is controlled by Passenger).

SetEnv SSL_CERT_DIR /usr/share/ca-certificates/mozilla

It works now.

There is also an SSL_CERT_FILE for a single certificate.

You have to adjust the paths.

Just check the man pages and this page. Line 4 here also says so: link

I could also have set the path system-wide in /etc/environment and restarted the system.

    
answered 04.01.2013 - 17:35
source
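
An added example, not part of the original posts: Ruby's openssl extension exposes the CA locations compiled into the linked OpenSSL library, and the names of the environment variables that override them, as constants under OpenSSL::X509. The helper names ca_lookup, resolve and pem_cert_count are hypothetical; the sketch reports which path would be used for a given environment and whether anything usable is there.

```ruby
require 'openssl'

# Resolve where the linked OpenSSL looks for trust anchors when a store uses
# its default paths: the environment variable wins, otherwise the location
# compiled into the library is used.
def ca_lookup(env = ENV)
  x509 = OpenSSL::X509
  {
    file: resolve(env, x509::DEFAULT_CERT_FILE_ENV, x509::DEFAULT_CERT_FILE),
    dir:  resolve(env, x509::DEFAULT_CERT_DIR_ENV,  x509::DEFAULT_CERT_DIR)
  }
end

# Hypothetical helper: pick the override if set and record where it came from.
def resolve(env, var, compiled_in)
  override = env[var]
  path = override || compiled_in
  { var: var, path: path, source: override ? :env : :compiled_in,
    exists: File.exist?(path) }
end

# Count PEM certificates in a bundle; 0 means the file is missing, unreadable
# or contains no certificates, so verification against it will fail.
def pem_cert_count(path)
  return 0 unless File.file?(path) && File.readable?(path)
  File.read(path).scan(/^-----BEGIN CERTIFICATE-----/).size
end

if __FILE__ == $PROGRAM_NAME
  puts "OpenSSL library: #{OpenSSL::OPENSSL_VERSION}"
  ca_lookup.each do |kind, r|
    puts "#{kind}: #{r[:path]} (#{r[:source]}, #{r[:var]}) exists=#{r[:exists]}"
  end
  puts "certificates in file: #{pem_cert_count(ca_lookup[:file][:path])}"
end
```

Run it with the same interpreter and environment as the failing process (for example under rbenv, or under Passenger's environment), since both the compiled-in paths and the overrides can differ between them.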
0

Although I don't understand where Ruby expects to find it, you could try adding

export SSL_CERT_FILE=/Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/site_ruby/1.9.1/rubygems/ssl_certs/ca-bundle.pem

to ~/.bash_profile to make it work with command-line tools (note the 'export' in front of SSL_CERT_FILE; on Windows systems (off-topic, I know) this would be 'set')

    
answered 05.03.2013 - 15:53
source
