Ruby验证安全ldap服务器的证书
[英]Ruby verify the certificate of secure ldap server
问题描述
I am using https://github.com/ruby-ldap/ruby-net-ldap (net-ldap) gem to verify the authenticity of a user in my rails app. 
我正在使用https://github.com/ruby-ldap/ruby-net-ldap(net-ldap)gem来验证Rails应用程序中用户的真实性。 But before passing data to the ldap server, I need to verify that I am talking with the same secure server. 但是,在将数据传递到ldap服务器之前,我需要确认我正在使用同一安全服务器。 Is there a workaround which allows me to verify the certificate in ruby 有没有一种解决方法,可以让我验证红宝石证书
Additional details: (things I have tried) 其他详细信息:(我尝试过的事情)
The certificate which is passed on to me is same as the one I see when I run
传递给我的证书与我运行时看到的证书相同 openssl s_client -showcerts -connect "<host>:<port>" </dev/null 2>/dev/null|openssl x509 -outform PEMI used http://www.ldapsoft.com/ to connect to client's server Unless I add the certificate file given to me in Security > Manage server certificates , I get a warning saying unknown security certificate
我使用http://www.ldapsoft.com/连接到客户端的服务器除非在“ 安全性”>“管理服务器证书”中添加给我的证书文件,否则会收到警告,提示未知的安全证书 I tried do it manually first in plain ruby (without gem) But i get following error
我尝试先在纯红宝石(无宝石)中手动进行此操作,但出现以下错误 test-ssl.rb:23:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)Code:
码: cert_store = OpenSSL::X509::Store.new cert_store.add_file "server-wildcard.crt" io = TCPSocket.new("SECURELDAP.MYSITE.EDU","636") ctx = OpenSSL::SSL::SSLContext.new #ctx.cert = OpenSSL::X509::Certificate.new(File.read("server-wildcard.crt")) #ctx.client_ca = OpenSSL::X509::Certificate.new(File.read("server-wildcard.crt")) #ctx.ca_file = "server-wildcard.crt" #ctx.ca_path = "./" ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT ctx.cert_store = cert_store conn = OpenSSL::SSL::SSLSocket.new(io, ctx) conn.connect
2 个解决方案
解决方案1
1 2014-04-02 11:31:04
I am posting my solution here for the sake of completeness. 为了完整起见,我在这里发布我的解决方案。
net-ldap gem override to support certificate validation https://gist.github.com/mintuhouse/9931865 net-ldap gem覆盖以支持证书验证https://gist.github.com/mintuhouse/9931865
Ideal Solution: 理想的解决方案:
Maintain list of trusted root CAs on your server (If you are lazy like me, have a cron job which will download (weekly maintained by curl) copy from http://curl.haxx.se/ca/cacert.pem ) 维护服务器上受信任的根CA的列表(如果像我一样懒,请执行cron作业,该作业将从http://curl.haxx.se/ca/cacert.pem下载(由curl每周维护)副本)
Override Net::HTTP to always use this trusted certificate list 覆盖Net :: HTTP以始终使用此受信任的证书列表
解决方案2
0 2016-12-19 22:03:02
As of today (late 2016), ruby-net-ldap supports this upstream! 截至今天(2016年末),ruby-net-ldap支持此上游! However, tls_options needs to be passed with verify_mode set to a value other than the default VERIFY_NONE . 然而, tls_options需要与传递verify_mode设置为默认值以外的值VERIFY_NONE 。
# optional: create/pass your own cert_store
cert_store = OpenSSL::X509::Store.new
cert_store.set_default_paths # or add your own CAdir, &c.
# attributes documented for OpenSSL::SSL::SSLContext are valid here
tls_options = {
verify_mode: OpenSSL::SSL::VERIFY_PEER
cert_store: cert_store
}
ldap = Net::LDAP.new(
:host => host,
:port => port,
:encryption => {
:method => :simple_tls, # could also be :start_tls
:tls_options => tls_options
}
)
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.