[英]Ruby 1.8.7 and Net::HTTP: Making an SSL GET request with client cert?
I'm trying to fetch a resource via SSL using Net::HTTP
. 我正在尝试使用Net::HTTP
通过 SSL获取资源。 Here is the relevant code fragment: 这是相关的代码片段:
req = Net::HTTP::Get.new(ContentURI.path)
https = Net::HTTP.new(ContentURI.host, ContentURI.port)
https.use_ssl = true
https.cert = OpenSSL::X509::Certificate.new(@cert_raw)
https.key = OpenSSL::PKey::RSA.new(@cert_key_raw)
https.verify_mode = OpenSSL::SSL::VERIFY_PEER
https.ca_file = File.join(TestDataPath, 'cacert.pem')
resp = https.start { |cx| cx.request(req) }
or with the alternate last line: 或者使用备用的最后一行:
resp = https.get(ContentURI.path)
I have verified that the various bits (cert, key, CA cert, etc. ) are correct. 我已经验证了各种位(证书,密钥,CA证书等 )是正确的。
The problem is that the cx.request(req)
throws an exception: 问题是cx.request(req)
抛出异常:
OpenSSL::SSL::SSLError: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read server session ticket A
The Apache SSL error log on the server contains the following: 服务器上的Apache SSL错误日志包含以下内容:
[Tue Jan 24 11:47:26 2012] [debug] ssl_engine_kernel.c(1876): OpenSSL: Loop: SSLv3 read finished A
[Tue Jan 24 11:47:26 2012] [debug] ssl_engine_kernel.c(1905): OpenSSL: Exit: error in SSLv3 write session ticket A
[Tue Jan 24 11:47:26 2012] [debug] ssl_engine_kernel.c(1905): OpenSSL: Exit: error in SSLv3 write session ticket A
[Tue Jan 24 11:47:26 2012] [info] [client 10.11.88.53] SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Tue Jan 24 11:47:26 2012] [info] [client 10.11.88.53] Connection closed to child 0 with abortive shutdown (server _SERVERNAME_:443
The cert, key, and CA cert file work with this SSL host through other tools; 证书,密钥和CA证书文件通过其他工具与此SSL主机一起使用; I'm just having trouble reproducing that success programatically using Net::HTTP[S]
. 我只是在使用Net::HTTP[S]
编程方式复制成功时遇到了麻烦。
Thanks to anyone who can identify what I'm doing wrong! 感谢任何能够识别我做错的人!
I'd say this is matter of your Apache setup rather than problem with Ruby itself. 我想说这是你的Apache设置的问题,而不是Ruby本身的问题。
Check this out: 看一下这个:
$ curl https://palladium.wejn.cz/sslcerttest/
curl: (56) SSL read: error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure, errno 0
$ curl https://palladium.wejn.cz/sslcerttest/ -E client.pem
<pre>Yop.</pre>
And then: 然后:
#!/usr/bin/ruby
require 'net/http'
require 'net/https'
require 'openssl'
require 'uri'
ContentURI = URI.parse("https://palladium.wejn.cz/sslcerttest/")
@cert_raw = File.read('client.pem')
@cert_key_raw = @cert_raw
TestDataPath = '.'
req = Net::HTTP::Get.new(ContentURI.path)
https = Net::HTTP.new(ContentURI.host, ContentURI.port)
https.use_ssl = true
https.cert = OpenSSL::X509::Certificate.new(@cert_raw)
https.key = OpenSSL::PKey::RSA.new(@cert_key_raw)
https.verify_mode = OpenSSL::SSL::VERIFY_PEER
https.ca_file = File.join(TestDataPath, 'cacert.pem')
resp = https.start { |cx| cx.request(req) }
p resp
p resp.body
results in: 结果是:
$ ruby a.rb
#<Net::HTTPOK 200 OK readbody=true>
"<pre>Yop.</pre>\n"
$ dpkg -l ruby1.8 | tail -n1 | awk '{print $3}'
1.8.7.302-2squeeze1
$ ruby -v
ruby 1.8.7 (2010-08-16 patchlevel 302) [x86_64-linux]
Of course, the apache config in question is: 当然,有问题的apache配置是:
<Directory /var/www/sslcerttest/>
SSLVerifyClient require
SSLVerifyDepth 5
SSLCACertificateFile /var/www/sslcerttest/cacert.pem
SSLCACertificatePath /var/www/sslcerttest/
SSLOptions +FakeBasicAuth
SSLRequireSSL
SSLRequire %{SSL_CLIENT_S_DN_O} eq "Wejn s.r.o." and %{SSL_CLIENT_S_DN_OU} eq "Server Certificate"
</Directory>
Maybe posting additional details (apache config to test against) would be of some help when tracking this issue down... 也许发布其他详细信息(apache配置以进行测试)在跟踪此问题时会有所帮助...
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.