How to verify the SSL connection when calling a URI?
I am developing a web application that is authenticated using CAS (A开发者_StackOverflow single-sign-on solution: http://www.ja-sig.org/wiki/display/CAS/Home).
For security reasons, I need two things to work:
- The communication between CAS and my application needs to be secure
- My application needs to accept the certification coming from CAS, so that I can guarantee that the CAS responding is the real CAS server
This is what I got so far:
uri = URI.parse("https://www.google.com/accounts")
https = Net::HTTP.new(uri.host, uri.port)
https.use_ssl = (uri.scheme == 'https')
https.verify_mode = (OpenSSL::SSL::VERIFY_PEER)
raw_res = https.start do |conn|
conn.get("#{uri.path}?#{uri.query}")
end
This works just great in Mac OS X. When I try to reach an insecure URI, it raises an exception, and when I try to reach a secure URI, it allows me normally, just like expected.
The problem starts when I deploy my application on my Linux server. I tried in both Ubuntu and Red Hat. Independent of what URI I try to reach, it always raises this exception:
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
from /usr/local/lib/ruby/1.8/net/http.rb:586:in `connect'
from /usr/local/lib/ruby/1.8/net/http.rb:586:in `connect'
from /usr/local/lib/ruby/1.8/net/http.rb:553:in `do_start'
from /usr/local/lib/ruby/1.8/net/http.rb:542:in `start'
from (irb):7
I think this have something to do with my installed OpenSSL package, but I can't be sure. This are my installed OpenSSL packages:
openssl.x86_64 0.9.8e-12.el5 installed
openssl-devel.x86_64 0.9.8e-12.el5 installed
I tried using HTTParty as well, but it just ignores the SSL certificate.
I hope someone can help me, or tell me about a gem that works the way I need.
Thanks.
I would bet that there's a difference in the Certificate Authorities file. Try setting https.ca_file
to another pem file, like maybe this one, and ensure that your cert's CA is in that list.
Or, perhaps one or both of the machines' clocks are wrong. (via this page)
Check that the clocks between the puppetmaster and client are in sync, if the client is behind when the certificate was generated, then the client sees that the start date of the certificate is in the future and therefore is invalid. Just for reference you can find out this info from the cert using the following:
openssl x509 -text -noout -in /var/lib/puppet/ssl/certs/hostname.tld.pem | grep -A2 Validity
Validity Not Before: Apr 19 23:21:29 2009 GMT Not After : Apr 18 23:21:29 2014 GMT
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
精彩评论