From: "tisba (Sebastian Cohnen)" <ruby-lang@...>
Date: 2013-11-05T17:54:30+09:00
Subject: [ruby-core:58169] [ruby-trunk - Bug #9053] SSL Issue with Ruby 2.0.0


Issue #9053 has been updated by tisba (Sebastian Cohnen).


chittoor (Rajesh Malepati) wrote:
> tisba (Sebastian Cohnen) wrote:
> > chittoor (Rajesh Malepati) wrote:
> > > Your certificate chain is incomplete.
> > > Serve "StartCom Class 1 Primary Intermediate Server CA" certificate along with your server certificate.
> > 
> > Okay thanks, I'll take a look.
> > 
> > But this doesn't really explain, why only Ruby 2.0 is affected, or does it?
> 
> Are you sure it's just Ruby 2.0? openssl doesn't attempt to download missing certificates.
> Browsers on the other hand, look at 'Authority Information Access' extension in the certificate to download additional certificates.

I just removed the intermediate certificate again from the server to test it again. I noticed that Ruby 1.9.3 (and 1.8.7) does not seem to verify the SSL certificate by default (OpenSSL::SSL::VERIFY_NONE). This code fails for all Rubies (1.8.7, 1.9.3 and 2.0.0) with the missing intermediate certificate:

 require "net/http"
 http = Net::HTTP.new("stormforger.com", 443)
 http.use_ssl = true
 http.verify_mode = OpenSSL::SSL::VERIFY_PEER
 request = Net::HTTP::Get.new("/")
 response = http.request(request)

results in:

 OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
----------------------------------------
Bug #9053: SSL Issue with Ruby 2.0.0
https://bugs.ruby-lang.org/issues/9053#change-42754

Author: tisba (Sebastian Cohnen)
Status: Assigned
Priority: Normal
Assignee: MartinBosslet (Martin Bosslet)
Category: ext/openssl
Target version: 
ruby -v: ruby 2.0.0p247 (2013-06-27 revision 41674) [x86_64-darwin13.0.0]
Backport: 1.9.3: UNKNOWN, 2.0.0: UNKNOWN


=begin
Steps to reproduce:

  ruby -rnet/http -e 'Net::HTTP.get(URI("https://stormforger.com"));'

results in:

  /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
    from /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in `block in connect'
    from /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/timeout.rb:52:in `timeout'
    from /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in `connect'
    from /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:862:in `do_start'
    from /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:851:in `start'
    from /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:582:in `start'
    from /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:477:in `get_response'
    from /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:454:in `get'
    from -e:1:in `<main>'

But I expected no output from the program.

Running the same code with Ruby 1.8.7 or 1.9.3 causes no problems. I was able to reproduce this issue with OS X 10.8.5 as well as with 10.9. Interestingly OS X 10.9's system ruby ((({ruby 2.0.0p247 (2013-06-27 revision 41674) [universal.x86_64-darwin13]}))) does not have the issue. I appended the output of (({otool -L})) to look for the used OpenSSL lib. Apple's ruby obviously uses Apples own OpenSSL lib. 1.9.3 and 2.0.0 use the same OpenSSL lib, but only 2.0.0 fails on my test.

ruby-head ((({ruby 2.1.0dev (2013-10-24 trunk 43413) [x86_64-darwin13.0.0]}))) is also affected.

Just FYI: I initially reported the issue to RVM[0], but it appears to be not really RVM related.

[0] https://github.com/wayneeseguin/rvm/issues/2315

[1] Output of otool for various tested Rubies:

((*1.9.3-p448*))

  $ find ~/.rvm/rubies/ruby-1.9.3-p448 -name openssl.bundle | xargs otool -L
  /Users/basti/.rvm/rubies/ruby-1.9.3-p448/lib/ruby/1.9.1/x86_64-darwin13.0.0/openssl.bundle:
    /Users/basti/.rvm/rubies/ruby-1.9.3-p448/lib/libruby.1.9.1.dylib (compatibility version 1.9.1, current version 1.9.1)
    /usr/local/opt/openssl/lib/libssl.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
    /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
    /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.5)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1197.1.1)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)


((*2.0.0-p247*))

  $ find ~/.rvm/rubies/ruby-2.0.0-p247 -name openssl.bundle | xargs otool -L
  /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/x86_64-darwin13.0.0/openssl.bundle:
    /usr/local/opt/openssl/lib/libssl.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
    /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
    /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.5)
    /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/libruby.2.0.0.dylib (compatibility version 2.0.0, current version 2.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1197.1.1)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)


((*2.0.0-p247 System Ruby*))

  $ find /usr/lib/ruby/2.0.0/ -name openssl.bundle | xargs otool -L
  /usr/lib/ruby/2.0.0//universal-darwin13/openssl.bundle:
    /System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/libruby.2.0.0.dylib (compatibility version 2.0.0, current version 2.0.0)
    /usr/lib/libssl.0.9.8.dylib (compatibility version 0.9.8, current version 50.0.0)
    /usr/lib/libcrypto.0.9.8.dylib (compatibility version 0.9.8, current version 50.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1197.1.1)
    /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)

=end


-- 
http://bugs.ruby-lang.org/