From: "tisba (Sebastian Cohnen)" <ruby-lang@...>
Date: 2013-11-05T17:54:30+09:00
Subject: [ruby-core:58169] [ruby-trunk - Bug #9053] SSL Issue with Ruby 2.0.0

Issue #9053 has been updated by tisba (Sebastian Cohnen).

chittoor (Rajesh Malepati) wrote:
> tisba (Sebastian Cohnen) wrote:
> > chittoor (Rajesh Malepati) wrote:
> > > Your certificate chain is incomplete.
> > > Serve "StartCom Class 1 Primary Intermediate Server CA" certificate along with your server certificate.
> >
> > Okay thanks, I'll take a look.
> >
> > But this doesn't really explain, why only Ruby 2.0 is affected, or does it?
>
> Are you sure it's just Ruby 2.0? openssl doesn't attempt to download missing certificates.
> Browsers on the other hand, look at 'Authority Information Access' extension in the certificate to download additional certificates.

I just removed the intermediate certificate again from the server to test it again. I noticed that Ruby 1.9.3 (and 1.8.7) does not seem to verify the SSL certificate by default (OpenSSL::SSL::VERIFY_NONE).

This code fails for all Rubies (1.8.7, 1.9.3 and 2.0.0) with the missing intermediate certificate:

    require "net/http"
    http = Net::HTTP.new("stormforger.com", 443)
    http.use_ssl = true
    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
    request = Net::HTTP::Get.new("/")
    response = http.request(request)

results in:

    OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

----------------------------------------
Bug #9053: SSL Issue with Ruby 2.0.0
https://bugs.ruby-lang.org/issues/9053#change-42754

Author: tisba (Sebastian Cohnen)
Status: Assigned
Priority: Normal
Assignee: MartinBosslet (Martin Bosslet)
Category: ext/openssl
Target version:
ruby -v: ruby 2.0.0p247 (2013-06-27 revision 41674) [x86_64-darwin13.0.0]
Backport: 1.9.3: UNKNOWN, 2.0.0: UNKNOWN

=begin
Steps to reproduce:

    ruby -rnet/http -e 'Net::HTTP.get(URI("https://stormforger.com"));'

results in:

    /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
        from /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in `block in connect'
        from /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/timeout.rb:52:in `timeout'
        from /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in `connect'
        from /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:862:in `do_start'
        from /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:851:in `start'
        from /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:582:in `start'
        from /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:477:in `get_response'
        from /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:454:in `get'
        from -e:1:in `<main>'

But I expected no output from the program. Running the same code with Ruby 1.8.7 or 1.9.3 causes no problems.

I was able to reproduce this issue with OS X 10.8.5 as well as with 10.9. Interestingly OS X 10.9's system ruby ((({ruby 2.0.0p247 (2013-06-27 revision 41674) [universal.x86_64-darwin13]}))) does not have the issue. I appended the output of (({otool -L})) to look for the used OpenSSL lib. Apple's ruby obviously uses Apple's own OpenSSL lib. 1.9.3 and 2.0.0 use the same OpenSSL lib, but only 2.0.0 fails on my test.

ruby-head ((({ruby 2.1.0dev (2013-10-24 trunk 43413) [x86_64-darwin13.0.0]}))) is also affected.

Just FYI: I initially reported the issue to RVM[0], but it appears to be not really RVM related.

[0] https://github.com/wayneeseguin/rvm/issues/2315
[1] Output of otool for various tested Rubies:

((*1.9.3-p448*))

    $ find ~/.rvm/rubies/ruby-1.9.3-p448 -name openssl.bundle | xargs otool -L
    /Users/basti/.rvm/rubies/ruby-1.9.3-p448/lib/ruby/1.9.1/x86_64-darwin13.0.0/openssl.bundle:
        /Users/basti/.rvm/rubies/ruby-1.9.3-p448/lib/libruby.1.9.1.dylib (compatibility version 1.9.1, current version 1.9.1)
        /usr/local/opt/openssl/lib/libssl.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
        /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
        /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.5)
        /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1197.1.1)
        /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)

((*2.0.0-p247*))

    $ find ~/.rvm/rubies/ruby-2.0.0-p247 -name openssl.bundle | xargs otool -L
    /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/x86_64-darwin13.0.0/openssl.bundle:
        /usr/local/opt/openssl/lib/libssl.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
        /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
        /usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.5)
        /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/libruby.2.0.0.dylib (compatibility version 2.0.0, current version 2.0.0)
        /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1197.1.1)
        /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)

((*2.0.0-p247 System Ruby*))

    $ find /usr/lib/ruby/2.0.0/ -name openssl.bundle | xargs otool -L
    /usr/lib/ruby/2.0.0//universal-darwin13/openssl.bundle:
        /System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/libruby.2.0.0.dylib (compatibility version 2.0.0, current version 2.0.0)
        /usr/lib/libssl.0.9.8.dylib (compatibility version 0.9.8, current version 50.0.0)
        /usr/lib/libcrypto.0.9.8.dylib (compatibility version 0.9.8, current version 50.0.0)
        /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1197.1.1)
        /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)
=end

-- 
http://bugs.ruby-lang.org/
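
The incomplete-chain failure discussed in this thread can be reproduced offline. The following is an added example, not part of the original message or of Ruby's own code: it builds a constructed root, intermediate and leaf certificate and verifies the leaf with and without the intermediate being served. The helper names (`issue`, `verify_chain`, `demo`) and all certificate subjects are made up for illustration.

```ruby
require "openssl"

# Issue a certificate for a constructed test PKI. With no issuer given the
# certificate is self-signed (a root). All names below are made up.
def issue(subject, issuer_cert, issuer_key, ca:, serial:)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(
    ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true)
  )
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Verify +leaf+ against +trusted+ roots. +served+ holds the extra (untrusted)
# certificates the server sent in its handshake, i.e. the intermediates.
def verify_chain(leaf, trusted, served = [])
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  ctx = OpenSSL::X509::StoreContext.new(store, leaf, served)
  ok = ctx.verify
  [ok, ctx.error_string]
end

def demo
  root, root_key = issue("/CN=Example Root CA", nil, nil, ca: true, serial: 1)
  inter, inter_key = issue("/CN=Example Intermediate CA", root, root_key, ca: true, serial: 2)
  leaf, = issue("/CN=www.example.test", inter, inter_key, ca: false, serial: 3)
  {
    leaf_only: verify_chain(leaf, [root]),                  # incomplete chain served
    with_intermediate: verify_chain(leaf, [root], [inter]), # complete chain served
    untrusted_root: verify_chain(leaf, [], [inter, root])   # chain served, no trust anchor
  }
end

RESULTS = demo
RESULTS.each { |name, (ok, err)| puts "#{name}: verified=#{ok} (#{err})" }
```

Only the `with_intermediate` case verifies: the verifier builds the path solely from what it was handed plus its trust store, so a server that omits the intermediate fails for every client that actually checks the peer certificate.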