From: dsh0416@...
Date: 2018-06-29T14:53:50+00:00
Subject: [ruby-core:87693] [Ruby trunk Bug#14630] DON'T IGNORE ME!!! Uncaught exception: SSL_connect returned=1 errno=0 state=error: certificate verify failed (error number 1)

Issue #14630 has been updated by dsh0416 (Delton Ding).

The option hash passed to `Net::HTTP::start` seems to contain a misspelled key.

```ruby
@options = {
  use_ssl: true,
  ssl_version: :TLSv1_2,
  verify_mode: OpenSSL::SSL::VERIFY_PEER,
  store: store,
  keep_alive_timeout: 30,
  cert: config[:cert].nil? ? nil : OpenSSL::X509::Certificate.new(File.read(config[:cert])),
  key: config[:key].nil? ? nil : OpenSSL::PKey::EC.new(File.read(config[:key]))
}
```

This should be

```ruby
@options = {
  use_ssl: true,
  ssl_version: :TLSv1_2,
  verify_mode: OpenSSL::SSL::VERIFY_PEER,
  cert_store: store,
  keep_alive_timeout: 30,
  cert: config[:cert].nil? ? nil : OpenSSL::X509::Certificate.new(File.read(config[:cert])),
  key: config[:key].nil? ? nil : OpenSSL::PKey::EC.new(File.read(config[:key]))
}
```

You'd better double-check the ruby-doc described [here](https://ruby-doc.org/stdlib-2.5.1/libdoc/net/http/rdoc/Net/HTTP.html#method-c-start):

opt sets following values by its accessor. The keys are ca_file, ca_path, cert, **cert_store**, ciphers, close_on_empty_response, key, open_timeout, read_timeout, ssl_timeout, ssl_version, use_ssl, verify_callback, verify_depth and verify_mode. If you set :use_ssl as true, you can use https and default value of verify_mode is set as OpenSSL::SSL::VERIFY_PEER.

----------------------------------------
Bug #14630: DON'T IGNORE ME!!! Uncaught exception: SSL_connect returned=1 errno=0 state=error: certificate verify failed (error number 1)
https://bugs.ruby-lang.org/issues/14630#change-72716

* Author: paul_coppinger (Paul Coppinger)
* Status: Open
* Priority: Normal
* Assignee:
* Target version:
* ruby -v: ruby 2.5.0p0 (2017-12-25 revision 61468) [x86_64-darwin17]
* Backport: 2.3: UNKNOWN, 2.4: UNKNOWN, 2.5: UNKNOWN
----------------------------------------
I'm attempting to connect to a server with verify_mode = OpenSSL::SSL::VERIFY_PEER. It fails with the error:

```
Uncaught exception: SSL_connect returned=1 errno=0 state=error: certificate verify failed (error number 1)
/usr/local/Cellar/ruby/2.5.0_2/lib/ruby/2.5.0/net/protocol.rb:44:in `connect_nonblock'
/usr/local/Cellar/ruby/2.5.0_2/lib/ruby/2.5.0/net/protocol.rb:44:in `ssl_socket_connect'
/usr/local/Cellar/ruby/2.5.0_2/lib/ruby/2.5.0/net/http.rb:981:in `connect'
/usr/local/Cellar/ruby/2.5.0_2/lib/ruby/2.5.0/net/http.rb:920:in `do_start'
/usr/local/Cellar/ruby/2.5.0_2/lib/ruby/2.5.0/net/http.rb:909:in `start'
/usr/local/Cellar/ruby/2.5.0_2/lib/ruby/2.5.0/net/http.rb:609:in `start'
/Users/pc/work/unipagos/node/test/tester.rb:93:in `request'
/Users/pc/work/unipagos/node/test/unipagos_tester.rb:79:in `authenticate_user'
/Users/pc/work/unipagos/node/test/authenticate.rb:111:in `'
```

Strange thing is, if I attempt to verify the certificates directly there is no problem. This is a two-level PKI with a root CA (root.pem) that has two sub-CAs. One sub-CA (admin.pem) is used to issue server certificates (such as mobile.pem) and the other sub-CA (user.pem) is used to issue user certificates. I have included the PEM files for all four certificates.

Here's the code to set up the options for the connection:

```ruby
store = OpenSSL::X509::Store.new
store.add_cert(OpenSSL::X509::Certificate.new(File.read('./root.pem')))
store.add_cert(OpenSSL::X509::Certificate.new(File.read('./admin.pem')))
store.add_cert(OpenSSL::X509::Certificate.new(File.read('./user.pem')))

@options = {
  use_ssl: true,
  ssl_version: :TLSv1_2,
  verify_mode: OpenSSL::SSL::VERIFY_PEER,
  store: store,
  keep_alive_timeout: 30,
  cert: config[:cert].nil? ? nil : OpenSSL::X509::Certificate.new(File.read(config[:cert])),
  key: config[:key].nil? ? nil : OpenSSL::PKey::EC.new(File.read(config[:key]))
}

result = store.verify(@options[:cert])
puts result
result = store.verify(OpenSSL::X509::Certificate.new(File.read('./mobile.pem')))
puts result
```

The output of the above is:

```
true
true
```

However, I get the above error when I try to connect to the server (identified by mobile.pem) as follows:

```ruby
req = Net::HTTP::Get.new(uri, headers)
res = Net::HTTP::start(req.uri.hostname, req.uri.port, @options) do |http|
  http.request(req)
end
```

Any ideas?

---Files--------------------------------
admin.pem (835 Bytes)
mobile.pem (955 Bytes)
user.pem (830 Bytes)
root.pem (782 Bytes)

-- 
https://bugs.ruby-lang.org/
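The two things the thread turns on can be checked offline: why `store.verify` passes while the handshake fails, and how to detect that `Net::HTTP.start` dropped an option. The following is an added example, not code from the issue or from the Ruby project. It builds a constructed in-memory two-level PKI (hypothetical names such as `Example Root CA` and `mobile.example.test`) instead of the reporter's PEM files, and `accepted_start_keys` / `unknown_start_keys` are helper names introduced here. The key check relies on the documented behaviour of `Net::HTTP.start`: an option is applied only when `Net::HTTP` has a matching writer method, so a key like `:store` is silently ignored and the store never reaches the SSL context.

```ruby
require 'openssl'
require 'net/http'

# Constructed two-level PKI (root CA -> sub-CA -> server cert), generated in
# memory so the example runs without the reporter's PEM files.
def make_cert(subject, key, serial, issuer: nil, issuer_key: nil, ca:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, needed for the extensions below
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject # self-signed if no issuer
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  if ca
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  else
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature, keyEncipherment', true))
    cert.add_extension(ef.create_extension('extendedKeyUsage', 'serverAuth', false))
  end
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash', false))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

def build_store(*trusted)
  store = OpenSSL::X509::Store.new
  trusted.each { |c| store.add_cert(c) }
  store
end

# Three verification outcomes for the same server certificate.
def chain_verification_results
  root_key = OpenSSL::PKey::RSA.new(2048)
  sub_key  = OpenSSL::PKey::RSA.new(2048)
  srv_key  = OpenSSL::PKey::RSA.new(2048)
  root = make_cert('/CN=Example Root CA', root_key, 1, ca: true)
  sub  = make_cert('/CN=Example Admin Sub-CA', sub_key, 2, issuer: root, issuer_key: root_key, ca: true)
  srv  = make_cert('/CN=mobile.example.test', srv_key, 3, issuer: sub, issuer_key: sub_key, ca: false)

  {
    # Root and sub-CA both trusted, as in the report: verify passes.
    root_and_sub:    build_store(root, sub).verify(srv),
    # Only the root trusted: fails, the intermediate is missing...
    root_only:       build_store(root).verify(srv),
    # ...unless it is supplied as an untrusted chain, as a server would in the handshake.
    root_plus_chain: build_store(root).verify(srv, [sub])
  }
end

# Net::HTTP.start applies an option only when Net::HTTP has a writer for it
# (e.g. :cert_store -> #cert_store=). Every other key is dropped without a warning.
def accepted_start_keys
  Net::HTTP.public_instance_methods.map(&:to_s).grep(/\A\w+=\z/).map { |m| m.chomp('=').to_sym }
end

# Keys in +options+ that Net::HTTP.start would silently ignore.
def unknown_start_keys(options)
  options.keys - accepted_start_keys
end

if $PROGRAM_NAME == __FILE__
  store = build_store
  reported = { use_ssl: true, ssl_version: :TLSv1_2, verify_mode: OpenSSL::SSL::VERIFY_PEER,
               store: store, keep_alive_timeout: 30 }
  fixed = reported.reject { |k, _| k == :store }.merge(cert_store: store)
  p unknown_start_keys(reported) # [:store]: the store never reaches the SSL context
  p unknown_start_keys(fixed)    # []
  p chain_verification_results
end
```

Running `unknown_start_keys` over an option hash before calling `Net::HTTP.start` is a cheap guard against exactly this class of mistake: with `verify_mode: VERIFY_PEER` and no store, the context falls back to whatever defaults the process has, and a private CA is not among them. The `root_only` result also shows why a passing `store.verify` on a client with every CA loaded says nothing about a client that trusts only the root: the intermediate must then come from the server.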