Bug #12687

OpenSSL::X509::Store won't load certificates from set_default_paths

Added by bararchy (Bar Hofesh) about 3 years ago. Updated about 1 month ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Target version:
-
ruby -v:
"2.2.5" revision: 54072
[ruby-core:76962]

Description

Setting up a new instance of OpenSSL::X509::Store, and setting "set_default_paths" will not actually import any certificates into Store.

Environment: Ubuntu 14.04

File.dirname OpenSSL::Config::DEFAULT_CONFIG_FILE
=> "/usr/lib/ssl"

Using the store to verify a certificate (store.verify(ssl_certificate)) returns false.

After manually doing:

require "openssl"

cert_store = OpenSSL::X509::Store.new

# Import every file in the certs directory; skip files OpenSSL cannot parse as a certificate
Dir.glob("/usr/lib/ssl/certs/*").each do |cert|
  begin
    cert_store.add_file cert
  rescue OpenSSL::X509::StoreError
    next
  end
end

the verify returns true.

History

Updated by bararchy (Bar Hofesh) about 3 years ago

  • Description updated (diff)

Updated by rhenium (Kazuki Yamaguchi) about 3 years ago

  • Status changed from Open to Feedback

It's working for me:

OpenSSL::X509::DEFAULT_CERT_DIR #=> "/usr/lib/ssl/certs"
cert, *chain = OpenSSL::SSL::SSLSocket.new(TCPSocket.new("bugs.ruby-lang.org", 443)).connect.peer_cert_chain
store = OpenSSL::X509::Store.new
store.verify(cert, chain) #=> false
store.set_default_paths
store.verify(cert, chain) #=> true

OpenSSL::X509::Store#set_default_paths itself does not import any certificates but configures the store to load from OpenSSL::X509::DEFAULT_CERT_{DIR,FILE} as needed.

If you added a custom certificate to the directory, you have to run c_rehash so that OpenSSL can find it.

Updated by bararchy (Bar Hofesh) about 3 years ago

Kazuki Yamaguchi wrote:

It's working for me:

OpenSSL::X509::DEFAULT_CERT_DIR #=> "/usr/lib/ssl/certs"
cert, *chain = OpenSSL::SSL::SSLSocket.new(TCPSocket.new("bugs.ruby-lang.org", 443)).connect.peer_cert_chain
store = OpenSSL::X509::Store.new
store.verify(cert, chain) #=> false
store.set_default_paths
store.verify(cert, chain) #=> true

OpenSSL::X509::Store#set_default_paths itself does not import any certificates but configures the store to load from OpenSSL::X509::DEFAULT_CERT_{DIR,FILE} as needed.

If you added a custom certificate to the directory, you have to run c_rehash so that OpenSSL can find it.

I see, is there a way to call c_rehash from Ruby?

Updated by jeremyevans0 (Jeremy Evans) about 1 month ago

  • Status changed from Feedback to Closed

I'm guessing c_rehash in this case refers to sample/c_rehash.rb in the ruby/openssl repository (or sample/openssl/c_rehash.rb in the ruby repository).
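The two points raised in this thread, that set_default_paths/add_path only look up CA certificates lazily by subject-name hash and that a custom CA dropped into the directory is therefore invisible until it is rehashed, can be reproduced offline. The following is an added example written for this page, not code from the bug report or from ruby/openssl: it builds a throwaway test CA and leaf certificate in memory, writes the CA into a temporary directory first under a readable name (verification fails) and then under the "<subject-hash>.0" name that c_rehash would create (verification succeeds). The certificate subjects, file names and rehash_into helper are constructed for the demonstration.

```ruby
require "openssl"
require "tmpdir"

# Build a short-lived X.509 certificate. Constructed test data only; a self-signed
# CA when issuer_cert is nil, otherwise a leaf signed by issuer_key.
def make_cert(subject, key, serial, issuer_cert: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3, needed for extensions
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Minimal equivalent of c_rehash for one certificate: the hash_dir lookup behind
# set_default_paths / add_path only opens files named <subject name hash>.<n>,
# and OpenSSL::X509::Name#hash returns exactly that lookup hash.
def rehash_into(dir, cert)
  name = format("%08x.0", cert.subject.hash)
  File.write(File.join(dir, name), cert.to_pem)
  name
end

# Runs the before/after comparison and returns the results for inspection.
def demo
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = make_cert("/CN=Example Test CA", ca_key, 1, ca: true)
  leaf_key = OpenSSL::PKey::RSA.new(2048)
  leaf = make_cert("/CN=leaf.example.test", leaf_key, 2, issuer_cert: ca, issuer_key: ca_key)

  Dir.mktmpdir do |dir|
    # 1. CA present in the directory under a human-readable name: the lazy
    #    hash_dir lookup never opens it, so the leaf cannot be chained.
    File.write(File.join(dir, "example-ca.pem"), ca.to_pem)
    store = OpenSSL::X509::Store.new
    store.add_path(dir)
    before = store.verify(leaf)
    error_before = store.error_string

    # 2. Same directory after "rehashing" the CA: a fresh store now finds it.
    name = rehash_into(dir, ca)
    store2 = OpenSSL::X509::Store.new
    store2.add_path(dir)
    after = store2.verify(leaf)

    { before: before, error_before: error_before, after: after, rehashed_name: name }
  end
end

if __FILE__ == $PROGRAM_NAME
  r = demo
  puts "before rehash: #{r[:before]} (#{r[:error_before]})"
  puts "after rehash:  #{r[:after]} via #{r[:rehashed_name]}"
end
```

The same filename rule applies to DEFAULT_CERT_DIR: a CA copied there under any other name is ignored until it is rehashed, which is why the reporter's add_file loop (which reads every file eagerly) succeeded while set_default_paths appeared not to. A fresh store is used for the second check because a store that has already failed a lookup is not re-read from disk.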