Bug #12687
Status: Closed
OpenSSL::X509::Store won't load certificates from set_default_paths
Description
Setting up a new instance of OpenSSL::X509::Store, and setting "set_default_paths" will not actually import any certificates into Store.
Environment: Ubuntu 14.04
File.dirname OpenSSL::Config::DEFAULT_CONFIG_FILE => "/usr/lib/ssl"
Using the store to verify a certificate (store.verify(ssl_certificate)) returns false.
After manually doing:
Dir.glob("/usr/lib/ssl/certs/*").each do |cert|
  begin
    cert_store.add_file cert
  rescue Exception
    next
  end
end
the verify returns true.
Updated by bararchy (Bar Hofesh) over 8 years ago
- Description updated (diff)
Updated by rhenium (Kazuki Yamaguchi) over 8 years ago
- Status changed from Open to Feedback
It's working for me:
OpenSSL::X509::DEFAULT_CERT_DIR #=> "/usr/lib/ssl/certs"
cert, *chain = OpenSSL::SSL::SSLSocket.new(TCPSocket.new("bugs.ruby-lang.org", 443)).connect.peer_cert_chain
store = OpenSSL::X509::Store.new
store.verify(cert, chain) #=> false
store.set_default_paths
store.verify(cert, chain) #=> true
OpenSSL::X509::Store#set_default_paths itself does not import any certificates but configures the store to load from OpenSSL::X509::DEFAULT_CERT_{DIR,FILE} as needed.
If you added a custom certificate to the directory, you have to run c_rehash so that OpenSSL can find it.
Updated by bararchy (Bar Hofesh) over 8 years ago
Kazuki Yamaguchi wrote:
It's working for me:
OpenSSL::X509::DEFAULT_CERT_DIR #=> "/usr/lib/ssl/certs"
cert, *chain = OpenSSL::SSL::SSLSocket.new(TCPSocket.new("bugs.ruby-lang.org", 443)).connect.peer_cert_chain
store = OpenSSL::X509::Store.new
store.verify(cert, chain) #=> false
store.set_default_paths
store.verify(cert, chain) #=> true
OpenSSL::X509::Store#set_default_paths itself does not import any certificates but configures the store to load from OpenSSL::X509::DEFAULT_CERT_{DIR,FILE} as needed.
If you added a custom certificate to the directory, you have to run c_rehash so that OpenSSL can find it.
I see. Is there a way to call c_rehash from Ruby?
Updated by jeremyevans0 (Jeremy Evans) over 5 years ago
- Status changed from Feedback to Closed
I'm guessing c_rehash in this case refers to sample/c_rehash.rb in the ruby/openssl repository (or sample/openssl/c_rehash.rb in the ruby repository).
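The behaviour rhenium describes (set_default_paths registers a lookup rather than importing certificates, and a certificate dropped into the directory is invisible until c_rehash has created its hashed name) can be reproduced offline. The following is an added example, not code from the bug report or from the ruby/openssl project. It builds a throwaway CA and a leaf signed by it (constructed test data), writes the CA into a temporary directory under an arbitrary file name, and points SSL_CERT_DIR at that directory; it relies on the fact that set_default_paths (X509_STORE_set_default_paths underneath) honours SSL_CERT_DIR, so the temporary directory plays the role of DEFAULT_CERT_DIR. Verification fails until a `<subject-hash>.0` symlink, which is exactly what c_rehash creates, exists. The names make_test_pki, hashed_name, verify_with_default_paths and demo are this example's own.

```ruby
require "openssl"
require "tmpdir"

# Build a throwaway CA and a leaf certificate signed by it.
# Constructed test data for this example, not a real PKI.
def make_test_pki
  now = Time.now
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = OpenSSL::X509::Certificate.new
  ca.version = 2                       # X.509 v3, required for extensions
  ca.serial = 1
  ca.subject = OpenSSL::X509::Name.parse("/CN=Example Test CA")
  ca.issuer = ca.subject
  ca.public_key = ca_key.public_key
  ca.not_before = now - 60
  ca.not_after = now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(ca, ca)
  ca.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  ca.add_extension(ef.create_extension("keyUsage", "keyCertSign,cRLSign", true))
  ca.add_extension(ef.create_extension("subjectKeyIdentifier", "hash"))
  ca.sign(ca_key, OpenSSL::Digest.new("SHA256"))

  leaf_key = OpenSSL::PKey::RSA.new(2048)
  leaf = OpenSSL::X509::Certificate.new
  leaf.version = 2
  leaf.serial = 2
  leaf.subject = OpenSSL::X509::Name.parse("/CN=leaf.example.test")
  leaf.issuer = ca.subject
  leaf.public_key = leaf_key.public_key
  leaf.not_before = now - 60
  leaf.not_after = now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(ca, leaf)
  leaf.add_extension(ef.create_extension("basicConstraints", "CA:FALSE", true))
  leaf.add_extension(ef.create_extension("authorityKeyIdentifier", "keyid:always"))
  leaf.sign(ca_key, OpenSSL::Digest.new("SHA256"))
  [ca, leaf]
end

# The file name the hashed-directory lookup searches for: "<subject hash>.<n>".
# Name#hash is X509_NAME_hash, the value `openssl x509 -hash` prints and
# c_rehash uses for its symlinks (OpenSSL >= 1.0.0; older trees used hash_old).
def hashed_name(cert, n = 0)
  format("%08x.%d", cert.subject.hash, n)
end

# Verify +leaf+ with a fresh store that only knows the default paths, with
# SSL_CERT_DIR pointed at +dir+. set_default_paths registers the hashed-directory
# lookup (X509_LOOKUP_hash_dir) but reads nothing until verify needs an issuer.
def verify_with_default_paths(leaf, dir)
  old_dir = ENV["SSL_CERT_DIR"]
  ENV["SSL_CERT_DIR"] = dir
  store = OpenSSL::X509::Store.new
  store.set_default_paths
  store.verify(leaf)
ensure
  ENV["SSL_CERT_DIR"] = old_dir          # nil removes the variable again
end

# Drop the CA into the directory under an arbitrary name (not found), then add
# the <hash>.0 link c_rehash would create (found). Returns [before, after, link].
def demo
  ca, leaf = make_test_pki
  Dir.mktmpdir("certs") do |dir|
    File.write(File.join(dir, "myca.pem"), ca.to_pem)
    before = verify_with_default_paths(leaf, dir)   # no <hash>.0 entry yet
    link = hashed_name(ca)
    File.symlink("myca.pem", File.join(dir, link))  # what c_rehash does
    after = verify_with_default_paths(leaf, dir)
    [before, after, link]
  end
end

if $PROGRAM_NAME == __FILE__
  before, after, link = demo
  puts "without #{link}: #{before}; with #{link}: #{after}"
end
```

Store#add_path uses the same X509_LOOKUP_hash_dir lookup, so a directory added that way has the identical requirement; the reporter's Dir.glob/add_file workaround sidesteps it only because add_file parses every file eagerly, which is why it worked without rehashing.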