https://redmine.ruby-lang.org/https://redmine.ruby-lang.org/favicon.ico?17113305112013-10-26T05:59:12ZRuby Issue Tracking SystemRuby master - Bug #9053: SSL Issue with Ruby 2.0.0https://redmine.ruby-lang.org/issues/9053?journal_id=426162013-10-26T05:59:12Zdrbrain (Eric Hodel)drbrain@segment7.net
<ul><li><strong>Category</strong> set to <i>ext/openssl</i></li><li><strong>Status</strong> changed from <i>Open</i> to <i>Rejected</i></li><li><strong>Assignee</strong> set to <i>drbrain (Eric Hodel)</i></li></ul><p>You need to install certificates when using non-platform OpenSSL on OS X. Your certificates should be installed here:</p>
<p>ruby -ropenssl -e 'puts OpenSSL::X509::DEFAULT_CERT_FILE'</p>
<p>There are instructions on how to install them for RVM:</p>
<p><a href="http://rvm.io/support/fixing-broken-ssl-certificates" class="external">http://rvm.io/support/fixing-broken-ssl-certificates</a></p> Ruby master - Bug #9053: SSL Issue with Ruby 2.0.0https://redmine.ruby-lang.org/issues/9053?journal_id=426192013-10-26T10:30:42Zmpapis (Michal Papis)mpapis@gmail.com
<ul></ul><p>=begin<br>
as per the RVM ticket<br>
rvm osx-ssl-certs update all<br>
was used, I do not think this one is missing certificates, any steps to help debug it?<br>
=end</p> Ruby master - Bug #9053: SSL Issue with Ruby 2.0.0https://redmine.ruby-lang.org/issues/9053?journal_id=426202013-10-26T11:12:02Zdrbrain (Eric Hodel)drbrain@segment7.net
<ul><li><strong>Status</strong> changed from <i>Rejected</i> to <i>Assigned</i></li><li><strong>Assignee</strong> changed from <i>drbrain (Eric Hodel)</i> to <i>MartinBosslet (Martin Bosslet)</i></li></ul><p>Ah, I missed that.</p>
<p>Maybe Martin knows, I have assigned the issue to him.</p> Ruby master - Bug #9053: SSL Issue with Ruby 2.0.0https://redmine.ruby-lang.org/issues/9053?journal_id=426282013-10-26T22:37:51Zchittoor (Rajesh Malepati)
<ul></ul><p>tisba (Sebastian Cohnen) wrote:</p>
<blockquote>
<p>=begin<br>
Steps to reproduce:</p>
<p>ruby -rnet/http -e 'Net::HTTP.get(URI("<a href="https://stormforger.com" class="external">https://stormforger.com</a>"));'</p>
<p>results in:</p>
<p>/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)</p>
</blockquote>
<p>Your certificate chain is incomplete.<br>
Serve "StartCom Class 1 Primary Intermediate Server CA" certificate along with your server certificate.</p> Ruby master - Bug #9053: SSL Issue with Ruby 2.0.0https://redmine.ruby-lang.org/issues/9053?journal_id=426432013-10-28T16:56:12Ztisba (Sebastian Cohnen)ruby-lang@tisba.de
<ul></ul><p>chittoor (Rajesh Malepati) wrote:</p>
<blockquote>
<p>tisba (Sebastian Cohnen) wrote:</p>
<blockquote>
<p>=begin<br>
Steps to reproduce:</p>
<p>ruby -rnet/http -e 'Net::HTTP.get(URI("<a href="https://stormforger.com" class="external">https://stormforger.com</a>"));'</p>
<p>results in:</p>
<p>/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)</p>
</blockquote>
<p>Your certificate chain is incomplete.<br>
Serve "StartCom Class 1 Primary Intermediate Server CA" certificate along with your server certificate.</p>
</blockquote>
<p>Okay thanks, I'll take a look.</p>
<p>But this doesn't really explain, why only Ruby 2.0 is affected, or does it?</p> Ruby master - Bug #9053: SSL Issue with Ruby 2.0.0https://redmine.ruby-lang.org/issues/9053?journal_id=426452013-10-29T03:07:11Zchittoor (Rajesh Malepati)
<ul></ul><p>tisba (Sebastian Cohnen) wrote:</p>
<blockquote>
<p>chittoor (Rajesh Malepati) wrote:</p>
<blockquote>
<p>Your certificate chain is incomplete.<br>
Serve "StartCom Class 1 Primary Intermediate Server CA" certificate along with your server certificate.</p>
</blockquote>
<p>Okay thanks, I'll take a look.</p>
<p>But this doesn't really explain, why only Ruby 2.0 is affected, or does it?</p>
</blockquote>
<p>Are you sure it's just Ruby 2.0? openssl doesn't attempt to download missing certificates.<br>
Browsers on the other hand, look at 'Authority Information Access' extension in the certificate to download additional certificates.</p> Ruby master - Bug #9053: SSL Issue with Ruby 2.0.0https://redmine.ruby-lang.org/issues/9053?journal_id=427172013-11-02T08:46:25Zmpapis (Michal Papis)mpapis@gmail.com
<ul></ul><p>I think it can be closed as per <a href="https://github.com/wayneeseguin/rvm/issues/2315#issuecomment-27198136" class="external">https://github.com/wayneeseguin/rvm/issues/2315#issuecomment-27198136</a> - adding the missing certificate fixes the problem</p> Ruby master - Bug #9053: SSL Issue with Ruby 2.0.0https://redmine.ruby-lang.org/issues/9053?journal_id=427182013-11-02T09:19:31Zdavispuh (Dāvis Mosāns)
<ul></ul><p>=begin<br>
I've same problem on Windows 8 using Ruby 2.0.0-p247 (x86) from ((<RubyInstaller|URL:<a href="http://rubyinstaller.org/downloads%3E" class="external">http://rubyinstaller.org/downloads></a>)), no RVM<br>
=end</p> Ruby master - Bug #9053: SSL Issue with Ruby 2.0.0https://redmine.ruby-lang.org/issues/9053?journal_id=427192013-11-02T09:24:37Zdavispuh (Dāvis Mosāns)
<ul></ul><p>=begin<br>
On Linux it works fine, but on Windows:</p>
<p>N:\Projects>ruby -rnet/http -e 'Net::HTTP.get(URI("<a href="https://google.com" class="external">https://google.com</a>"));'<br>
P:/Ruby200/lib/ruby/2.0.0/net/http.rb:918:in <code>connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError) from P:/Ruby200/lib/ruby/2.0.0/net/http.rb:918:in </code>block in connect'<br>
from P:/Ruby200/lib/ruby/2.0.0/timeout.rb:52:in <code>timeout' from P:/Ruby200/lib/ruby/2.0.0/net/http.rb:918:in </code>connect'<br>
from P:/Ruby200/lib/ruby/2.0.0/net/http.rb:862:in <code>do_start' from P:/Ruby200/lib/ruby/2.0.0/net/http.rb:851:in </code>start'<br>
from P:/Ruby200/lib/ruby/2.0.0/net/http.rb:582:in <code>start' from P:/Ruby200/lib/ruby/2.0.0/net/http.rb:477:in </code>get_response'<br>
from P:/Ruby200/lib/ruby/2.0.0/net/http.rb:454:in <code>get' from -e:1:in </code>'<br>
=end</p> Ruby master - Bug #9053: SSL Issue with Ruby 2.0.0https://redmine.ruby-lang.org/issues/9053?journal_id=427352013-11-04T09:47:50ZMartinBosslet (Martin Bosslet)Martin.Bosslet@gmail.com
<ul></ul><p>Thanks everyone for contributing, I'm sorry I couldn't look into it any sooner. Special thanks to Rajesh for finding the issue!</p>
<p>@Sebastian: Adding the missing certificate in the chain fixed the issue for you?</p>
<p>@Dāvis: What does</p>
<p>openssl version -a</p>
<p>print for you? At the very end, there should be an entry similar to</p>
<p>OPENSSLDIR: "/etc/pki/tls"</p>
<p>What directory does the command display? Does it exist, and if yes, what files are in there?</p> Ruby master - Bug #9053: SSL Issue with Ruby 2.0.0https://redmine.ruby-lang.org/issues/9053?journal_id=427362013-11-04T11:42:41Zluislavena (Luis Lavena)luislavena@gmail.com
<ul></ul><p>=begin<br>
<a class="user active user-mention" href="https://redmine.ruby-lang.org/users/7260">@davispuh (Dāvis Mosāns)</a>: OpenSSL in Windows do not come with support for Windows certificate storage, so it cannot connect to HTTPS servers without a valid certificate bundle.</p>
<p>You need to use ((|SSL_CERT_FILE|)) environment variable and set to the path to a curl CA cert bundle.</p>
<p>As for RubyGems, I recommend updating to the latest version of the version you're using (e.g. 2.1.10 for 2.1.x, 2.0.13 for 2.0.x and 1.8.28 for 1.8.x)</p>
<p>You can follow the installation instructions here:</p>
<p><a href="http://rubygems.rubyforge.org/rubygems-update/UPGRADING_rdoc.html" class="external">http://rubygems.rubyforge.org/rubygems-update/UPGRADING_rdoc.html</a></p>
<p>=end</p> Ruby master - Bug #9053: SSL Issue with Ruby 2.0.0https://redmine.ruby-lang.org/issues/9053?journal_id=427532013-11-05T17:40:50Ztisba (Sebastian Cohnen)ruby-lang@tisba.de
<ul></ul><p>MartinBosslet (Martin Bosslet) wrote:</p>
<blockquote>
<p>Thanks everyone for contributing, I'm sorry I couldn't look into it any sooner. Special thanks to Rajesh for finding the issue!</p>
<p>@Sebastian: Adding the missing certificate in the chain fixed the issue for you?</p>
</blockquote>
<p>Yes, I added the intermediate certificate to be served as well and this fixed the issue for me.</p> Ruby master - Bug #9053: SSL Issue with Ruby 2.0.0https://redmine.ruby-lang.org/issues/9053?journal_id=427542013-11-05T17:54:30Ztisba (Sebastian Cohnen)ruby-lang@tisba.de
<ul></ul><p>chittoor (Rajesh Malepati) wrote:</p>
<blockquote>
<p>tisba (Sebastian Cohnen) wrote:</p>
<blockquote>
<p>chittoor (Rajesh Malepati) wrote:</p>
<blockquote>
<p>Your certificate chain is incomplete.<br>
Serve "StartCom Class 1 Primary Intermediate Server CA" certificate along with your server certificate.</p>
</blockquote>
<p>Okay thanks, I'll take a look.</p>
<p>But this doesn't really explain, why only Ruby 2.0 is affected, or does it?</p>
</blockquote>
<p>Are you sure it's just Ruby 2.0? openssl doesn't attempt to download missing certificates.<br>
Browsers on the other hand, look at 'Authority Information Access' extension in the certificate to download additional certificates.</p>
</blockquote>
<p>I just removed the intermediate certificate again from the server to test it again. I noticed that Ruby 1.9.3 (and 1.8.7) does not seem to verify the SSL certificate by default (OpenSSL::SSL::VERIFY_NONE). This code fails for all Rubies (1.8.7, 1.9.3 and 2.0.0) with the missing intermediate certificate:</p>
<p>require "net/http"<br>
http = Net::HTTP.new("stormforger.com", 443)<br>
http.use_ssl = true<br>
http.verify_mode = OpenSSL::SSL::VERIFY_PEER<br>
request = Net::HTTP::Get.new("/")<br>
response = http.request(request)</p>
<p>results in:</p>
<p>OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed</p> Ruby master - Bug #9053: SSL Issue with Ruby 2.0.0https://redmine.ruby-lang.org/issues/9053?journal_id=541262015-09-13T03:11:10Zzzak (zzak _)
<ul><li><strong>Assignee</strong> changed from <i>MartinBosslet (Martin Bosslet)</i> to <i>7150</i></li></ul> Ruby master - Bug #9053: SSL Issue with Ruby 2.0.0https://redmine.ruby-lang.org/issues/9053?journal_id=594502016-07-02T04:39:50Zrhenium (Kazuki Yamaguchi)k@rhe.jp
<ul><li><strong>Status</strong> changed from <i>Assigned</i> to <i>Third Party's Issue</i></li><li><strong>Backport</strong> deleted (<del><i>1.9.3: UNKNOWN, 2.0.0: UNKNOWN</i></del>)</li></ul><p>Closing as the issue was resolved.</p>