Bug #9822

closed

Ruby doesn't respect system OpenSSL configuration

Added by Envek (Andrey Novikov) over 10 years ago. Updated about 5 years ago.

Status:
Closed
Assignee:
-
Target version:
-
ruby -v:
ruby 2.2.0dev (2014-05-10 trunk 45893) [x86_64-linux]
[ruby-core:62481]

Description

Hello.

I need to work with SSL (HTTPS) with GOST encryption, but Ruby doesn't connect to servers that require GOST algorithms to be used for encryption.

The issue is the fact that the system OpenSSL config has to be modified for GOST to work properly (see the GOST engine README in the OpenSSL source: https://github.com/openssl/openssl/blob/master/engines/ccgost/README.gost)

If the system OpenSSL is correctly configured, the openssl tools work fine (e.g. openssl s_client will connect).

But even on a system with OpenSSL configured, Ruby would not connect to the GOST HTTPS servers.

Solution

After some googling I've found a post from people who have patched PHP to work with GOST HTTPS, and I've tried to make a similar patch for Ruby. There is also info that other software like curl also needs such patching. (Post (in Russian): http://habrahabr.ru/post/189352/)

And it works!

The patch is attached to this issue. I've tested it with 2.1.1 and today's trunk on Ubuntu Linux 12.04 and Mac OS X 10.9 (both with RVM).

How to test

Upgrade and configure your OpenSSL (you need version 1.0.0 or above); instructions for configuring and testing can be found in the links above.

Try to execute the attached ssl_example.rb script (it effectively downloads the root page of the https://ssl-gost.envek.name/ site, which I've configured for this; be aware that usual browsers won't be able to connect to it and only Firefox will display a useful error message).

You should get some text with SSL connection info on STDOUT if it works and an exception otherwise.

Another server for test: https://service.rosminzdrav.ru/

Workarounds

For HTTPS with GOST I've written a little gem that wraps the openssl s_client utility: https://github.com/Envek/httpi-adapter-openssl_gost


Files

  • respect_system_openssl_settings.patch (430 Bytes): Patch that fixes this bug. Envek (Andrey Novikov), 05/09/2014 08:21 PM
  • ssl_example.rb (558 Bytes): Test script. Envek (Andrey Novikov), 05/09/2014 08:21 PM
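
A diagnostic for the symptom reported above, added here as an example (it is not the attached patch or test script, and not code from the Ruby project): it lists the engines an openssl.cnf asks libcrypto to load and compares them with the engines actually registered in the running Ruby process. The sample config is constructed after the layout README.gost describes, and the method names are hypothetical.

```ruby
require 'openssl'

# Constructed sample: the engine layout README.gost asks for in openssl.cnf.
SAMPLE_CNF = <<~CNF
  openssl_conf = openssl_def

  [openssl_def]
  engines = engine_section

  [engine_section]
  gost = gost_section

  [gost_section]
  engine_id = gost
  default_algorithms = ALL
CNF

# Walk openssl_conf -> engines -> per-engine sections and return the
# engine ids the configuration asks libcrypto to load.
def configured_engines(cnf_text)
  conf = OpenSSL::Config.parse(cnf_text)
  root = conf['default']['openssl_conf'] or return []
  list = conf[root]['engines'] or return []
  conf[list].map { |name, section| conf[section]['engine_id'] || name }
end

# Engine ids registered in this Ruby process ([] when the openssl
# binding was built without ENGINE support).
def loaded_engine_ids
  return [] unless defined?(OpenSSL::Engine)
  OpenSSL::Engine.engines.map(&:id)
end

# Engines the config requests but the process has not loaded; a non-empty
# result matches the behaviour described in this issue.
def missing_engines(cnf_text, loaded = loaded_engine_ids)
  configured_engines(cnf_text) - loaded
end

if __FILE__ == $PROGRAM_NAME
  puts "configured: #{configured_engines(SAMPLE_CNF).inspect}"
  puts "loaded:     #{loaded_engine_ids.inspect}"
  puts "missing:    #{missing_engines(SAMPLE_CNF).inspect}"
end
```

To check a real system, pass the contents of the file named by `OpenSSL::Config::DEFAULT_CONFIG_FILE` instead of the sample.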

Updated by zzak (zzak _) over 10 years ago

  • Status changed from Open to Assigned

Updated by Envek (Andrey Novikov) over 10 years ago

Can anyone review this? Patch is very simple (one line!).

Also, there is related issue: https://bugs.ruby-lang.org/issues/9830

Updated by zzak (zzak _) over 10 years ago

  • Target version set to 2.2.0

Updated by zzak (zzak _) about 9 years ago

  • Assignee changed from MartinBosslet (Martin Bosslet) to 7150

Updated by wolfer (Sergey Fedosov) almost 8 years ago

Much needed patch, I often used gost-crypt.

Updated by jeremyevans0 (Jeremy Evans) about 5 years ago

I submitted a pull request to ruby-openssl to use OPENSSL_config: https://github.com/ruby/openssl/pull/267

Updated by jeremyevans0 (Jeremy Evans) about 5 years ago

  • Status changed from Assigned to Closed

After some research by @ioquatix (Samuel Williams), OpenSSL 1.1.0+ should now work correctly and we should not need this setting. If this doesn't work for you with OpenSSL 1.1.0+, or you would like Ruby to support older versions of OpenSSL with this feature, please reopen the pull request: https://github.com/ruby/openssl/pull/267
