Bug #9822
closedRuby doesn't respect system OpenSSL configuration
Description
Hello.
I need to work with SSL (HTTPS) with GOST encryption, but ruby doesn't connect to the servers that requires GOST algorithms to be used for encryption.
The issue is in fact, that it is required to modify system OpenSSL config to GOST work properly (see GOST engine README in OpenSSL source: https://github.com/openssl/openssl/blob/master/engines/ccgost/README.gost)
If system OpenSSL correctly configured, openssl tools works fine (e.g. openssl s_client
will connect).
But even the system with OpenSSL configured ruby would not connect to the GOST HTTPS servers.
Solution
After some googling I've found post from people who have patched PHP to work with GOST HTTPS, and I've tried to make the similar patch for Ruby. There is also info, that other software like curl also needs such a patching. (Post (in russian): http://habrahabr.ru/post/189352/)
And it works!
Patch is attached to this issue. I've tested it with 2.1.1 and today trunk in Ubuntu Linux 12.04 and Mac OS X 10.9 (both with RVM).
How to test
Upgrade and configure your OpenSSL (you need version 1.0.0 or above), instructions for configuring and testing can be found in links above.
Try to execute attached ssl_example.rb
script (it effectively downloads root page of https://ssl-gost.envek.name/ site, that I've configured for this, be aware that usual browsers won't be able to connect to it and only Firefox will display useful error message)
You should get some text with SSL connection info to STDOUT if it works and exception otherwise.
Another server for test: https://service.rosminzdrav.ru/
Workarounds
For HTTPS with GOST I've written a little gem that wrapping openssl s_client
utility: https://github.com/Envek/httpi-adapter-openssl_gost
Files
Updated by zzak (zzak _) over 10 years ago
- Status changed from Open to Assigned
Updated by Envek (Andrey Novikov) over 10 years ago
Can anyone review this? Patch is very simple (one line!).
Also, there is related issue: https://bugs.ruby-lang.org/issues/9830
Updated by zzak (zzak _) over 10 years ago
- Target version set to 2.2.0
Updated by zzak (zzak _) about 9 years ago
- Assignee changed from MartinBosslet (Martin Bosslet) to 7150
Updated by wolfer (Sergey Fedosov) almost 8 years ago
much needed patch, I often used gost-crypt
Updated by jeremyevans0 (Jeremy Evans) about 5 years ago
I submitted a pull request to ruby-openssl to use OPENSSL_config
: https://github.com/ruby/openssl/pull/267
Updated by jeremyevans0 (Jeremy Evans) about 5 years ago
- Status changed from Assigned to Closed
After some research by @ioquatix (Samuel Williams), OpenSSL 1.1.0+ should now work correctly and we should not need this setting. If this doesn't work for you with OpenSSL 1.1.0+, or you would like like Ruby to support older versions of OpenSSL with this feature, please reopen the pull request: https://github.com/ruby/openssl/pull/267