Bug #9053
closedSSL Issue with Ruby 2.0.0
Description
=begin
Steps to reproduce:
ruby -rnet/http -e 'Net::HTTP.get(URI("https://stormforger.com"));'
results in:
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError) from /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in
block in connect'
from /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/timeout.rb:52:in timeout' from /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in
connect'
from /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:862:in do_start' from /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:851:in
start'
from /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:582:in start' from /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:477:in
get_response'
from /Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:454:in get' from -e:1:in
'
But I expected no output from the program.
Running the same code with Ruby 1.8.7 or 1.9.3 causes no problems. I was able to reproduce this issue with OS X 10.8.5 as well as with 10.9. Interestingly OS X 10.9's system ruby ((({ruby 2.0.0p247 (2013-06-27 revision 41674) [universal.x86_64-darwin13]}))) does not have the issue. I appended the output of (({otool -L})) to look for the used OpenSSL lib. Apple's ruby obviously uses Apples own OpenSSL lib. 1.9.3 and 2.0.0 use the same OpenSSL lib, but only 2.0.0 fails on my test.
ruby-head ((({ruby 2.1.0dev (2013-10-24 trunk 43413) [x86_64-darwin13.0.0]}))) is also affected.
Just FYI: I initially reported the issue to RVM[0], but it appears to be not really RVM related.
[0] https://github.com/wayneeseguin/rvm/issues/2315
[1] Output of otool for various tested Rubies:
((1.9.3-p448))
$ find ~/.rvm/rubies/ruby-1.9.3-p448 -name openssl.bundle | xargs otool -L
/Users/basti/.rvm/rubies/ruby-1.9.3-p448/lib/ruby/1.9.1/x86_64-darwin13.0.0/openssl.bundle:
/Users/basti/.rvm/rubies/ruby-1.9.3-p448/lib/libruby.1.9.1.dylib (compatibility version 1.9.1, current version 1.9.1)
/usr/local/opt/openssl/lib/libssl.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
/usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
/usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.5)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1197.1.1)
/usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)
((2.0.0-p247))
$ find ~/.rvm/rubies/ruby-2.0.0-p247 -name openssl.bundle | xargs otool -L
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/x86_64-darwin13.0.0/openssl.bundle:
/usr/local/opt/openssl/lib/libssl.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
/usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
/usr/lib/libz.1.dylib (compatibility version 1.0.0, current version 1.2.5)
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/libruby.2.0.0.dylib (compatibility version 2.0.0, current version 2.0.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1197.1.1)
/usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)
((2.0.0-p247 System Ruby))
$ find /usr/lib/ruby/2.0.0/ -name openssl.bundle | xargs otool -L
/usr/lib/ruby/2.0.0//universal-darwin13/openssl.bundle:
/System/Library/Frameworks/Ruby.framework/Versions/2.0/usr/lib/libruby.2.0.0.dylib (compatibility version 2.0.0, current version 2.0.0)
/usr/lib/libssl.0.9.8.dylib (compatibility version 0.9.8, current version 50.0.0)
/usr/lib/libcrypto.0.9.8.dylib (compatibility version 0.9.8, current version 50.0.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1197.1.1)
/usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)
=end
Updated by drbrain (Eric Hodel) about 11 years ago
- Category set to ext/openssl
- Status changed from Open to Rejected
- Assignee set to drbrain (Eric Hodel)
You need to install certificates when using non-platform OpenSSL on OS X. Your certificates should be installed here:
ruby -ropenssl -e 'puts OpenSSL::X509::DEFAULT_CERT_FILE'
There are instructions on how to install them for RVM:
Updated by mpapis (Michal Papis) about 11 years ago
=begin
as per the RVM ticket
rvm osx-ssl-certs update all
was used, I do not think this one is missing certificates, any steps to help debug it?
=end
Updated by drbrain (Eric Hodel) about 11 years ago
- Status changed from Rejected to Assigned
- Assignee changed from drbrain (Eric Hodel) to MartinBosslet (Martin Bosslet)
Ah, I missed that.
Maybe Martin knows, I have assigned the issue to him.
Updated by chittoor (Rajesh Malepati) about 11 years ago
tisba (Sebastian Cohnen) wrote:
=begin
Steps to reproduce:ruby -rnet/http -e 'Net::HTTP.get(URI("https://stormforger.com"));'
results in:
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
Your certificate chain is incomplete.
Serve "StartCom Class 1 Primary Intermediate Server CA" certificate along with your server certificate.
Updated by tisba (Sebastian Cohnen) about 11 years ago
chittoor (Rajesh Malepati) wrote:
tisba (Sebastian Cohnen) wrote:
=begin
Steps to reproduce:ruby -rnet/http -e 'Net::HTTP.get(URI("https://stormforger.com"));'
results in:
/Users/basti/.rvm/rubies/ruby-2.0.0-p247/lib/ruby/2.0.0/net/http.rb:918:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
Your certificate chain is incomplete.
Serve "StartCom Class 1 Primary Intermediate Server CA" certificate along with your server certificate.
Okay thanks, I'll take a look.
But this doesn't really explain, why only Ruby 2.0 is affected, or does it?
Updated by chittoor (Rajesh Malepati) about 11 years ago
tisba (Sebastian Cohnen) wrote:
chittoor (Rajesh Malepati) wrote:
Your certificate chain is incomplete.
Serve "StartCom Class 1 Primary Intermediate Server CA" certificate along with your server certificate.Okay thanks, I'll take a look.
But this doesn't really explain, why only Ruby 2.0 is affected, or does it?
Are you sure it's just Ruby 2.0? openssl doesn't attempt to download missing certificates.
Browsers on the other hand, look at 'Authority Information Access' extension in the certificate to download additional certificates.
Updated by mpapis (Michal Papis) about 11 years ago
I think it can be closed as per https://github.com/wayneeseguin/rvm/issues/2315#issuecomment-27198136 - adding the missing certificate fixes the problem
Updated by davispuh (Dāvis Mosāns) about 11 years ago
=begin
I've same problem on Windows 8 using Ruby 2.0.0-p247 (x86) from ((<RubyInstaller|URL:http://rubyinstaller.org/downloads>)), no RVM
=end
Updated by davispuh (Dāvis Mosāns) about 11 years ago
=begin
On Linux it works fine, but on Windows:
N:\Projects>ruby -rnet/http -e 'Net::HTTP.get(URI("https://google.com"));'
P:/Ruby200/lib/ruby/2.0.0/net/http.rb:918:in connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError) from P:/Ruby200/lib/ruby/2.0.0/net/http.rb:918:in
block in connect'
from P:/Ruby200/lib/ruby/2.0.0/timeout.rb:52:in timeout' from P:/Ruby200/lib/ruby/2.0.0/net/http.rb:918:in
connect'
from P:/Ruby200/lib/ruby/2.0.0/net/http.rb:862:in do_start' from P:/Ruby200/lib/ruby/2.0.0/net/http.rb:851:in
start'
from P:/Ruby200/lib/ruby/2.0.0/net/http.rb:582:in start' from P:/Ruby200/lib/ruby/2.0.0/net/http.rb:477:in
get_response'
from P:/Ruby200/lib/ruby/2.0.0/net/http.rb:454:in get' from -e:1:in
'
=end
Updated by MartinBosslet (Martin Bosslet) about 11 years ago
Thanks everyone for contributing, I'm sorry I couldn't look into it any sooner. Special thanks to Rajesh for finding the issue!
@Sebastian: Adding the missing certificate in the chain fixed the issue for you?
@Dāvis: What does
openssl version -a
print for you? At the very end, there should be an entry similar to
OPENSSLDIR: "/etc/pki/tls"
What directory does the command display? Does it exist, and if yes, what files are in there?
Updated by luislavena (Luis Lavena) about 11 years ago
=begin
@davispuh (Dāvis Mosāns): OpenSSL in Windows do not come with support for Windows certificate storage, so it cannot connect to HTTPS servers without a valid certificate bundle.
You need to use ((|SSL_CERT_FILE|)) environment variable and set to the path to a curl CA cert bundle.
As for RubyGems, I recommend updating to the latest version of the version you're using (e.g. 2.1.10 for 2.1.x, 2.0.13 for 2.0.x and 1.8.28 for 1.8.x)
You can follow the installation instructions here:
http://rubygems.rubyforge.org/rubygems-update/UPGRADING_rdoc.html
=end
Updated by tisba (Sebastian Cohnen) almost 11 years ago
MartinBosslet (Martin Bosslet) wrote:
Thanks everyone for contributing, I'm sorry I couldn't look into it any sooner. Special thanks to Rajesh for finding the issue!
@Sebastian: Adding the missing certificate in the chain fixed the issue for you?
Yes, I added the intermediate certificate to be served as well and this fixed the issue for me.
Updated by tisba (Sebastian Cohnen) almost 11 years ago
chittoor (Rajesh Malepati) wrote:
tisba (Sebastian Cohnen) wrote:
chittoor (Rajesh Malepati) wrote:
Your certificate chain is incomplete.
Serve "StartCom Class 1 Primary Intermediate Server CA" certificate along with your server certificate.Okay thanks, I'll take a look.
But this doesn't really explain, why only Ruby 2.0 is affected, or does it?
Are you sure it's just Ruby 2.0? openssl doesn't attempt to download missing certificates.
Browsers on the other hand, look at 'Authority Information Access' extension in the certificate to download additional certificates.
I just removed the intermediate certificate again from the server to test it again. I noticed that Ruby 1.9.3 (and 1.8.7) does not seem to verify the SSL certificate by default (OpenSSL::SSL::VERIFY_NONE). This code fails for all Rubies (1.8.7, 1.9.3 and 2.0.0) with the missing intermediate certificate:
require "net/http"
http = Net::HTTP.new("stormforger.com", 443)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
request = Net::HTTP::Get.new("/")
response = http.request(request)
results in:
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
Updated by zzak (zzak _) about 9 years ago
- Assignee changed from MartinBosslet (Martin Bosslet) to 7150
Updated by rhenium (Kazuki Yamaguchi) over 8 years ago
- Status changed from Assigned to Third Party's Issue
- Backport deleted (
1.9.3: UNKNOWN, 2.0.0: UNKNOWN)
Closing as the issue was resolved.