Certificate verification not working correctly?

[Rolle]

Hi,

if using client authentication with ssl certificates there seems a problem when verifying the
servers ssl CA certificates (using httpclient).
The root CA certficate is set like
http.auth.ssl.ca_cert_file='db_root_ca_7.pem'
But in httpclient.rb it is set to client_ca (in httpclient adapater):
client.ssl_config.client_ca = ssl.ca_cert if ssl.ca_cert_file

When i correct this to
client.ssl_config.set_trust_ca(ssl.ca_cert_file) if ssl.ca_cert_file
it works as expected and the CA file is used to verify the servers certificate.

Regards,
Roland

[mjdavies]

Hi Rolle

I'm having a bit of a time getting this working too

http://www.ruby-forum.com/topic/1490195#992494

If I get any answers, I'll let you know

Can you post up your entire code?

[Rolle]

Hi, try

request.auth.ssl.ca_cert_file = "certfile"

instead of

request.auth.ssl.cert_file = "certfile"

[mjdavies]

In order to get ssl auth working with :peer set and only using a ca_cert_file was to use Rolle's fix, and also remove the ? at the end of line 70

setup_ssl_auth request.auth.ssl if request.auth.ssl?

becomes

setup_ssl_auth request.auth.ssl if request.auth.ssl

[ft51]

When using ruby 1.9.2, net/https and a ca_cert_file the following prevented the 'certificate verify failed' error:

class HTTPI::Auth::SSL
  def present?
    (verify_mode == :none) || (cert && cert_key) || ca_cert_file
  # added this                                   ^^^^^^^^^^^^^^^
  rescue TypeError, Errno::ENOENT
    false
  end
end

[mvastola]

@ft51's change works to fix the problem for me. +1

[rubiii]

released v0.9.6 which should fix this issue.

[robertgrimm]

Even with v0.9.6, I had to use the two fixes mentioned by mjdavies and Rolle in order to get this to work.

That is, use: client.ssl_config.set_trust_ca(ssl.ca_cert_file) if ssl.ca_cert_file and setup_ssl_auth request.auth.ssl if request.auth.ssl