Where is Ruby looking for SSL_CERT_FILE?

Tags: ruby, openssl, apple

7
vote


I am trying to find out where Ruby expects to find its openssl CA list. My environment is:

  • Mac OS 10.7.5
  • OpenSSL from homebrew
  • Rbenv from homebrew
  • Ruby 1.9.3, installed using rbenv and CONFIGURE_OPTS="--with-openssl-dir=`brew --prefix openssl`"

Confirmation that my Ruby is using homebrew OpenSSL (note: /Users/me is a redacted version of the user directory in all examples below):

    $ otool -L /Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/1.9.1/x86_64-darwin11.4.2/openssl.bundle
    /Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/1.9.1/x86_64-darwin11.4.2/openssl.bundle:
            /usr/local/opt/openssl/lib/libssl.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
            /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
            /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 159.1.0)
            /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)

To test, I have written the following script:

    #!/usr/bin/env ruby
    require 'net/https'
    https = Net::HTTP.new('encrypted.google.com', 443)
    https.use_ssl = true
    https.verify_mode = OpenSSL::SSL::VERIFY_PEER   # no ca_file/ca_path set: rely on OpenSSL's defaults
    https.request_get('/')                          # line 6, referenced in the backtrace below
    puts 'success!'

If I manually specify the path to my SSL_CERT_FILE, it works:

    $ SSL_CERT_FILE=/Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/site_ruby/1.9.1/rubygems/ssl_certs/ca-bundle.pem ./test_ssl.rb
    success!

If not, it breaks:

    $ ./test_ssl.rb
    /Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/1.9.1/net/http.rb:799:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
            from /Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/1.9.1/net/http.rb:799:in `block in connect'
            from /Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/1.9.1/timeout.rb:54:in `timeout'
            from /Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/1.9.1/timeout.rb:99:in `timeout'
            from /Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/1.9.1/net/http.rb:799:in `connect'
            from /Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/1.9.1/net/http.rb:755:in `do_start'
            from /Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/1.9.1/net/http.rb:744:in `start'
            from /Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/1.9.1/net/http.rb:1284:in `request'
            from /Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/1.9.1/net/http.rb:1195:in `request_get'
            from ./test_ssl.rb:6:in `<main>'

As an aside, I am already aware that I could manually check various paths for the CA file from my script. However the script is a test of similar net/http operations within Ruby gem "faraday" on my system. I do not want to hack the faraday gem to work around this problem.

So I used dtruss to look for stat commands and see if any of them are attempted CA file lookups:

    $ sudo dtruss -f -t stat64 ./test_ssl.rb
            PID/THRD  SYSCALL(args)                                                                  = return
    96741/0x6b4be4:  stat64("/usr/lib/dtrace/libdtrace_dyld.dylib\0", 0x7FFF6A9BE810, 0x7FFF6A9BF700)   = 0 0
    96741/0x6b4be4:  stat64("/usr/lib/libSystem.B.dylib\0", 0x7FFF6A9BE650, 0x7FFF6A9BF4D0)             = 0 0
    96741/0x6b4be4:  stat64("/usr/lib/system/libcache.dylib\0", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)         = 0 0
    96741/0x6b4be4:  stat64("/usr/lib/system/libcommonCrypto.dylib\0", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)  = 0 0
    96741/0x6b4be4:  stat64("/usr/lib/system/libcompiler_rt.dylib\0", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)   = 0 0
    96741/0x6b4be4:  stat64("/usr/lib/system/libcopyfile.dylib\0", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)      = 0 0
    96741/0x6b4be4:  stat64("/usr/lib/system/libdispatch.dylib\0", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)      = 0 0
    96741/0x6b4be4:  stat64("/usr/lib/system/libdnsinfo.dylib\0", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)       = 0 0
    96741/0x6b4be4:  stat64("/usr/lib/system/libdyld.dylib\0", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)          = 0 0
    96741/0x6b4be4:  stat64("/usr/lib/system/libkeymgr.dylib\0", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)        = 0 0
    96741/0x6b4be4:  stat64("/usr/lib/system/liblaunch.dylib\0", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)        = 0 0
    96741/0x6b4be4:  stat64("/usr/lib/system/libmacho.dylib\0", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)         = 0 0
    96741/0x6b4be4:  stat64("/usr/lib/system/libmathCommon.A.dylib\0", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)  = 0 0
    96741/0x6b4be4:  stat64("/usr/lib/system/libquarantine.dylib\0", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)    = 0 0
    96741/0x6b4be4:  stat64("/usr/lib/system/libremovefile.dylib\0", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)    = 0 0
    96741/0x6b4be4:  stat64("/usr/lib/system/libsystem_blocks.dylib\0", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0) = 0 0
    96741/0x6b4be4:  stat64("/usr/lib/system/libsystem_c.dylib\0", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)      = 0 0
    96741/0x6b4be4:  stat64("/usr/lib/system/libsystem_dnssd.dylib\0", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)  = 0 0
    96741/0x6b4be4:  stat64("/usr/lib/system/libsystem_info.dylib\0", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)   = 0 0
    96741/0x6b4be4:  stat64("/usr/lib/system/libsystem_kernel.dylib\0", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0) = 0 0
    96741/0x6b4be4:  stat64("/usr/lib/system/libsystem_network.dylib\0", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0) = 0 0
    96741/0x6b4be4:  stat64("/usr/lib/system/libsystem_notify.dylib\0", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0) = 0 0
    96741/0x6b4be4:  stat64("/usr/lib/system/libsystem_sandbox.dylib\0", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0) = 0 0
    96741/0x6b4be4:  stat64("/usr/lib/system/libunc.dylib\0", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)           = 0 0
    96741/0x6b4be4:  stat64("/usr/lib/system/libunwind.dylib\0", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)        = 0 0
    96741/0x6b4be4:  stat64("/usr/lib/system/libxpc.dylib\0", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)           = 0 0
    96741/0x6b4be4:  stat64("/AppleInternal\0", 0x7FFF6A9BEFF8, 0x0)                                    = -1 Err#2
    96741/0x6b4be4:  stat64("/usr/lib/libstdc++.6.dylib\0", 0x7FFF6A9BE640, 0x7FFF6A9BF4C0)             = 0 0
    96741/0x6b4be4:  stat64("/usr/lib/libc++abi.dylib\0", 0x7FFF6A9BE550, 0x7FFF6A9BF3D0)               = 0 0

None of the file stats look like a CA file lookup! Am I using dtruss correctly? Is there some other way for me to find out where the CA certificates file should be placed?
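Added example (editor's code, not part of the question or either answer): a Ruby script that answers the "where does it look" question directly instead of guessing paths. When no ca_file or ca_path is set, Net::HTTP's SSLContext falls back to an OpenSSL::X509::Store initialised with set_default_paths, which uses the compile-time OpenSSL defaults that Ruby's openssl extension exposes as OpenSSL::X509::DEFAULT_CERT_FILE and DEFAULT_CERT_DIR, unless the SSL_CERT_FILE / SSL_CERT_DIR environment variables override them. The script prints those locations, says whether each exists and which source won, and checks that a bundle actually loads. The self-signed CA it generates is constructed purely so the loading path can be exercised offline. It also explains the empty dtruss trace above: OpenSSL opens the bundle through fopen (BIO_new_file), not stat64, so a trace limited to stat64 never shows the lookup.

```ruby
#!/usr/bin/env ruby
# Added example: report where this Ruby's OpenSSL looks for CA certificates
# and check that what it finds can be loaded. Not code from the original page.
require 'openssl'
require 'tmpdir'

# Ruby's openssl extension exposes OpenSSL's compile-time defaults
# (X509_get_default_cert_file/dir) and the env var names that override them.
def openssl_default_locations
  {
    cert_file:     OpenSSL::X509::DEFAULT_CERT_FILE,
    cert_dir:      OpenSSL::X509::DEFAULT_CERT_DIR,
    cert_file_env: OpenSSL::X509::DEFAULT_CERT_FILE_ENV,  # normally "SSL_CERT_FILE"
    cert_dir_env:  OpenSSL::X509::DEFAULT_CERT_DIR_ENV    # normally "SSL_CERT_DIR"
  }
end

# Mirror the precedence used by X509_STORE_set_default_paths: the environment
# variable wins, otherwise the compiled-in path is used. Reports existence too.
def effective_ca_locations(env = ENV, defaults = openssl_default_locations)
  file = env[defaults[:cert_file_env]] || defaults[:cert_file]
  dir  = env[defaults[:cert_dir_env]]  || defaults[:cert_dir]
  {
    file: file,
    file_source: env.key?(defaults[:cert_file_env]) ? :env : :compiled_in,
    file_present: File.file?(file),
    dir: dir,
    dir_source: env.key?(defaults[:cert_dir_env]) ? :env : :compiled_in,
    dir_present: File.directory?(dir)
  }
end

# Load a PEM bundle into a fresh store the way a ca_file would be loaded.
# Returns the store, or nil if the path cannot be opened or contains no usable PEM.
def load_bundle(path)
  store = OpenSSL::X509::Store.new
  store.add_file(path)
  store
rescue OpenSSL::X509::StoreError, SystemCallError
  nil
end

# Does the bundle at +path+ trust the certificate given as PEM?
def bundle_trusts?(path, cert_pem)
  store = load_bundle(path)
  return false unless store
  store.verify(OpenSSL::X509::Certificate.new(cert_pem))
end

# Constructed self-signed CA, used only to exercise the loading code offline.
def make_test_ca_pem
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse('/CN=Constructed Test CA')
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  cert.sign(key, OpenSSL::Digest.new('sha256'))
  cert.to_pem
end

# Write a PEM string into a fresh temporary directory and return the file path.
def write_temp_bundle(pem)
  dir  = Dir.mktmpdir('ca-bundle')
  path = File.join(dir, 'ca-bundle.pem')
  File.write(path, pem)
  path
end

if __FILE__ == $0
  locs = effective_ca_locations
  puts "CA file: #{locs[:file]} (#{locs[:file_source]}, present: #{locs[:file_present]})"
  puts "CA dir:  #{locs[:dir]} (#{locs[:dir_source]}, present: #{locs[:dir_present]})"
  puts "Default bundle loads: #{!load_bundle(locs[:file]).nil?}"
end
```

Run it once with a clean environment and once with SSL_CERT_FILE set; the file_source field shows which one OpenSSL will use. If the compiled-in path the script prints does not exist, that is the location to populate (or symlink a maintained system bundle to), which fixes every consumer of this Ruby, including gems such as faraday, without touching their code or the environment of each process.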

        
         
         

Answers

2
 
vote


I experienced the same problem under Ubuntu. There no longer seems to be a compiled-in default (if there ever was one; in theory it could also have been the distributors' work).

I opted to set the path in the Apache config (my Rails app is controlled by Passenger).

    SetEnv SSL_CERT_DIR /usr/share/ca-certificates/mozilla

It now works.

There is also an SSL_CERT_FILE for a single certificate.

You have to adjust the paths.

Just check the main pages, and this page. Even line 4 over here says so: https://github.com/google/signet/blob/master/lib/signet/ssl_config.rb

I could also have set the path system-wide in /etc/environment and restarted the system.

 
 
 
 
0
 
vote


Although I haven't figured out where Ruby expects to find it, you may want to try adding

    export SSL_CERT_FILE=/Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/site_ruby/1.9.1/rubygems/ssl_certs/ca-bundle.pem

to ~/.bash_profile to make it work with the command-line tools (note the 'export' in front of SSL_CERT_FILE; on Windows systems (off topic, I know) this would be 'set').

 
 
 
 





© 2022 pergunte.org. All Rights Reserved.


Licensed under cc by-sa 3.0 with attribution required.