I'm trying to figure out where Ruby expects to find its OpenSSL CA list. My environment is:
- Mac OS 10.7.5
- OpenSSL from homebrew
- rbenv from homebrew
- Ruby 1.9.3, installed using rbenv and CONFIGURE_OPTS="--with-openssl-dir=`brew --prefix openssl`"
Confirmation that my Ruby is using the homebrew OpenSSL (note: /Users/me is a redacted version of the user directory in all the examples below):
$ otool -L /Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/1.9.1/x86_64-darwin11.4.2/openssl.bundle
/Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/1.9.1/x86_64-darwin11.4.2/openssl.bundle:
/usr/local/opt/openssl/lib/libssl.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
/usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 159.1.0)
/usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)
To test, I wrote the following script:
#!/usr/bin/env ruby
require 'net/https'
https = Net::HTTP.new('encrypted.google.com', 443)
https.use_ssl = true
https.verify_mode = OpenSSL::SSL::VERIFY_PEER
https.request_get('/')
puts 'success!'
If I manually specify the path to my SSL_CERT_FILE, it works:
$ SSL_CERT_FILE=/Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/site_ruby/1.9.1/rubygems/ssl_certs/ca-bundle.pem ./test_ssl.rb
success!
If I don't, it breaks:
$ ./test_ssl.rb
/Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/1.9.1/net/http.rb:799:in 'connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
from /Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/1.9.1/net/http.rb:799:in 'block in connect'
from /Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/1.9.1/timeout.rb:54:in 'timeout'
from /Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/1.9.1/timeout.rb:99:in 'timeout'
from /Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/1.9.1/net/http.rb:799:in 'connect'
from /Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/1.9.1/net/http.rb:755:in 'do_start'
from /Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/1.9.1/net/http.rb:744:in 'start'
from /Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/1.9.1/net/http.rb:1284:in 'request'
from /Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/1.9.1/net/http.rb:1195:in 'request_get'
from ./test_ssl.rb:6:in '<main>'
As a side note, I'm already aware that I could manually check several paths for the CA file from my script. However, the script is a test of similar net/http operations in the Ruby gem "faraday" on my system. I don't want to hack the Faraday gem to work around this problem.
So I used dtruss to look for stat calls and see whether any of them tried to look up CA files:
$ sudo dtruss -f -t stat64 ./test_ssl.rb
PID/THRD SYSCALL(args) = return
96741/0x6b4be4: stat64("/usr/lib/dtrace/libdtrace_dyld.dylib", 0x7FFF6A9BE810, 0x7FFF6A9BF700) = 0 0
96741/0x6b4be4: stat64("/usr/lib/libSystem.B.dylib", 0x7FFF6A9BE650, 0x7FFF6A9BF4D0) = 0 0
96741/0x6b4be4: stat64("/usr/lib/system/libcache.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0) = 0 0
96741/0x6b4be4: stat64("/usr/lib/system/libcommonCrypto.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0) = 0 0
96741/0x6b4be4: stat64("/usr/lib/system/libcompiler_rt.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0) = 0 0
96741/0x6b4be4: stat64("/usr/lib/system/libcopyfile.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0) = 0 0
96741/0x6b4be4: stat64("/usr/lib/system/libdispatch.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0) = 0 0
96741/0x6b4be4: stat64("/usr/lib/system/libdnsinfo.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0) = 0 0
96741/0x6b4be4: stat64("/usr/lib/system/libdyld.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0) = 0 0
96741/0x6b4be4: stat64("/usr/lib/system/libkeymgr.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0) = 0 0
96741/0x6b4be4: stat64("/usr/lib/system/liblaunch.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0) = 0 0
96741/0x6b4be4: stat64("/usr/lib/system/libmacho.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0) = 0 0
96741/0x6b4be4: stat64("/usr/lib/system/libmathCommon.A.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0) = 0 0
96741/0x6b4be4: stat64("/usr/lib/system/libquarantine.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0) = 0 0
96741/0x6b4be4: stat64("/usr/lib/system/libremovefile.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0) = 0 0
96741/0x6b4be4: stat64("/usr/lib/system/libsystem_blocks.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0) = 0 0
96741/0x6b4be4: stat64("/usr/lib/system/libsystem_c.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0) = 0 0
96741/0x6b4be4: stat64("/usr/lib/system/libsystem_dnssd.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0) = 0 0
96741/0x6b4be4: stat64("/usr/lib/system/libsystem_info.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0) = 0 0
96741/0x6b4be4: stat64("/usr/lib/system/libsystem_kernel.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0) = 0 0
96741/0x6b4be4: stat64("/usr/lib/system/libsystem_network.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0) = 0 0
96741/0x6b4be4: stat64("/usr/lib/system/libsystem_notify.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0) = 0 0
96741/0x6b4be4: stat64("/usr/lib/system/libsystem_sandbox.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0) = 0 0
96741/0x6b4be4: stat64("/usr/lib/system/libunc.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0) = 0 0
96741/0x6b4be4: stat64("/usr/lib/system/libunwind.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0) = 0 0
96741/0x6b4be4: stat64("/usr/lib/system/libxpc.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0) = 0 0
96741/0x6b4be4: stat64("/AppleInternal", 0x7FFF6A9BEFF8, 0x0) = -1 Err#2
96741/0x6b4be4: stat64("/usr/lib/libstdc++.6.dylib", 0x7FFF6A9BE640, 0x7FFF6A9BF4C0) = 0 0
96741/0x6b4be4: stat64("/usr/lib/libc++abi.dylib", 0x7FFF6A9BE550, 0x7FFF6A9BF3D0) = 0 0
None of the file stats look like a search for CA files! Am I using dtruss correctly? Is there any other way for me to find out where the CA certificate file should be placed?
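As an added example that is not part of the question above, the following Ruby script asks the OpenSSL library this Ruby is linked against for its compiled-in trust locations (the file and directory defaults that Net::HTTP falls back to when SSL_CERT_FILE is not set, plus the names of the environment variables that override them), and then reproduces the verification step itself offline: a CA and a leaf certificate are constructed in memory, and the leaf is checked against an empty store, the default-paths store and a store that contains the CA. The function names trust_locations, make_cert, verify_against and default_store are my own, not Ruby's or Faraday's API.

```ruby
#!/usr/bin/env ruby
# Added example, not part of the original question. Asks the OpenSSL that
# this Ruby is linked against for its compiled-in trust locations (the same
# defaults Net::HTTP falls back to when SSL_CERT_FILE is unset) and shows
# the verification step against a CA that is constructed in memory.
require 'openssl'

# The trust store Ruby's OpenSSL will consult: an environment variable, whose
# name OpenSSL itself reports, overrides the path compiled into libcrypto.
def trust_locations(env = ENV)
  file_env = OpenSSL::X509::DEFAULT_CERT_FILE_ENV # normally "SSL_CERT_FILE"
  dir_env  = OpenSSL::X509::DEFAULT_CERT_DIR_ENV  # normally "SSL_CERT_DIR"
  file = env[file_env] || OpenSSL::X509::DEFAULT_CERT_FILE
  dir  = env[dir_env]  || OpenSSL::X509::DEFAULT_CERT_DIR
  { file_env: file_env, file: file, file_present: File.file?(file),
    dir_env: dir_env,   dir: dir,   dir_present: File.directory?(dir) }
end

# Build a certificate signed by issuer_key (self-signed when issuer_cert is
# nil). Constructed test data only; nothing is written to disk.
def make_cert(subject, issuer_cert, issuer_key, ca:)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X.509 v3, required for extensions
  cert.serial     = rand(1..2**62)
  cert.subject    = OpenSSL::X509::Name.parse(subject)
  cert.issuer     = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', ca ? 'keyCertSign,cRLSign' : 'digitalSignature,keyEncipherment', true))
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# The same chain check VERIFY_PEER performs, but against a store of our
# choosing. Returns [verified?, OpenSSL's error string].
def verify_against(store, cert)
  ok = store.verify(cert)
  [ok, ok ? 'ok' : store.error_string]
end

# Default-paths store: what VERIFY_PEER consults when no ca_file/ca_path is
# set, i.e. the locations reported by trust_locations.
def default_store
  store = OpenSSL::X509::Store.new
  store.set_default_paths
  store
end

if __FILE__ == $0
  loc = trust_locations
  puts "#{loc[:file_env]} -> #{loc[:file]} (present: #{loc[:file_present]})"
  puts "#{loc[:dir_env]}  -> #{loc[:dir]} (present: #{loc[:dir_present]})"

  ca_cert, ca_key = make_cert('/CN=Constructed Test CA', nil, nil, ca: true)
  leaf, _leaf_key = make_cert('/CN=localhost', ca_cert, ca_key, ca: false)

  # Without the issuing CA in the store the check fails, which is the
  # "certificate verify failed" outcome seen in the traceback.
  p verify_against(OpenSSL::X509::Store.new, leaf) # [false, "unable to get local issuer certificate"]
  p verify_against(default_store, leaf)            # also false: the system store does not know this CA
  trusted = OpenSSL::X509::Store.new
  trusted.add_cert(ca_cert)
  p verify_against(trusted, leaf)                  # [true, "ok"]
end
```

Running the script with and without SSL_CERT_FILE in the environment shows which path the linked OpenSSL will actually read, and whether that path exists; the constructed-CA part shows that verification depends only on the store contents, so a CA bundle placed at the reported default file (or pointed to by the reported variable) is what makes the unmodified Faraday test pass.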