Where is Ruby looking for SSL_CERT_FILE?

7

I'm trying to figure out where Ruby expects to find its openssl CA list. My environment is:

Confirmation that my Ruby is using homebrew OpenSSL (note: /Users/me is a redacted version of the user directory in all the examples below):

$ otool -L /Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/1.9.1/x86_64-darwin11.4.2/openssl.bundle
/Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/1.9.1/x86_64-darwin11.4.2/openssl.bundle:
        /usr/local/opt/openssl/lib/libssl.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
        /usr/local/opt/openssl/lib/libcrypto.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)
        /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 159.1.0)
        /usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)

To test, I wrote the following script:

#!/usr/bin/env ruby
require 'net/https'
https = Net::HTTP.new('encrypted.google.com', 443)
https.use_ssl = true
https.verify_mode = OpenSSL::SSL::VERIFY_PEER
https.request_get('/')
puts 'success!'

If I manually specify the path to my SSL_CERT_FILE, it works:

$ SSL_CERT_FILE=/Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/site_ruby/1.9.1/rubygems/ssl_certs/ca-bundle.pem ./test_ssl.rb 
success!

If not, it breaks:

$ ./test_ssl.rb 
/Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/1.9.1/net/http.rb:799:in 'connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
        from /Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/1.9.1/net/http.rb:799:in 'block in connect'
        from /Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/1.9.1/timeout.rb:54:in 'timeout'
        from /Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/1.9.1/timeout.rb:99:in 'timeout'
        from /Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/1.9.1/net/http.rb:799:in 'connect'
        from /Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/1.9.1/net/http.rb:755:in 'do_start'
        from /Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/1.9.1/net/http.rb:744:in 'start'
        from /Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/1.9.1/net/http.rb:1284:in 'request'
        from /Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/1.9.1/net/http.rb:1195:in 'request_get'
        from ./test_ssl.rb:6:in '<main>'

As an aside, I'm already aware that I could manually check various paths for the CA file from my script. However, the script is a test of similar net/http operations in the Ruby gem "faraday" on my system. I don't want to hack the Faraday gem to work around this problem.

So I used dtruss to look for stat calls and see whether any of them tried to look up CA files:

$ sudo dtruss -f -t stat64 ./test_ssl.rb
        PID/THRD  SYSCALL(args)                  = return
96741/0x6b4be4:  stat64("/usr/lib/dtrace/libdtrace_dyld.dylib", 0x7FFF6A9BE810, 0x7FFF6A9BF700)                = 0 0
96741/0x6b4be4:  stat64("/usr/lib/libSystem.B.dylib", 0x7FFF6A9BE650, 0x7FFF6A9BF4D0)          = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libcache.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)              = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libcommonCrypto.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)               = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libcompiler_rt.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)                = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libcopyfile.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)           = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libdispatch.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)           = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libdnsinfo.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)            = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libdyld.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)               = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libkeymgr.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)             = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/liblaunch.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)             = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libmacho.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)              = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libmathCommon.A.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)               = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libquarantine.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)                 = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libremovefile.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)                 = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libsystem_blocks.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)              = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libsystem_c.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)           = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libsystem_dnssd.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)               = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libsystem_info.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)                = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libsystem_kernel.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)              = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libsystem_network.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)             = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libsystem_notify.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)              = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libsystem_sandbox.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)             = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libunc.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)                = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libunwind.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)             = 0 0
96741/0x6b4be4:  stat64("/usr/lib/system/libxpc.dylib", 0x7FFF6A9BE350, 0x7FFF6A9BF1D0)                = 0 0
96741/0x6b4be4:  stat64("/AppleInternal", 0x7FFF6A9BEFF8, 0x0)                 = -1 Err#2
96741/0x6b4be4:  stat64("/usr/lib/libstdc++.6.dylib", 0x7FFF6A9BE640, 0x7FFF6A9BF4C0)          = 0 0
96741/0x6b4be4:  stat64("/usr/lib/libc++abi.dylib", 0x7FFF6A9BE550, 0x7FFF6A9BF3D0)            = 0 0

None of the file stats looks like a CA file lookup! Am I using dtruss correctly? Is there some other way for me to find out where the CA certificate file should be placed?

asked by EdwardTeach 28.12.2012 - 00:19

2 answers

2

I experienced the same problem on Ubuntu. It seems there is no compiled-in default any more (if there had been, in theory it could also have been the job of the distributors).

I opted to set the path in the apache config (my rails app is driven by passenger).


SetEnv SSL_CERT_DIR /usr/share/ca-certificate/mozilla

Now it works.

There is also an SSL_CERT_FILE for a single certificate.

You have to adjust the paths.

Just check the man pages, and this page. Even line 4 here says it: link

I could also have set the path system-wide in /etc/environment and rebooted the system.

answered by Peter 04.01.2013 - 17:35
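The question above asks where Ruby's openssl extension actually looks for CA certificates, and the answer above points at the SSL_CERT_DIR and SSL_CERT_FILE environment variables. The following diagnostic is an added example, not code from EdwardTeach, Peter or murb: it reads the compiled-in CA locations and the override variable names that Ruby's openssl extension exposes as OpenSSL::X509::DEFAULT_CERT_FILE, DEFAULT_CERT_DIR, DEFAULT_CERT_FILE_ENV and DEFAULT_CERT_DIR_ENV, applies the same "environment variable wins over the built-in default" rule, reports which locations exist, and checks whether a given bundle file can verify a certificate. The self-signed CA it generates is constructed in memory purely to exercise the verification path; the /tmp/constructed paths used when testing the override rule are placeholders.

```ruby
#!/usr/bin/env ruby
# Added diagnostic, not part of the original question or answers. It asks the
# OpenSSL extension Ruby was built against where libcrypto looks for CA
# certificates, applies the SSL_CERT_FILE / SSL_CERT_DIR override rule, and
# checks whether a given bundle can actually verify a certificate.
require 'openssl'
require 'tempfile'

# Compiled-in CA locations of the libcrypto behind openssl.bundle, and the
# environment variable names that override them. The constants come from
# Ruby's openssl extension; their values differ per OpenSSL build.
def openssl_ca_defaults
  {
    file:     OpenSSL::X509::DEFAULT_CERT_FILE,
    dir:      OpenSSL::X509::DEFAULT_CERT_DIR,
    file_env: OpenSSL::X509::DEFAULT_CERT_FILE_ENV, # normally "SSL_CERT_FILE"
    dir_env:  OpenSSL::X509::DEFAULT_CERT_DIR_ENV   # normally "SSL_CERT_DIR"
  }
end

# Same precedence as OpenSSL's default-path loading: an environment variable,
# when set, wins over the compiled-in path. `env` is injectable so the rule
# can be exercised with a constructed hash instead of the real ENV.
def effective_ca_paths(env = ENV)
  d = openssl_ca_defaults
  { file: env[d[:file_env]] || d[:file], dir: env[d[:dir_env]] || d[:dir] }
end

# Whether each effective location exists on disk. If neither does, every
# VERIFY_PEER handshake fails with "certificate verify failed".
def ca_path_status(env = ENV)
  p = effective_ca_paths(env)
  { file: p[:file], file_exists: File.file?(p[:file]),
    dir:  p[:dir],  dir_exists:  File.directory?(p[:dir]) }
end

# Number of PEM certificates in a bundle file (0 when the file is missing).
def bundle_cert_count(path)
  return 0 unless File.file?(path)
  File.read(path).scan('-----BEGIN CERTIFICATE-----').size
end

# Build a trust store from one bundle file only (no default paths) and check
# whether it verifies `cert`. This is the same X509 store verification that
# Net::HTTP relies on when verify_mode is VERIFY_PEER.
def verify_with_bundle(cert, bundle_path)
  store = OpenSSL::X509::Store.new
  store.add_file(bundle_path)
  store.verify(cert)
end

# Constructed self-signed CA, generated in memory only to exercise
# verify_with_bundle; nothing about it is a real trust anchor.
def make_constructed_ca
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse('/CN=constructed-test-ca')
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Write certificates to a temporary PEM bundle and return its path (the
# Tempfile is kept referenced so it is not unlinked while in use).
def write_constructed_bundle(certs)
  tf = Tempfile.new(['constructed-ca-bundle', '.pem'])
  certs.each { |c| tf.write(c.to_pem) }
  tf.flush
  ($constructed_bundles ||= []) << tf
  tf.path
end

if __FILE__ == $0
  puts "OpenSSL #{OpenSSL::OPENSSL_VERSION}"
  openssl_ca_defaults.each { |k, v| puts "  #{k}: #{v}" }
  ca_path_status.each { |k, v| puts "  #{k}: #{v}" }
  puts "  certs in effective file: #{bundle_cert_count(effective_ca_paths[:file])}"
end
```

Run it once without SSL_CERT_FILE set and once with it exported: the `file`/`dir` lines show what libcrypto will open, and `file_exists`/`dir_exists` tell you whether anything is actually there. That is the question the stat64 trace could not answer, because OpenSSL opens the bundle with open(), not stat().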
0

Although I don't understand where Ruby expects to find it, you might want to try adding

export SSL_CERT_FILE=/Users/me/.rbenv/versions/1.9.3-p194/lib/ruby/site_ruby/1.9.1/rubygems/ssl_certs/ca-bundle.pem

to ~/.bash_profile so that it works with the command-line tools (note the 'export' in front of SSL_CERT_FILE; on Windows systems (off-topic, I know) this would be 'set').

answered by murb 05.03.2013 - 15:53
