Net::HTTPS client certificate authentication

Discussion in 'Ruby' started by azathoth, Nov 14, 2006.

  1. azathoth

    azathoth Guest

    Hi,

    I'm trying to authenticate with an Apache web server using client
    certificate authentication. Here is the code snippet:

    http = Net::HTTP.new(appliance.hostname,
                         Net::HTTP.https_default_port)
    http.use_ssl = true
    # VERIFY_NONE turns off verification of the server's certificate
    http.verify_mode = OpenSSL::SSL::VERIFY_NONE

    File.open("/tmp/controller.pem") do |cert_file|
      key_data = cert_file.read
      http.cert = OpenSSL::X509::Certificate.new(key_data)
      #http.key = OpenSSL::PKey::RSA.new(key_data, nil)
      logger.info key_data
    end

    req = Net::HTTP::Post.new('/policy/upload_and_apply')
    req.set_form_data({
      'filename'    => @baseline.name,
      'baseline'    => @baseline.baseline,
      'description' => @baseline.description}, ';')

    result = http.start {|http| http.request(req)}

    If I use the line http.key = I get an exception with the error:

    Neither PUB key nor PRIV key:: nested asn1 error

    without it I get the error:

    SSL_read:: ssl handshake failure

    On the Apache side it shows this:

    [Tue Nov 14 16:31:39 2006] [debug] ssl_engine_kernel.c(1745): OpenSSL:
    Write: SSLv3 read client certificate B
    [Tue Nov 14 16:31:39 2006] [debug] ssl_engine_kernel.c(1764): OpenSSL:
    Exit: error in SSLv3 read client certificate B
    [Tue Nov 14 16:31:39 2006] [error] Re-negotiation handshake failed: Not
    accepted by client!?
    [Tue Nov 14 16:31:39 2006] [debug] ssl_engine_io.c(1483): [client
    192.168.0.203] read from buffered SSL brigade, mode 0, 8192 bytes
    [Tue Nov 14 16:31:39 2006] [debug] ssl_engine_io.c(1542): [client
    192.168.0.203] buffered SSL brigade now exhausted; removing filter

    (There's lots more, this seems like the most pertinent bit).

    The same certificate works fine when supplied in Firefox but not from
    my Ruby code.
    Any ideas?

    Cheers,
    John
     
    azathoth, Nov 14, 2006
    #1

  2. azathoth

    snacktime Guest

    >
    > The same certificate works fine when supplied in Firefox but not from
    > my ruby code.
    > Any ideas?


    Doesn't sound like the private key is actually in controller.pem.

    Chris
     
    snacktime, Nov 14, 2006
    #2

  3. azathoth

    azathoth Guest

    If Firefox can successfully authenticate with the certificate but Ruby
    cannot, surely not having a private key in the certificate makes no
    difference.

    Or is the Ruby HTTPS module not capable of using the same
    authentication method?

    snacktime wrote:

    > >
    > > The same certificate works fine when supplied in Firefox but not from
    > > my ruby code.
    > > Any ideas?

    >
    > Doesn't sound like the private key is actually in controller.pem.
    >
    > Chris
     
    azathoth, Nov 15, 2006
    #3
  4. azathoth

    snacktime Guest

    On 11/15/06, azathoth wrote:
    > If Firefox can successfully authenticate with the certificate but Ruby
    > cannot, surely not having a private key in the certificate makes no
    > difference.


    That's not quite how it works. The certificate contains the public
    key, the private key is separate, and both are required for client
    authentication. When you export a certificate from Firefox it exports
    a PKCS12 envelope that contains both the certificate and the private
    key.

    Chris
     
    snacktime, Nov 15, 2006
    #4
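
The point made in reply #4, as an added Ruby example that is not part of any post in this thread: a PKCS#12 export carries both the certificate and the private key, and Net::HTTP needs both set before the handshake. The key, certificate, passphrase, host name and helper names are constructed for illustration; a real export would be read from disk instead.

```ruby
require 'net/http'
require 'openssl'

# Constructed sample identity (throwaway key, self-signed certificate).
def make_identity
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=controller.example')
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# True only if the PEM text holds a private key. A certificate-only file
# carries just the public key, so it cannot be parsed as a key.
def key_in_pem?(pem)
  OpenSSL::PKey.read(pem).private?
rescue OpenSSL::OpenSSLError, ArgumentError
  false
end

# Unpack a PKCS#12 bundle into [certificate, private_key].
def load_client_identity(p12_der, passphrase)
  p12 = OpenSSL::PKCS12.new(p12_der, passphrase)
  raise ArgumentError, 'key does not match certificate' unless p12.certificate.check_private_key(p12.key)
  [p12.certificate, p12.key]
end

# Client authentication needs both halves set. VERIFY_PEER (unlike the
# VERIFY_NONE in the thread's snippet) keeps the server certificate checked.
def client_for(host, cert, key)
  http = Net::HTTP.new(host, Net::HTTP.https_default_port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.cert = cert
  http.key = key
  http # not started here; http.start would open the connection
end

if __FILE__ == $PROGRAM_NAME
  key, cert = make_identity
  p12 = OpenSSL::PKCS12.create('export-pass', 'controller', key, cert).to_der
  http = client_for('appliance.example', *load_client_identity(p12, 'export-pass'))
  puts "cert-only PEM holds a key: #{key_in_pem?(cert.to_pem)}; client key set: #{http.key.private?}"
end
```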