HTTPClient problem with SSL and ruby 1.8.7

Philippe Philos

Hello,

I cannot get the 'https://www.rsa.com' when accessing with SSL as in the
sample on this page (http://dev.ctor.org/doc/httpclient/).


The sample is :

uri='https://www.rsa.com'
client = HTTPClient.new()
client.get(uri).content

And I get the frame :

at depth 3 - 20: unable to get local issuer certificate
gems/1.8/gems/httpclient-2.1.5.2/lib/httpclient/session.rb:247:in
`connect': SSL_connect returned=1 errno=0 state=SSLv3 read server
certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
from gems/httpclient-2.1.5.2/lib/httpclient/session.rb:247:in
`ssl_connect'
from gems/httpclient-2.1.5.2/lib/httpclient/session.rb:639:in
`connect'
from gems/httpclient-2.1.5.2/lib/httpclient/timeout.rb:128:in
`timeout'
from
gems/1.8/gems/httpclient-2.1.5.2/lib/httpclient/session.rb:631:in
`connect'
from gems/httpclient-2.1.5.2/lib/httpclient/session.rb:522:in
`query'
from gems/httpclient-2.1.5.2/lib/httpclient/session.rb:147:in
`query'
from gems/httpclient-2.1.5.2/lib/httpclient.rb:953:in
`do_get_block'
from gems/httpclient-2.1.5.2/lib/httpclient.rb:765:in
`do_request'
from gems/httpclient-2.1.5.2/lib/httpclient.rb:848:in
`protect_keep_alive_disconnected'
from gems/httpclient-2.1.5.2/lib/httpclient.rb:764:in
`do_request'
from gems/httpclient-2.1.5.2/lib/httpclient.rb:666:in `request'
from gems/httpclient-2.1.5.2/lib/httpclient.rb:591:in `get'

So I get the certificate by Export from IE6 on a WINXP box and try with
this sample on Linux box:

uri='https://www.rsa.com'
ca='./RSACorporateCA.cer'
client = HTTPClient.new()
client.ssl_config.set_trust_ca(ca)
client.get(uri).content

with the same result and the same frame.


I try also on another url ('https://login.yahoo.com/config/login?') and
it fails, but it works if I add the good certificate
('EquifaxSecureCertificateAuthorith.cer').


So I try to access the rsa site with wget 1.11.4 and it works without
giving any certificate only for TLSv1 or SSLv3 protocol ('wget
--secure-protocol=TLSv1 https://www.rsa.com'). It doesn't work with
SSLv1 and SSLv2.

So I check the protocol exchange with Wireshark and see those exchanges
with a success in wget :
https SSL Client Hello
https TLSv1 Server Hello
https TLSv1 Client key exchange ...
https TLSv1 Change Cipher Spec
https TLSv1 Application Data
...

With the Ruby sample I have :
https SSLv2 Client Hello
https TLSv1 Server Hello
https TLSv1 Alert Level Fatal

So it seems that the sample with the Ruby openssl library sends a 'Client
Hello' message in SSLv2 protocol which doesn't work with wget.

So I try to adjust the sample by setting SSL options with

client.ssl_config.options=OpenSSL::SSL::OP_NO_SSLv2

but it fails with the same frame error.


My old environment is :

ruby 1.8.7 (2008-05-31 patchlevel 0) [i686-linux]
httpclient-2.1.5.2
OpenSSL 0.9.7a Feb 19 2003
Linux 2.6.5-1.358 #1 Sat May 8 09:04:50 EDT 2004 i686 i686 i386
GNU/Linux



So the question is : What am I doing wrong ?


Regards.
 
NAKAMURA, Hiroshi

Hi,

I cannot get the 'https://www.rsa.com' when accessing with SSL as in the

Thanks for this blow-by-blow report. I found this article by RSS
search.
Would you please file a ticket for this topic on github?
http://github.com/nahi/httpclient

I investigated a little and it seems to be a certificate path building
problem.
- net/https + ubuntu's trust anchor works. (/etc/pki/cacerts)
- HTTPClient + ubuntu's trust anchor works. (/etc/pki/cacerts)
- net/https + HTTPClient's trust anchor FAILS.
- HTTPClient + HTTPClient's trust anchor FAILS.

HTTPClient's trust anchor is exported from JRE6. This can be a cause
of this problem. I'll look into it further.
For now, please set another trust anchor as a workaround.

Regards,
// NaHi
 
NAKAMURA, Hiroshi

Hi again,

HTTPClient's trust anchor is exported from JRE6. This can be a cause
of this problem. I'll look into it further.

From http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6717199

"I believe RSA Technologies (http://www.rsa.com) now owns the Valicert
Class 3 CA Certificate. We have a more formal process for
incorporating root certificates into the JDK, and it is usually
initiated by the CA vendor and involves agreements with the CA vendor.
At this time we don't have plans to incorporate this root certificate
into the JDK.

I would suggest contacting RSA and letting them know that you would
like to see this certificate in the JDK."

Sigh. So it's the expected result.

For now, please set your trust anchor by yourself. For example, it
should work on an Ubuntu system.

client.ssl_config.set_trust_ca("/etc/ssl/certs")

Regards,
// NaHi
 
Philippe Philos

From http://bugs.sun.com/bugdatabase/view_bug.do?bug_id=6717199

"I believe RSA Technologies (http://www.rsa.com) now owns the Valicert
Class 3 CA Certificate. We have a more formal process for
incorporating root certificates into the JDK, and it is usually
initiated by the CA vendor and involves agreements with the CA vendor.
At this time we don't have plans to incorporate this root certificate
into the JDK.
For now, please set your trust anchor by yourself. For example, it
should work on Ubuntu system.

client.ssl_config.set_trust_ca("/etc/ssl/certs")


Hi,

Thank you for your response.

I try it with client.ssl_config.set_trust_ca('/usr/share/ssl/cert.pem')
on my old FC2 (Fedora 2) Linux box and it works fine.

Regards.
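
The failure and the workaround discussed in this thread, reproduced with Ruby's OpenSSL bindings as an added example (not code from the thread or from HTTPClient): a constructed three-certificate chain fails with error 20 while its root is absent from the trust store, and verifies once the root is added as a trust anchor, with peer verification left enabled. The helper names and certificate names are made up for the illustration.

```ruby
require 'openssl'

# Issue a certificate; issuer_cert == nil means self-signed (a root).
def issue(cn, key, issuer_cert, issuer_key, ca, serial)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X.509 v3
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  if ca
    ef = OpenSSL::X509::ExtensionFactory.new
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  end
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Constructed chain, generated in memory: root -> intermediate -> leaf.
def build_chain
  rk, ik, lk = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  root  = issue('Constructed-Root-CA', rk, nil, rk, true, 1)
  inter = issue('Constructed-Intermediate-CA', ik, root, rk, true, 2)
  leaf  = issue('www.example.test', lk, inter, ik, false, 3)
  [root, inter, leaf]
end

# anchors:   certificates the client trusts (the role set_trust_ca plays
#            for HTTPClient).
# untrusted: extra certificates the server sent in its handshake.
def verify_chain(leaf, untrusted, anchors)
  store = OpenSSL::X509::Store.new
  anchors.each { |c| store.add_cert(c) }
  ctx = OpenSSL::X509::StoreContext.new(store, leaf, untrusted)
  ok = ctx.verify
  { ok: ok, error: ctx.error, message: ctx.error_string, depth: ctx.error_depth }
end

if __FILE__ == $PROGRAM_NAME
  root, inter, leaf = build_chain
  p verify_chain(leaf, [inter], [])      # root not in the trust store
  p verify_chain(leaf, [inter], [root])  # root added as a trust anchor
end
```

The reported depth is the position in the chain of the certificate whose issuer could not be found, which is how the "at depth 3" in the original trace points at the top of the chain the server presented.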
 
