Net::HTTPS client certificate authentication

Discussion in 'Ruby' started by azathoth, Nov 14, 2006.

  1. azathoth

    azathoth Guest

    Hi,

    I'm trying to authenticate with an apache web server using client
    certificate authentication, here is the code snippet:

    http = Net::HTTP.new(appliance.hostname,
    Net::HTTP.https_default_port)
    http.use_ssl = true
    http.verify_mode = OpenSSL::SSL::VERIFY_NONE

    File.open("/tmp/controller.pem") do |cert_file|
    key_data = cert_file.read
    http.cert = OpenSSL::X509::Certificate.new(key_data)
    #http.key = OpenSSL::pKey::RSA.new(key_data, nil)
    logger.info key_data
    end

    req = Net::HTTP::post.new('/policy/upload_and_apply')
    req.set_form_data({
    'filename'=>@baseline.name,
    'baseline'=>@baseline.baseline,
    'description'=>@baseline.description}, ';')

    result = http.start {|http| http.request(req)}

    If I use the line http.key = I get an exception with the error:

    Neither PUB key nor PRIV key:: nested asn1 error

    without it I get the error:

    SSL_read:: ssl handshake failure

    On the apache side it shows this:

    [Tue Nov 14 16:31:39 2006] [debug] ssl_engine_kernel.c(1745): OpenSSL:
    Write: SSLv3 read client certificate B
    [Tue Nov 14 16:31:39 2006] [debug] ssl_engine_kernel.c(1764): OpenSSL:
    Exit: error in SSLv3 read client certificate B
    [Tue Nov 14 16:31:39 2006] [error] Re-negotiation handshake failed: Not
    accepted by client!?
    [Tue Nov 14 16:31:39 2006] [debug] ssl_engine_io.c(1483): [client
    192.168.0.203] read from buffered SSL brigade, mode 0, 8192 bytes
    [Tue Nov 14 16:31:39 2006] [debug] ssl_engine_io.c(1542): [client
    192.168.0.203] buffered SSL brigade now exhausted; removing filter

    (There's lots more, this seems like the most pertinent bit).

    The same certificate works fine when supplied in Firefox but not from
    my ruby code.
    Any ideas?

    Cheers,
    John
     
    azathoth, Nov 14, 2006
    #1
    1. Advertisements

  2. azathoth

    snacktime Guest

    Doesn't sound like the private key is actually in controller.pem.

    Chris
     
    snacktime, Nov 14, 2006
    #2
    1. Advertisements

  3. azathoth

    azathoth Guest

    If Firefox can successfully authenticate with the certificate but Ruby
    cannot, surely not having a private key in the certificate makes no
    difference.

    Or is the Ruby HTTPS module not capable of using the same
    authentication method?
     
    azathoth, Nov 15, 2006
    #3
  4. azathoth

    snacktime Guest

    That's not quite how it works. The certificate contains the public
    key, the private key is separate, and both are required for client
    authentication. When you export a certificate from firefox it exports
    a PKCS12 envelope that contains both the certificate and the private
    key.

    Chris
     
    snacktime, Nov 15, 2006
    #4
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.