SSL Client Certificate error on Mac OS X 10.6.4

  • Thread starter George Alatrash
  • Start date
G

George Alatrash

Client Certificate error on Mac OS X 10.6.4

--------------------------------------------------------------------------------
I've been trying to connect to a web service over https where the
service requires the client to be authenticated using a server signed
certificate (note the server's certificate is signed from a trusted root
certification authority).

The code below shows a sample that I used to test the communication
(with some tweak to hide my own details). The code works OK on Windows
and Linux (kernel 2.6.x) systems, but fails on Mac OS X 10.6.4 with
(Timeout::Error). When I traced the wire messages I found the error is
due to encryption - the server responds with Encrypted Alert =
decryption_failed(21) which, acording to SSL/TLS proocol RFC2246
http://www.ietf.org/rfc/rfc2246.txt, is:
A TLSCiphertext decrypted in an invalid way: either it wasn`t an
even multiple of the block length or its padding values, when
checked, weren`t correct. This message is always fatal.

Does anyone know the cause of this error or how to fix it? Is this an
error in the core Net:HTTPS and SSL core Ruby libraries specific to Mac
OS X?

Code:
cer_file = File.dirname(__FILE__) + '/cert.pem'
key_file = File.dirname(__FILE__) + '/key.pem'

cert = File.read(cer_file)
key = File.read(key_file)

uri = URI.parse("https://myservice.com/servicestatus")
http = Net::HTTP.new(uri.host, uri.port)
http.open_timeout = 5
http.read_timeout = 5

http.use_ssl = (uri.scheme == "https")
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
http.cert = OpenSSL::X509::Certificate.new(cert)
http.key = OpenSSL::PKey::RSA.new(key)

http.verify_callback = Proc.new {
puts "===> in verify_callback -- #{Time.now}"
true
}

request = Net::HTTP::Post.new(uri.request_uri)

request.body =
'<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:wsdl="http://myservice.com/ws/protocol"
xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
<env:Body>
<wsdl:NodesListRequest>
<AppID>MyAPP</AppID>
<Timestamp>2010-01-01T00:00:00</Timestamp>
</wsdl:NodesListRequest>
</env:Body>
</env:Envelope>'

resp = http.request(request)
puts "response => #{resp.inspect}"

Note the same code (and same certificate and key files) works on Windows
and Linux but not Mac OSX.
I tried on the Mac with Ruby 1.8.6 and 1.8.7.
 
S

Stanislav Bozhkov

Hi George,

Have you found a solution for this problem? I'm struggling with this for
2 days already.

10x in advance for any help.

Stan.
 
G

George Alatrash

Hi Stan,

After posting this by about a week or so, everything started working as
if has never been. The only thing I did was installing an OS X update
Friday afternoon then Monday morning I discovered it was working. Since
then I forgot about this issue.

George
 
S

Stanislav Bozhkov

Hm, I'm fighting with this now! Mac OS X 10.6.6

I'll hope to disappear here too :D

Anyway, 10x for your time!
 
G

George Alatrash

Stan, here is a sample standalone file that might be helpful to you is
testing. You have to put your own certificate and key files where
specified and substitute the URL string. Try with both VERIFY_PEER and
VERIFY_NONE. Here is the code which I hope might be useful to you

Code:
#!/usr/bin/env ruby
require "uri"
require "net/https"

cer_file = File.dirname(__FILE__) + '/cer.pem'
key_file = File.dirname(__FILE__) + '/key.pem'
url_str = 'https://www.myservice.com/service_path/service_method'

pem = File.read(cer_file)
key = File.read(key_file)

uri = URI.parse(url_str)
http = Net::HTTP.new(uri.host, uri.port)
http.open_timeout = 3
http.read_timeout = 5

http.use_ssl = (uri.scheme == "https")  # enable SSL/TLS
http.verify_mode = OpenSSL::SSL::VERIFY_PEER #also try VERIFY_NONE
http.cert = OpenSSL::X509::Certificate.new(pem)
http.key = OpenSSL::PKey::RSA.new(key)

http.verify_callback = Proc.new {
puts "===> in verify_callback -- #{Time.now}"
true
}
request = Net::HTTP::Post.new(uri.request_uri)

request.body =
'<?xml version="1.0" encoding="UTF-8"?>
<env:Envelope xmlns:wsdl="http://tempuri.com/"
xmlns:env="http://schemas.xmlsoap.org/soap/envelope/">
<env:Body>
<wsdl:TransactionRequest>
<Var1>MyName</Var1>
<VarTimestamp>2000-01-01T00:00:00</VarTimestamp>
</wsdl:TransactionRequest>
</env:Body>
</env:Envelope>'

#request.headers["Content-Type"] = "text/xml"
resp = http.request(request)
puts "response => #{resp.inspect}"

BTW, I tested this code on Windows 7, Mac OS X 10.6.4/5/6, and Linux
virtual machine and it worked on all of them.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Members online

Forum statistics

Threads
473,871
Messages
2,569,919
Members
46,172
Latest member
JamisonPat

Latest Threads

Top