调用 URI 时如何验证 SSL 连接?
我正在开发一个使用 CAS 进行身份验证的 Web 应用程序(单点登录解决方案:http://www.ja-sig.org/wiki/display/CAS/Home)。
出于安全原因,我需要做两件事:
- CAS 和我的应用程序之间的通信需要安全
- 我的应用程序需要接受来自 CAS 的认证,以便我可以保证 CAS 响应是真正的 CAS 服务器
这就是到目前为止,我得到的结果是:
uri = URI.parse("https://www.google.com/accounts")
https = Net::HTTP.new(uri.host, uri.port)
https.use_ssl = (uri.scheme == 'https')
https.verify_mode = (OpenSSL::SSL::VERIFY_PEER)
raw_res = https.start do |conn|
conn.get("#{uri.path}?#{uri.query}")
end
这在 Mac OS X 中工作得很好。当我尝试访问不安全的 URI 时,它会引发异常,而当我尝试访问安全的 URI 时,它会正常允许我,就像预期的那样。
当我在 Linux 服务器上部署应用程序时,问题就出现了。我在 Ubuntu 和 Red Hat 上都尝试过。与我尝试访问的 URI 无关,它总是会引发此异常:
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
from /usr/local/lib/ruby/1.8/net/http.rb:586:in `connect'
from /usr/local/lib/ruby/1.8/net/http.rb:586:in `connect'
from /usr/local/lib/ruby/1.8/net/http.rb:553:in `do_start'
from /usr/local/lib/ruby/1.8/net/http.rb:542:in `start'
from (irb):7
我认为这与我安装的 OpenSSL 软件包有关,但我不能确定。这是我安装的 OpenSSL 软件包:
openssl.x86_64 0.9.8e-12.el5 installed
openssl-devel.x86_64 0.9.8e-12.el5 installed
我也尝试使用 HTTParty,但它只是忽略 SSL 证书。
我希望有人可以帮助我,或者告诉我有一种可以按照我需要的方式工作的宝石。
谢谢。
I am developing a web application that is authenticated using CAS (A single-sign-on solution: http://www.ja-sig.org/wiki/display/CAS/Home).
For security reasons, I need two things to work:
- The communication between CAS and my application needs to be secure
- My application needs to accept the certification coming from CAS, so that I can guarantee that the CAS responding is the real CAS server
This is what I got so far:
uri = URI.parse("https://www.google.com/accounts")
https = Net::HTTP.new(uri.host, uri.port)
https.use_ssl = (uri.scheme == 'https')
https.verify_mode = (OpenSSL::SSL::VERIFY_PEER)
raw_res = https.start do |conn|
conn.get("#{uri.path}?#{uri.query}")
end
This works just great in Mac OS X. When I try to reach an insecure URI, it raises an exception, and when I try to reach a secure URI, it allows me normally, just like expected.
The problem starts when I deploy my application on my Linux server. I tried in both Ubuntu and Red Hat. Independent of what URI I try to reach, it always raises this exception:
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
from /usr/local/lib/ruby/1.8/net/http.rb:586:in `connect'
from /usr/local/lib/ruby/1.8/net/http.rb:586:in `connect'
from /usr/local/lib/ruby/1.8/net/http.rb:553:in `do_start'
from /usr/local/lib/ruby/1.8/net/http.rb:542:in `start'
from (irb):7
I think this have something to do with my installed OpenSSL package, but I can't be sure. This are my installed OpenSSL packages:
openssl.x86_64 0.9.8e-12.el5 installed
openssl-devel.x86_64 0.9.8e-12.el5 installed
I tried using HTTParty as well, but it just ignores the SSL certificate.
I hope someone can help me, or tell me about a gem that works the way I need.
Thanks.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
我敢打赌证书颁发机构文件中存在差异。尝试将
https.ca_file设置为另一个 pem 文件,就像这个,并确保您的证书的 CA 位于该列表中。或者,也许其中一台或两台机器的时钟都是错误的。 (通过此页面)
I would bet that there's a difference in the Certificate Authorities file. Try setting
https.ca_fileto another pem file, like maybe this one, and ensure that your cert's CA is in that list.Or, perhaps one or both of the machines' clocks are wrong. (via this page)
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
http.verify_mode = OpenSSL::SSL::VERIFY_NONE