连接:SSL_connect 返回=1 errno=0 状态=SSLv3 读取服务器证书 B:证书验证失败(OpenSSL::SSL::SSLError)

发布于 10-05 14:17 字数 903 浏览 10 评论 0原文

我在使用 SSL 验证证书时遇到了麻烦。我完全不知道证书是如何工作的,所以这首先是一个主要障碍。这是运行脚本时出现的错误:

c:/Ruby191/lib/ruby/1.9.1/net/http.rb:611:in `connect': SSL_connect returned=1 e
rrno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL
::SSL::SSLError)

这是相关代码:

client = Savon::Client.new order_svc

request = client.create_empty_cart { |soap, http|
  http.auth.ssl.cert_file = 'mycert.crt'
  http.auth.ssl.verify_mode = :none
  http.read_timeout = 90
  http.open_timeout = 90
  http.headers = { "Content-Length" => "0", "Connection" => "Keep-Alive" }
  soap.namespaces["xmlns:open"] = "http://schemas.datacontract.org/2004/07/Namespace"
  soap.body = {
      "wsdl:brand" => brand,
      "wsdl:parnter" => [
        {"open:catalogName" => catalogName, "open:partnerId" => partnerId }
      ] }.to_soap_xml

      }

感谢任何帮助。

I'm having a terrible time getting SSL to verify a certificate. I'm completely ignorant on how certificates work so that's a major handicap to begin with. Here's the error I get when running the script:

c:/Ruby191/lib/ruby/1.9.1/net/http.rb:611:in `connect': SSL_connect returned=1 e
rrno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL
::SSL::SSLError)

Here's the relevant code:

client = Savon::Client.new order_svc

request = client.create_empty_cart { |soap, http|
  http.auth.ssl.cert_file = 'mycert.crt'
  http.auth.ssl.verify_mode = :none
  http.read_timeout = 90
  http.open_timeout = 90
  http.headers = { "Content-Length" => "0", "Connection" => "Keep-Alive" }
  soap.namespaces["xmlns:open"] = "http://schemas.datacontract.org/2004/07/Namespace"
  soap.body = {
      "wsdl:brand" => brand,
      "wsdl:parnter" => [
        {"open:catalogName" => catalogName, "open:partnerId" => partnerId }
      ] }.to_soap_xml

      }

Any help is appreciated.

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(4

雨落□心尘2024-10-12 14:17:12

检查你的 cert.pem 和 key.pem

证书密钥应该有一个

-----BEGIN CERTIFICATE-----
MIIFGDCCBACgAwIBAgIKG1DIagAAAAAAAzANBgkqhkiG9w0BAQsFADCBvDEkMCIG
....
-----END CERTIFICATE-----

你的 key.pem 应该有的

-----BEGIN PRIVATE KEY-----
CSqGSIb3DQEJARYVY2Fjb250YWN0QGVzY3JlZW4uY29tMQswCQYDVQQGEwJVUzEP
....
-----END PRIVATE KEY-----

,并且它可能有一些证书,但这对于这种情况并不重要。 (尽管它对我有用,因为如果没有额外的证书,curl 就无法工作)
我正在谈论的 Web 服务有一个良好的根 CA,但客户端身份验证密钥不受信任,因此这可能就是额外的证书使curl 工作的原因。

从您的客户端证书中获取这些内容是导致我出现问题的原因。

这对我有用。

openssl pkcs12 -in Client.pfx -clcerts -nokeys -out cert.pem
openssl pkcs12 -in Client.pfx -nodes -out key.pem

每个都会提示您输入导入密码
如果需要,您可以设置 pem 密码。 (你必须稍后在 ruby​​ 代码中设置)

require 'savon'
client = Savon::Client.new "https://service/Service.asmx?wsdl"
client.http.auth.ssl.cert_key_file = "key.pem"
client.http.auth.ssl.cert_file = "cert.pem"
client.http.auth.ssl.verify_mode=:peer

p client.wsdl.soap_actions

你也可以使用curl进行测试

curl -v  -E  key.pem  https://services/Service.asmx?wsdl

check your cert.pem and your key.pem

the cert key should have one

-----BEGIN CERTIFICATE-----
MIIFGDCCBACgAwIBAgIKG1DIagAAAAAAAzANBgkqhkiG9w0BAQsFADCBvDEkMCIG
....
-----END CERTIFICATE-----

your key.pem should have

-----BEGIN PRIVATE KEY-----
CSqGSIb3DQEJARYVY2Fjb250YWN0QGVzY3JlZW4uY29tMQswCQYDVQQGEwJVUzEP
....
-----END PRIVATE KEY-----

and it may have some certs in it but that doesn't matter for this case. (Although it does for me as curl doesn't work without the extra certs)
The webservice I am talking to has a good root CA, but the client auth keys are not trusted so this is probably why the extra certs make curl work.

getting those out of your client certificate was what caused me the problems.

here is what worked for me.

openssl pkcs12 -in Client.pfx -clcerts -nokeys -out cert.pem
openssl pkcs12 -in Client.pfx -nodes -out key.pem

each will prompt you for the Import password
and you can set a pem password if you want. (you would have to set that in the ruby code later)

require 'savon'
client = Savon::Client.new "https://service/Service.asmx?wsdl"
client.http.auth.ssl.cert_key_file = "key.pem"
client.http.auth.ssl.cert_file = "cert.pem"
client.http.auth.ssl.verify_mode=:peer

p client.wsdl.soap_actions

you can also test with curl

curl -v  -E  key.pem  https://services/Service.asmx?wsdl
若有似无的小暗淡2024-10-12 14:17:12

您需要提供证书附带的私钥文件。

http.auth.ssl.cert_key_file = "mycert.pem"

如果您的私钥文件已加密,您还需要提供密码:

http.auth.ssl.cert_key_password = "foobar"

You need to provide the private key file that goes along with your certificate.

http.auth.ssl.cert_key_file = "mycert.pem"

If your private key file is encrypted, you'll need to supply the password too:

http.auth.ssl.cert_key_password = "foobar"
拒绝两难2024-10-12 14:17:12

http.auth.ssl.verify_mode = :none 放入 client.request 块中对我来说不起作用。

我必须使用:

client = Savon::Client.new do |wsdl, http|
  http.auth.ssl.verify_mode = :none
  wsdl.document = #YOUR_WSDL_URL_HERE
end

使用 Savon 0.9.9 和 Ruby 1.9.3-p125

Putting the http.auth.ssl.verify_mode = :none inside the client.request block does not work for me.

I had to use:

client = Savon::Client.new do |wsdl, http|
  http.auth.ssl.verify_mode = :none
  wsdl.document = #YOUR_WSDL_URL_HERE
end

Using Savon 0.9.9 and Ruby 1.9.3-p125

鹤舞2024-10-12 14:17:12

注意:我正在较低级别的环境中进行测试自动化
没有正确签名的证书并且经常会抛出
由于域签名不匹配而导致的错误。对于问题在
另一方面,绕过签名是一个看似合理的解决方案,但它不是一个
用于生产级开发的解决方案。

我的问题是我正在尝试验证自签名证书。我所要做的就是输入以下代码并省略与验证证书有关的任何内容。

我必须对遇到相同问题的 SOAP 和 REST 调用执行此操作。

使用 Savon 的 SOAP

client = Savon::Client.new order_svc

request = client.create_empty_cart { |soap, http|
  http.auth.ssl.verify_mode = :none
  http.headers = { "Content-Length" => "0", "Connection" => "Keep-Alive" }
  soap.namespaces["xmlns:open"] = "http://schemas.datacontract.org/2004/07/Namespace"
  soap.body = {
      "wsdl:brand" => brand,
      "wsdl:parnter" => [
        {"open:catalogName" => catalogName, "open:partnerId" => partnerId }
      ] }.to_soap_xml

      }

使用 HTTPClient 的 REST

client = HTTPClient.new
client.ssl_config.verify_mode=(OpenSSL::SSL::VERIFY_NONE)
resp = client.get(Methods)

Note: I was working with test automation in lower level environments
that did not have properly signed certificates and would often throw
errors due to domain signatures not matching. For the problem at
hand, bypassing signatures was a plausible solution but it is not a
solution to be used for production level development.

My problem is that I am trying to validate a self-signed certificate. All I had to do was put the following code and omit anything to do with validating certificates.

I had to do this for both my SOAP and REST calls that were both experiencing the same issue.

SOAP using Savon

client = Savon::Client.new order_svc

request = client.create_empty_cart { |soap, http|
  http.auth.ssl.verify_mode = :none
  http.headers = { "Content-Length" => "0", "Connection" => "Keep-Alive" }
  soap.namespaces["xmlns:open"] = "http://schemas.datacontract.org/2004/07/Namespace"
  soap.body = {
      "wsdl:brand" => brand,
      "wsdl:parnter" => [
        {"open:catalogName" => catalogName, "open:partnerId" => partnerId }
      ] }.to_soap_xml

      }

REST using HTTPClient

client = HTTPClient.new
client.ssl_config.verify_mode=(OpenSSL::SSL::VERIFY_NONE)
resp = client.get(Methods)
~没有更多了~
我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
原文