Does Net::HTTP support Server Name Indication?

Posted 2024-10-12 02:28:30 · 801 characters · 6 views · 0 comments

I'm trying to get Ruby's Net::HTTP implementation to work with SNI.

Both mail.google.com and gmail.com live on the same IP address, so when connecting via SSL, the Google server needs to know which certificate to use. By default, it returns the mail.google.com certificate, which is a problem if you're trying to implement WebFinger.

WebFinger requires you to retrieve https://gmail.com/.well-known/host-meta to get the LRDD information; however, for security reasons, it's critical to verify the SSL certificate information.

Since Google serves up the default mail.google.com certificate in this case, the SSL post_connection_check fails. The correct solution here would be to enable Server Name Indication for Net::HTTP, but it's not clear to me how to get that working with the Ruby bindings for OpenSSL. Anyone else have an idea?

You should be able to see the problem by running:

require 'open-uri'
open('https://gmail.com/.well-known/host-meta') { |f| f.read }

I've also created a gist that exhibits the problem using an earlier version of curl and OpenSSL:

https://gist.github.com/7936ef38787092a22897

Comments (2)

银河中√捞星星 2024-10-19 02:28:30

For SNI support, you need a newer OpenSSL release (0.9.8f with --enable-tlsext, or 0.9.8j or later) and must call OpenSSL::SSL::SSLSocket#hostname = 'hostname' before SSLSocket#connect. Net::HTTPS does not support SNI yet, and neither does open-uri.

Checking out the httpclient development repository should give you SNI support.

Let me know if you need a released gem real soon now...

—━☆沉默づ 2024-10-19 02:28:30

Ruby 2.0 will address the TLS SNI (Server Name Indication) issue:

from net/http:

#        ...
#           s.session = @ssl_session if @ssl_session
#           # Server Name Indication (SNI) RFC 3546
#           s.hostname = @address if s.respond_to? :hostname=
#           Timeout.timeout(@open_timeout, Net::OpenTimeout) { s.connect }
#           if @ssl_context.verify_mode != OpenSSL::SSL::VERIFY_NONE
#             s.post_connection_check(@address)
#           end
#           ...

To make this work in 1.9.2 (or higher), apply a similar patch to net/http:

#         ...
# BEGIN:  SNI PATCH http://bugs.ruby-lang.org/issues/4351
#          s.hostname = @address if s.respond_to? :hostname=
# END:   SNI PATCH http://bugs.ruby-lang.org/issues/4351
#          timeout(@open_timeout) { s.connect }
#          if @ssl_context.verify_mode != OpenSSL::SSL::VERIFY_NONE
#            s.post_connection_check(@address)
#          end
#        ...

see also:
http://bugs.ruby-lang.org/issues/4351
http://en.wikipedia.org/wiki/Server_Name_Indication
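Both answers come down to the same two calls: SSLSocket#hostname= before connect (the SNI extension) and post_connection_check after it. The following is an added example, not code from the question, the answers, or Ruby's net/http: it runs an in-process loopback TLS server that hosts two constructed vhost certificates and picks one via the SNI callback, then connects once without SNI and once with it, so the question's failure and the answers' fix can be reproduced offline. Hostnames, key and certificates are constructed for the demo; a loopback listener and Ruby's openssl extension are the only assumptions.

```ruby
require 'openssl'
require 'socket'
DEFAULT_NAME = 'mail.example.test' # constructed stand-in for mail.google.com, the server's default vhost
WANTED_NAME  = 'www.example.test'  # constructed stand-in for gmail.com, the name the client really wants
# Self-signed certificate for one hostname (constructed test material, not a real CA chain).
def make_cert(name, key)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial, cert.public_key = 2, rand(1 << 62), key.public_key
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{name}")
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  cert.add_extension(OpenSSL::X509::ExtensionFactory.new(cert, cert).create_extension('subjectAltName', "DNS:#{name}"))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
end
KEY = OpenSSL::PKey::RSA.generate(2048) # one key for both vhosts keeps the demo fast
CERTS = { DEFAULT_NAME => make_cert(DEFAULT_NAME, KEY), WANTED_NAME => make_cert(WANTED_NAME, KEY) }
# Server side: the default vhost's cert, unless the client's SNI names another vhost we host.
def server_context
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert, ctx.key = CERTS[DEFAULT_NAME], KEY
  ctx.servername_cb = proc do |_ssl, name| # only invoked when the ClientHello carried SNI
    OpenSSL::SSL::SSLContext.new.tap { |v| v.cert, v.key = CERTS.fetch(name, ctx.cert), KEY }
  end
  ctx
end
# Client: connect with or without SNI, then run the question's post_connection_check; returns [CN presented, check passed?].
def fetch_cert(port, sni:)
  ctx = OpenSSL::SSL::SSLContext.new.tap { |c| c.verify_mode = OpenSSL::SSL::VERIFY_PEER }
  ctx.cert_store = OpenSSL::X509::Store.new.tap { |s| CERTS.each_value { |c| s.add_cert(c) } }
  ssl = OpenSSL::SSL::SSLSocket.new(TCPSocket.new('127.0.0.1', port), ctx).tap { |s| s.sync_close = true }
  ssl.hostname = WANTED_NAME if sni # SSLSocket#hostname= is the SNI call both answers describe
  ssl.connect
  presented = ssl.peer_cert.subject.to_a.assoc('CN')[1]
  ssl.post_connection_check(WANTED_NAME) # raises SSLError when the cert is not for WANTED_NAME
  [presented, true]
rescue OpenSSL::SSL::SSLError
  [presented, false]
ensure
  ssl&.close
end
# One trial: a loopback server thread answering a single handshake, then one client connection.
def trial(sni:)
  listener = TCPServer.new('127.0.0.1', 0)
  server = Thread.new do
    ssl = OpenSSL::SSL::SSLSocket.new(listener.accept, server_context)
    ssl.accept rescue nil # a client aborting the handshake is not an error for the demo
    ssl.close
  end
  fetch_cert(listener.addr[1], sni: sni).tap { server.join; listener.close }
end
puts({ without_sni: trial(sni: false), with_sni: trial(sni: true) }.inspect) if __FILE__ == $0
```

Without SNI the server falls back to its default certificate and post_connection_check rejects it, which is exactly the question's failure; with SNI the callback selects the right certificate and the check passes.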
