使用 https 连接到具有由我创建的 CA 签名的证书的服务器
我有一个测试环境,它使用 Ruby 通过 https 连接驱动服务器。由于最新版本的 Ruby 拒绝使用无效证书连接到 https 服务器(请参阅 我之前的问题)并且我想开始使用较新版本的 Ruby,我正在尝试设置一个有效的证书。
我已经创建了一个要使用的 CA 证书(有多个服务器正在测试,因此这似乎是更简单的方法),并已成功使用它来签署已安装在服务器上并正在使用的新证书。我已将 CA 证书添加到浏览器存储中,它(浏览器)现在将毫无怨言地连接到服务器。所以我相信我的证书是有效的并且设置正确。
我知道 Ruby 不使用与浏览器相同的存储。我已使用此处提供的 CA 文件来测试与其他(公共)服务器的连接(使用 Net::HTTP#ca_file= 方法设置),这也有效。
我无法开始工作的是 Ruby 使用我的证书连接到我的服务器。我尝试了各种方法将其指向我的证书(包括将我的证书添加到上面链接的文件中),但它总是给出相同的错误:
SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read server hello A (OpenSSL::SSL::SSLError)
我需要做什么才能说服 Ruby 接受我的证书并连接到我的服务器?
我使用的代码是:
require 'net/https'
uri = URI.parse("https://hostname/index.html")
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
http.ca_file = "My CA cert file"
request = Net::HTTP::Get.new(uri.path)
response = http.request(request)
我假设这是错误的。我想知道的是,我应该如何使用我的CA证书?
I have a test environment that uses Ruby to drive a server over an https connection. Since the latest versions of Ruby refuse to connect to an https server with an invalid certificate (see this earlier question of mine) and I would like to start using a newer version of Ruby, I am trying to set up a valid certificate.
I have created a CA certificate to use (there are multiple servers being tested so this seems the easier way), and have successfully used it to sign a new certificate which has been installed on a server and is being used. I have added the CA certificate to the browser store and it (the browser) will now connect to the server without complaint. So I am confident my certificates are valid and set up correctly.
I know that Ruby does not use the same store as the browser. I have used the CA file available here to test connecting to other (public) servers (set using the Net::HTTP#ca_file= method) and this also works.
What I cannot get to work is Ruby connecting to my server using my certificate. I have tried various ways of pointing it at my certificate (including adding my certificate to the file linked above) and it always gives the same error:
SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read server hello A (OpenSSL::SSL::SSLError)
What do I have to do to convince Ruby to accept my certificate and connect to my server?
The code I am using is:
require 'net/https'
uri = URI.parse("https://hostname/index.html")
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
http.ca_file = "My CA cert file"
request = Net::HTTP::Get.new(uri.path)
response = http.request(request)
I'm assuming this is wrong somehow. What I want to know is, what should I do to use my CA certificate?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
我假设您的 Tomcat 不喜欢 Ruby 尝试协商的协议版本。 Ruby 默认使用 SSLv23,但我听说过其他情况基于 Java 的 Web 服务器的问题。您收到的错误消息表明在建立连接并尝试读取服务器响应时握手失败。尝试添加
or
,看看是否有帮助。
如果这还不能解决问题,那么了解服务器拒绝连接尝试的原因将非常有趣。尝试使用
-Djavax.net.debug=ssl运行您的 Tomcat,并请发布相关部分(连接信息、异常堆栈跟踪)以了解尝试失败的原因。I assume that your Tomcat doesn't like the protocol version that Ruby tries to negotiate. Ruby uses SSLv23 by default, but I've heard other cases where this was a problem for Java-based web servers. The error message you are getting indicates that the handshake fails while setting up the connection and trying to read the server's response. Try adding either
or
and see if that already helps.
If this does not fix the problem yet, it would be very interesting to see why your server rejects the connection attempt. Try running your Tomcat with
-Djavax.net.debug=ssland please post the relevant parts (connection information, exception stacktrace) as to why the attempt fails.我正在使用 ruby 1.9.3,在使用 nokogiri 解析一些安全 url 时遇到了同样的错误。
emboss 提供的上述答案是正确的,但请确保生成的 ssl 错误是上面提到的错误。我也遵循了同样的做法,并找到了如下所述的解决方案。
现在,响应已为传递给 url 中的代码的安全 url 解析了正确的 html。
I am using ruby 1.9.3 and faced the same error while using nokogiri to parse some secure urls.
The above answer provided by emboss is correct but make sure the ssl error generated is this one that is mentioned above. I have followed the same and found a solution like this mentioned below.
now the response is having the correct html parsed for the secured url that is passed to the codes in the url .
确保您的证书文件采用 PEM 格式,而不是 CRT(因此 Ruby 1.9.3 中的 Net::HTTP 文档 说)。
更新 看起来文档不是最新的,Ruby 1.9.3 将接受任何类型的证书。
Make sure that the your certificate file is in PEM format, not CRT (so the documentation for Net::HTTP in Ruby 1.9.3 says).
Update it looks like the documentation is not up to date, Ruby 1.9.3 will accept any kind of certificate.