Comments (5)
Hey @mislav thanks for the response.
One immediate remediation I am currently using is to set the :cert_store to an empty certificate store:

```ruby
require 'openssl'
require 'faraday'

# Empty store: no system roots are loaded, so only the CA in ca.pem is trusted.
cert_store = OpenSSL::X509::Store.new
Faraday.new('...', ssl: { ca_file: 'ca.pem', cert_store: cert_store })
```
Or to just use a cert_store:

```ruby
require 'openssl'
require 'faraday'

# Load the CA straight into an otherwise empty store instead of passing :ca_file.
cert_store = OpenSSL::X509::Store.new
cert_store.add_file('ca.pem')
Faraday.new('...', ssl: { cert_store: cert_store })
```
However, the only adapters that currently support :cert_store are:

- httpclient
- net_http
- net_http_persistent

The httpclient adapter does not add a default certificate store, and the net_http_persistent adapter does the same thing as net_http (although it currently supports fewer SSL config options).
I'll take a little time to see how the other HTTP libs behave when just a :ca_file is specified, e.g. to see if they still trust the CA root. (The curl command, when built with openssl support, disables the system root when I specify a CA file, but I haven't tested the other Ruby HTTP libs yet aside from net/http).
from faraday-net_http.
> would you please clarify out of the 4 points above which ones are working as expected and which ones are not?

The examples are from the Net::HTTP standard library and as such these are all working as expected. I have just provided an example/reference regarding "how others do it".
Thanks for the nice report. I get the problem; however, I have the feeling that people right now are using ca_file to provide an extra custom certificate on top of system CA certs. Flipping the switch on this behavior would be backwards-incompatible.

How about that you can choose to disable the default cert store if you deliberately want to do CA pinning? E.g.

```ruby
Faraday.new('...', ssl: { ca_file: 'ca.pem', cert_store: false })
```
Would that satisfy your needs?
We would need to investigate how current HTTP libs (including net/http) behave in this regard: are we able to turn off the default system certs by passing no cert store object? If you have time and will to test this, it would be great.
> I'll take a little time to see how the other HTTP libs behave when just a :ca_file is specified, e.g. to see if they still trust the CA root. (The curl command, when built with openssl support, disables the system root when I specify a CA file, but I haven't tested the other Ruby HTTP libs yet aside from net/http).
I have tested the situation on CRuby 2.7 & 3.0 (both with OpenSSL 1.1.1) with Net::HTTP.

```ruby
require 'net/http'

http = Net::HTTP.new('example.com', 443) # Certificate https://crt.sh/?id=3704614715
http.use_ssl = true
# one of the http.ca_file assignments from the cases below goes here
http.start
```

- Passing a concatenation of the CA and Root (https://crt.sh/?id=853428 + https://crt.sh/?id=3427370830) certs works:

```ruby
http.ca_file = '/tmp/example_com_chained.pem'
```

- Passing just a root CA (https://crt.sh/?id=853428) cert works:

```ruby
http.ca_file = '/tmp/example_com_root.pem'
```

- Passing just a single CA (https://crt.sh/?id=3427370830) cert doesn't work (SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get issuer certificate) (OpenSSL::SSL::SSLError)):

```ruby
http.ca_file = '/tmp/example_com_ca.pem'
```

- Passing a concatenation of the CA and Root (https://crt.sh/?id=853428 + https://crt.sh/?id=3427370830) certs doesn't work for a page served with a different CA/Root combination (e.g., "google.com") - fails with SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get issuer certificate) (OpenSSL::SSL::SSLError):

```ruby
http = Net::HTTP.new('google.com', 443)
http.ca_file = '/tmp/example_com_chained.pem'
```
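The point that both the empty-:cert_store remediation earlier in the thread and these Net::HTTP runs turn on, as an added example that is not code from this issue or from the Faraday / faraday-net_http projects: an OpenSSL::X509::Store that starts empty and loads only ca.pem accepts a leaf issued by that CA and nothing else, while a store that already holds other roots (which is what the adapter's default set_default_paths store gives you before :ca_file is layered on top) also accepts leaves chained to those roots. Everything here is constructed offline and is an assumption of the example, not something from the page: the two CAs, the leaf certificates, the CN values 'Example Private CA', 'Some Public Root' and 'api.internal.example' are invented, and the second CA stands in for the system roots, which cannot be exercised without a network connection.

```ruby
# Added example, not code from the issue or from Faraday / faraday-net_http.
# Builds two throwaway CAs and checks which leaves each kind of store accepts.
require 'openssl'
require 'net/http'
require 'tempfile'

# Self-signed CA certificate and key (constructed test data; name is invented).
def make_ca(name)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{name}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Leaf (server) certificate issued by the given CA (constructed test data).
def make_leaf(host, ca_cert, ca_key)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 2
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{host}")
  cert.issuer = ca_cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(ca_cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'digitalSignature,keyEncipherment', true))
  cert.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# The remediation from the thread: start from an empty store and load only ca.pem.
def pinned_store(ca_pem_path)
  store = OpenSSL::X509::Store.new
  store.add_file(ca_pem_path)
  store
end

# What ca.pem on top of an already populated store does: both sets of roots are
# trusted. The real adapter fills the store with set_default_paths (system roots);
# here the extra roots are passed in explicitly so the check runs offline.
def store_with_extra_roots(ca_pem_path, extra_roots)
  store = pinned_store(ca_pem_path)
  extra_roots.each { |root| store.add_cert(root) }
  store
end

# The same chain-building check OpenSSL performs in the handshake, minus the socket.
# Returns [ok, reason]; reason is OpenSSL's verify error string when ok is false.
def accepted?(store, leaf)
  ok = store.verify(leaf)
  [ok, ok ? nil : store.error_string]
end

# Wire a store into Net::HTTP without opening a connection.
def pinned_http(host, store)
  http = Net::HTTP.new(host, 443)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.cert_store = store
  http
end

# Scenario: our private CA, plus an unrelated CA standing in for a system root.
PRIVATE_CA, PRIVATE_KEY = make_ca('Example Private CA')
OTHER_CA, OTHER_KEY = make_ca('Some Public Root')
OUR_LEAF = make_leaf('api.internal.example', PRIVATE_CA, PRIVATE_KEY)
IMPOSTOR_LEAF = make_leaf('api.internal.example', OTHER_CA, OTHER_KEY)

# ca.pem as the remediation would ship it: just the private CA.
CA_PEM = Tempfile.new(['ca', '.pem']).tap { |f| f.write(PRIVATE_CA.to_pem); f.flush }

PINNED = pinned_store(CA_PEM.path)
DEFAULT_LIKE = store_with_extra_roots(CA_PEM.path, [OTHER_CA])

if __FILE__ == $PROGRAM_NAME
  puts "pinned store, own leaf:        #{accepted?(PINNED, OUR_LEAF).inspect}"
  puts "pinned store, impostor leaf:   #{accepted?(PINNED, IMPOSTOR_LEAF).inspect}"
  puts "default-like store, impostor:  #{accepted?(DEFAULT_LIKE, IMPOSTOR_LEAF).inspect}"
end
```

Run as a script it prints the three verdicts: the pinned store accepts only the leaf from the private CA and reports an issuer lookup failure for the impostor, while the store that also carries the stand-in public root accepts both, which is the situation the reporter is trying to avoid. The Faraday equivalent of the pinned store is passing it as ssl: { cert_store: store } and leaving :ca_file unset, exactly as in the remediation earlier in the thread.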
Thanks for jumping in on this @aleksandrs-ledovskis, would you please clarify out of the 4 points above which ones are working as expected and which ones are not?