I'm trying to set up Akephalos for use with Capybara. I ran into this
message when trying to visit the page I am trying to test:
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated (NativeException)
(druby://127.0.0.1:35580) org/jruby/RubyKernel.java:2042:in `send'
(druby://127.0.0.1:35580) org/jruby/RubyKernel.java:1417:in `loop'
(druby://127.0.0.1:35580) org/jruby/RubyProc.java:268:in `call'
(druby://127.0.0.1:35580) org/jruby/RubyProc.java:232:in `call'
I wonder if it has anything to do with the fact that we are using a
self-signed certificate. This is what my env.rb file looks like:
# Capybara configuration (using Akephalos)
require 'capybara'
require 'capybara/dsl'
require 'capybara/cucumber'
require 'akephalos'
Capybara.javascript_driver = :akephalos
Capybara.default_driver = :akephalos
Capybara.register_driver :akephalos do |app|
# available options:
# :ie6, :ie7, :ie8, :firefox_3, :firefox_3_6
Capybara::Driver::Akephalos.new(app, :browser => :firefox_3_6)
end
World(Capybara)
Yes, if the server is using a self-signed certificate, this can cause a warning/error such as 'peer not authenticated'.
The proper way around this problem is to specifically add the self-signed certificate to the trusted root store.
The wrong way around this problem is to turn off certificate verification.
I don't know the product you are using well enough to tell you how to do either of these things.
Related
Is there a way to prevent Thin from accepting requests using SSLv3?
I cannot find any resources on how to deal with Poodle for a Thin server running with SSL. I don't want to move thin behind nginx if I don't have to so any resources would be helpful. I took a look at the source code but couldn't find a way to monkey patch it, can't even find a reference to it.
Thin uses eventmachine, so the solution involves making eventmachine not use SSLv2 or v3.
This discussion has some insights on a generic patch
https://github.com/eventmachine/eventmachine/issues/359
Another option is to build eventmachine with a patch to disable
(https://github.com/eventmachine/eventmachine/wiki/Building-EventMachine)
and then a patch of
--- a/ext/ssl.cpp
+++ b/ext/ssl.cpp
## -145,7 +145,7 ## SslContext_t::SslContext_t (bool is_server, const string &privkeyfile, const str
}
bIsServer = is_server;
- pCtx = SSL_CTX_new (is_server ? SSLv23_server_method() : SSLv23_client_method());
+ pCtx = SSL_CTX_new (is_server ? TLSv1_server_method() : TLSv1_client_method());
if (!pCtx)
throw std::runtime_error ("no SSL context");
I haven't been able to get it fully tested, but this command should fail:
openssl s_client -connect 127.0.0.1:3000 -ssl3
When I update my Rails gems I find this errors (only in production, in development environment working good):
Curl::Err::SSLCACertificateError
Seems that is an SSL Certificate Authority Error, but why only in production is not working? And what can I do to resolve the problem?
My curb gems is v.0.8.3 with rails 3.2.8
(the mayor update was the rake, that now is v.10.0.2, but I don't know if this influence the good working of the curb gem).
FYI, this is the code that raise the error:
loginData = { :login => "myuser", :password => "mypass" }
loginJson = ActiveSupport::JSON.encode(loginData)
req = Curl::Easy.http_post("https://mysite.com", loginJson
) do |curl|
curl.headers['Content-type'] = 'application/json'
end
It sounds like you're using a self-signed SSL certificate on the server, which is fine. I do the same thing for internal services. You'll just want to make your client aware of the custom SSL certificate as well, that way it knows that it can be trusted.
Something like this should do the trick:
req = Curl::Easy.http_post("https://mysite.com", loginJson) do |curl|
curl.headers['Content-type'] = 'application/json'
curl.cacert = "/path/to/ca.crt"
curl.cert = "/path/to/cert.pem"
end
Of course, you'll probably want to extract these string constants into a config file.
I find an alternative solution, when I request a "curl" I put this additional propriety:
curl.ssl_verify_peer = false
I don't know if in term of security is the best solution, but for the moment it works...
How do I turn off certificate verification in a gem like jiraSOAP. the verification is inbuilt, but I really don't need that verification since the server & client are my properties. It should be doable to tweak the gem to stop this verification.
https://github.com/Marketcircle/jiraSOAP/blob/master/lib/jiraSOAP.rb
This cert verification error is stopping me moving on to my project. I have tried other solutions from forums, to upgrade my /etc/ssl/cert, adding OpenSSL::SSL::VERIFY_PEER = OpenSSL::SSL::VERIFY_NONE to my project. But none of them worked.
require 'jiraSOAP'
jira = JIRA::JIRAService.new "https://server/rpc/soap/jirasoapservice-v2?wsdl"
jira.login username, password
/usr/local/rvm/rubies/ruby-1.9.3-p125/lib/ruby/1.9.1/net/http.rb:799:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
I was able to solve it modifying the Handsoap gem to ignore cert check only for my host.
File to modify in the gems path -
handsoap-1.1.8/lib/handsoap/http/drivers/net_http_driver.rb
Modify after this new http client -
http_client = Net::HTTP.new(url.host, url.port)
Add this -
#Added these new lines below
if url.host == "server" #ignore cert check only for this host
http_client.verify_mode = OpenSSL::SSL::VERIFY_NONE
end
Rails: 3.0.5
Ruby: 1.9.2
apn_on_rails: 0.5.1
Suddenly started receiving Exception: "sslv3 alert certificate revoked" from apn_on_rails gem. However the notifications are still sent out to devices and the certificates are valid until 2013.
To Reproduce:
rails console.
create notification to one of existing devices.
not1 = APN::Notification.create(:device_id => devices[0].id, :sound => true, :badge => 1, :alert => "Testing")
Execute APN::App.send_notifications. (Note: APN::Notification.send_notifications is not at all sending any notifications and in turn calls APN::App.send_notifications)
Expected Output: Notification to be sent to device. No Exception thrown.
Actual Output: Notification sent to device. Exception thrown. Full stack trace of exception below:
ruby-1.9.2-p0 > APN::App.send_notifications
SSL_connect returned=1 errno=0 state=SSLv3 read finished A: sslv3 alert certificate revoked
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read finished A: sslv3 alert certificate revoked
from /gems/apn_on_rails-0.5.1/lib/apn_on_rails/libs/connection.rb:59:in `connect'
from /gems/apn_on_rails-0.5.1/lib/apn_on_rails/libs/connection.rb:59:in `open'
from /gems/apn_on_rails-0.5.1/lib/apn_on_rails/libs/connection.rb:23:in `open_for_delivery'
from /gems/apn_on_rails-0.5.1/lib/apn_on_rails/app/models/apn/app.rb:48:in `send_notifications_for_cert'
from /gems/apn_on_rails-0.5.1/lib/apn_on_rails/app/models/apn/app.rb:36:in `send_notifications'
As the stack trace indicates - the issue was within /gems/apn_on_rails-0.5.1/lib/apn_on_rails/app/models/apn/app.rb
In App.rb, in method self.send_notifications method:
def self.send_notifications
apps = APN::App.all
apps.each do |app|
app.send_notifications
end
if !configatron.apn.cert.blank?
global_cert = File.read(configatron.apn.cert)
send_notifications_for_cert(global_cert, nil)
end
end
Note: (if !configatron.apn.cert.blank?) The code checks for global certificate, whether you have defined this or not, it will check for "config/apple_push_develpment_certification.pem" and send notification with this certificate.
In my case, i had this file "config/apple_push_develpment_certification.pem" and i also add two different certificates for my iPhone and iPad apps defined by two configatron variables. Hence i encountered the certificate revoked issue and also my notifications were sent to devices.
To fix this:
define "configatron.apn.cert" to point to your new certificate in development.rb and production.rb files
I have a rake task that pulls and parses JSON data over an SSL connection from an external API.
I use a gem that wraps this external API and have no problems running locally, but the task fails when run on heroku with #<Curl::Err::SSLCaertBadFile: Curl::Err::SSLCaertBadFile>
I installed the piggyback SSL add-on, hoping it might fix it, but no dice.
Any ideas?
UPDATE
I managed to fix it by disabling ssl verification on the curl request previously set by the following two fields:
request.ssl_verify_peer
request.ssl_verify_host
I don't know enough about SSL to know exactly why the error was caused by these settings in a heroku environment or what the implications of disabling this are, aside from reduced security.
It is a bad idea to disable certificate checking. See http://www.rubyinside.com/how-to-cure-nethttps-risky-default-https-behavior-4010.html, http://jamesgolick.com/2011/2/15/verify-none..html and associated references for more on that topic.
The issue is that your HTTP client doesn't know where to find the CA certificates bundle on heroku.
You don't mention what client you are using, but here is an example for using net/https on heroku:
require "net/https"
require "uri"
root_ca_path = "/etc/ssl/certs"
url = URI.parse "https://example.com"
http = Net::HTTP.new(url.host, url.port)
http.use_ssl = (url.scheme == "https")
if (File.directory?(root_ca_path) && http.use_ssl?)
http.ca_path = root_ca_path
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
http.verify_depth = 5
end
request = Net::HTTP::Get.new(url.path)
response = http.request(request)
Here is an example using Faraday:
Faraday.new "https://example.com", ssl: { ca_path: "/etc/ssl/certs" }
Good luck.