From: Eric Wong <e@80x24.org>
To: "Shota Fukumori (sora_h)" <her@sorah.jp>
Cc: unicorn-public@bogomips.org, yahns-public@yhbt.net
Subject: Re: https://unicorn.bogomips.org accepts client certificate?
Date: Tue, 15 Mar 2016 08:58:51 +0000
Message-ID: <20160315085851.GA505@dcvr.yhbt.net>
In-Reply-To: <CA+wiQwuE=ya6F4s4k3GCTUppk7mbBOYOVwVXhTsX2SP8mgdmNQ@mail.gmail.com>
"Shota Fukumori (sora_h)" <her@sorah.jp> wrote:
> Hi,
>
> I found that https://unicorn.bogomips.org/ accepts client certificate.
> My browser prompts what certificate to use for a connection, even
> https://unicorn.bogomips.org/ doesn't require a client certificate.
+Cc yahns-public@yhbt.net

Likely a bug in yahns or the OpenSSL configuration of it.
I have also been running some experimental ruby-trunk or
yahns patches related to https://bugs.ruby-lang.org/issues/12126
so maybe I left something out in a deployment[1]...

Which client(s) are you using?

curl, w3m, lynx on both Debian jessie and wheezy all seem fine.

	openssl s_client -connect unicorn.bogomips.org:443 -CApath /etc/ssl/

Also seems fine. As does the following Ruby snippet:

require 'uri'
require 'net/https'
uri = URI('https://unicorn.bogomips.org/')
req = Net::HTTP::Get.new(uri)
res = Net::HTTP.start(uri.hostname, uri.port, use_ssl: true) do |http|
p http.request(req)
end

I suppose there will be problems with old clients that can't
handle SNI or newer/stronger encryption.

> I and my colleagues are surprised about browser asking it. I guess
> this is unexpected behavior, is it expected?
I've not advertised the https site for unicorn yet;
it's just an experiment at this point[2]

Given the flurry of 1.12.x releases regarding TLS issues in
yahns, it's safe to say there are likely bugs in how yahns does
TLS:

	http://yhbt.net/yahns-public/20160229-yahns-1.12.2-unle@shed/t/

Fwiw, here's the OpenSSL SSLContext config I use with yahns 1.12.2:

require 'openssl'
ctx = OpenSSL::SSL::SSLContext.new
ctx.cert = OpenSSL::X509::Certificate.new(IO.read(
'/etc/ssl/certs/dcvr.yhbt.net.crt'))
ctx.extra_chain_cert = [ OpenSSL::X509::Certificate.new(IO.read(
'/etc/ssl/certs/dcvr.yhbt.net.chain.crt')) ]
ctx.key = OpenSSL::PKey::RSA.new(IO.read(
'/etc/ssl/private/dcvr.yhbt.net.key'))
ctx.set_params

I'm really not that knowledgeable when it comes to OpenSSL[3].
Is there a WEBrick or similar pure Ruby config you can mimic
the problem with?

[1] Anyways, I'm on yahns 1.12.2 now; my curl check runs
periodically and has never reported any TLS-related error
in weeks.

[2] And will remain experimental indefinitely given my
lack-of-trust in both the CA system and the quality
of OpenSSL itself.

[3] I'm afraid my attempt to use/read the openssl C library
code back in the 2000s traumatized me for good :x
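The SSLContext config quoted in this message ends with `ctx.set_params`, which applies `OpenSSL::SSL::SSLContext::DEFAULT_PARAMS`, and that hash includes `verify_mode: OpenSSL::SSL::VERIFY_PEER`. On a client that flag is what you want (verify the server), but on a *server* context the same flag makes OpenSSL send a TLS CertificateRequest on every handshake, which is exactly why browsers pop up a certificate chooser even though nothing is rejected when no certificate is offered. The follow-up patch in this thread ("doc: recommend verify_mode: OpenSSL::SSL::VERIFY_NONE") pins the server's verify_mode back to VERIFY_NONE after `set_params`. The script below is an added example (not code from this mail, from yahns, or from the openssl gem) that reproduces the effect on the loopback interface: it builds a throwaway self-signed identity in memory instead of the `/etc/ssl/...` files from the mail, creates the two server contexts, and uses the client-side `client_cert_cb` as a probe, since Ruby only invokes that callback when the peer has asked for a client certificate. The helper names `self_signed_cert`, `server_context` and `server_requests_client_cert?` are this example's own.

```ruby
require 'openssl'
require 'socket'

# Throwaway self-signed identity, constructed in memory for this example only.
# A deployment loads its cert, chain and key from disk as the mail shows.
def self_signed_cert(cn)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = rand(1..2**31)
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Server-side SSLContext in the shape of the yahns config quoted in the mail.
# set_params applies SSLContext::DEFAULT_PARAMS, which includes
# verify_mode: VERIFY_PEER; on a server context that flag makes OpenSSL send a
# CertificateRequest to every client. With request_client_cert: false we pin
# verify_mode back to VERIFY_NONE after set_params, as the doc patch recommends.
def server_context(cert, key, request_client_cert:)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key  = key
  ctx.set_params
  ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE unless request_client_cert
  ctx
end

# One loopback handshake against server_ctx. Returns true if the server asked
# for a client certificate: Ruby calls SSLContext#client_cert_cb only after the
# peer sends a CertificateRequest, so the callback doubles as the probe.
def server_requests_client_cert?(server_ctx)
  tcp  = TCPServer.new('127.0.0.1', 0)
  port = tcp.addr[1]
  ssl_server = OpenSSL::SSL::SSLServer.new(tcp, server_ctx)
  server = Thread.new do
    begin
      ssl_server.accept.close
    rescue OpenSSL::SSL::SSLError, SystemCallError
      # With VERIFY_PEER the server also verifies the self-signed client cert
      # offered below against its default store and rejects it; the request
      # itself was still sent, which is all this probe measures.
    end
  end

  asked = false
  client_cert, client_key = self_signed_cert('client')
  client_ctx = OpenSSL::SSL::SSLContext.new
  client_ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE # server cert is self-signed
  client_ctx.client_cert_cb = proc { |_ssl|
    asked = true
    [client_cert, client_key]
  }

  ssl = OpenSSL::SSL::SSLSocket.new(TCPSocket.new('127.0.0.1', port), client_ctx)
  ssl.sync_close = true
  begin
    ssl.connect
  rescue OpenSSL::SSL::SSLError, SystemCallError
    # TLS 1.2 servers alert before the client finishes, TLS 1.3 servers after;
    # either way the handshake outcome is not what we are checking.
  ensure
    ssl.close rescue nil
  end
  server.join
  tcp.close unless tcp.closed?
  asked
end

if $PROGRAM_NAME == __FILE__
  cert, key = self_signed_cert('localhost')
  printf("set_params only:  asks for client cert? %s\n",
         server_requests_client_cert?(server_context(cert, key, request_client_cert: true)))
  printf("plus VERIFY_NONE: asks for client cert? %s\n",
         server_requests_client_cert?(server_context(cert, key, request_client_cert: false)))
end
```

The probe deliberately reports only whether a CertificateRequest was sent, not whether the handshake succeeded, because that is the user-visible symptom: a server running plain VERIFY_PEER still accepts clients that offer no certificate, so curl, w3m and the Net::HTTP snippet above look fine while a browser with any client certificate installed prompts on every connection. The same check is useful as a regression test whenever `set_params` is used to build a server context.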

Thread overview:
[not found] <CA+wiQwuE=ya6F4s4k3GCTUppk7mbBOYOVwVXhTsX2SP8mgdmNQ@mail.gmail.com>
2016-03-15 8:58 ` Eric Wong [this message]
2016-03-15 9:21 ` https://unicorn.bogomips.org accepts client certificate? Shota Fukumori (sora_h)
2016-03-15 9:43 ` russm
2016-03-15 23:20 ` Shota Fukumori (sora_h)
2016-03-15 23:30 ` Eric Wong
2016-03-15 23:54 ` Shota Fukumori (sora_h)
2016-03-16 0:34 ` [PATCH] doc: recommend "verify_mode: OpenSSL::SSL::VERIFY_NONE" Eric Wong