yahns Ruby server user/dev discussion
From: Eric Wong <e@80x24.org>
To: "Shota Fukumori (sora_h)" <her@sorah.jp>
Cc: unicorn-public@bogomips.org, yahns-public@yhbt.net
Subject: Re: https://unicorn.bogomips.org accepts client certificate?
Date: Tue, 15 Mar 2016 08:58:51 +0000
Message-ID: <20160315085851.GA505@dcvr.yhbt.net>
In-Reply-To: <CA+wiQwuE=ya6F4s4k3GCTUppk7mbBOYOVwVXhTsX2SP8mgdmNQ@mail.gmail.com>

"Shota Fukumori (sora_h)" <her@sorah.jp> wrote:
> Hi,
> 
> I found that https://unicorn.bogomips.org/ accepts a client certificate.
> My browser prompts for which certificate to use for a connection, even
> though https://unicorn.bogomips.org/ doesn't require a client certificate.

+Cc yahns-public@yhbt.net

Likely a bug in yahns or the OpenSSL configuration of it.

I have also been running some experimental ruby-trunk or
yahns patches related to https://bugs.ruby-lang.org/issues/12126
so maybe I left something out in a deployment[1]...

Which client(s) are you using?

curl, w3m, lynx on both Debian jessie and wheezy all seem fine.

  openssl s_client -connect unicorn.bogomips.org:443 -CApath /etc/ssl/

Also seems fine.  As does the following Ruby snippet:

  require 'uri'
  require 'net/https'
  uri = URI('https://unicorn.bogomips.org/')
  req = Net::HTTP::Get.new(uri)
  res = Net::HTTP.start(uri.hostname, uri.port, use_ssl: true) do |http|
    p http.request(req)
  end

I suppose there will be problems with old clients that can't
handle SNI or newer/stronger encryption.

> My colleagues and I are surprised about the browser asking for it. I guess
> this is unexpected behavior; is it expected?

I've not advertised the https site for unicorn yet;
it's just an experiment at this point[2]

Given the flurry of 1.12.x releases regarding TLS issues in
yahns, it's safe to say there are likely bugs in how yahns does
TLS:

  http://yhbt.net/yahns-public/20160229-yahns-1.12.2-unle@shed/t/

Fwiw, here's the OpenSSL SSLContext config I use with yahns 1.12.2:

  require 'openssl'
  ctx = OpenSSL::SSL::SSLContext.new
  # server certificate
  ctx.cert = OpenSSL::X509::Certificate.new(IO.read(
    '/etc/ssl/certs/dcvr.yhbt.net.crt'))
  # intermediate(s) sent alongside the server certificate
  ctx.extra_chain_cert = [ OpenSSL::X509::Certificate.new(IO.read(
    '/etc/ssl/certs/dcvr.yhbt.net.chain.crt')) ]
  # private key matching ctx.cert
  ctx.key = OpenSSL::PKey::RSA.new(IO.read(
    '/etc/ssl/private/dcvr.yhbt.net.key'))
  # applies Ruby's SSLContext::DEFAULT_PARAMS, which include
  # verify_mode: OpenSSL::SSL::VERIFY_PEER
  ctx.set_params

I'm really not that knowledgeable when it comes to OpenSSL[3].

Is there a WEBrick or similar pure Ruby config you can mimic
the problem with?



[1] Anyway, I'm on yahns 1.12.2 now; my curl check runs
    periodically and has never reported any TLS-related error
    in weeks.

[2] And will remain experimental indefinitely given my
    lack-of-trust in both the CA system and the quality
    of OpenSSL itself.

[3] I'm afraid my attempt to use/read the openssl C library
    code back in the 2000s traumatized me for good :x
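The following is an added, self-contained Ruby example that is not part of the original message or of yahns. It reproduces the mechanism behind the browser prompt on a loopback socket: `SSLContext#set_params` applies Ruby's `DEFAULT_PARAMS`, whose `verify_mode` is `OpenSSL::SSL::VERIFY_PEER`. On a *server* context that flag makes OpenSSL send a CertificateRequest during the handshake, so browsers ask the user which certificate to present; because `VERIFY_FAIL_IF_NO_PEER_CERT` is not set, a client that presents nothing is still accepted, which matches "accepts but doesn't require". The client side detects the request via `client_cert_cb`, which OpenSSL only invokes when the server asks for a certificate. The certificates, key sizes and the `server_requests_client_cert?` helper are constructed for this example; the `verify_mode: VERIFY_NONE` variant mirrors the recommendation that closes this thread.

```ruby
require 'openssl'
require 'socket'

# Constructed self-signed certificate for a loopback test; not a deployment cert.
def make_self_signed(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('subjectKeyIdentifier', 'hash'))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# The verify_mode that set_params leaves on a fresh context (VERIFY_PEER).
def default_verify_mode_after_set_params
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.set_params
  ctx.verify_mode
end

# Server context shaped like the posted yahns config: cert, key, set_params.
# verify_mode nil keeps the set_params default; any other value overrides it.
def server_context(key, cert, trusted_client_cert, verify_mode)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key = key
  store = OpenSSL::X509::Store.new
  store.add_cert(trusted_client_cert)   # a presented client cert must verify
  ctx.cert_store = store                # set before set_params so it is kept
  ctx.set_params
  ctx.verify_mode = verify_mode unless verify_mode.nil?
  ctx
end

# Runs one loopback handshake and returns true if the server sent a
# CertificateRequest, observed on the client via client_cert_cb.
def server_requests_client_cert?(verify_mode)
  skey, scert = make_self_signed('localhost')
  ckey, ccert = make_self_signed('client')
  sctx = server_context(skey, scert, ccert, verify_mode)

  tcp = TCPServer.new('127.0.0.1', 0)
  server = Thread.new do
    ssl = OpenSSL::SSL::SSLSocket.new(tcp.accept, sctx)
    ssl.sync_close = true
    begin
      ssl.accept
    ensure
      ssl.close
    end
  end

  requested = false
  cctx = OpenSSL::SSL::SSLContext.new
  cctx.verify_mode = OpenSSL::SSL::VERIFY_NONE  # server cert is self-signed; not under test
  cctx.client_cert_cb = lambda do |_ssl|
    requested = true            # only reached if the server asked for a cert
    [ccert, ckey]
  end
  ssl = OpenSSL::SSL::SSLSocket.new(TCPSocket.new('127.0.0.1', tcp.addr[1]), cctx)
  ssl.sync_close = true
  ssl.connect
  ssl.close
  server.join
  tcp.close
  requested
end

if $PROGRAM_NAME == __FILE__
  puts "set_params default is VERIFY_PEER: #{default_verify_mode_after_set_params == OpenSSL::SSL::VERIFY_PEER}"
  puts "server asks for client cert with set_params default: #{server_requests_client_cert?(nil)}"
  puts "server asks for client cert with VERIFY_NONE: #{server_requests_client_cert?(OpenSSL::SSL::VERIFY_NONE)}"
end
```

The check that matters for a public HTTPS server is the third line of output: after `ctx.set_params`, setting `ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE` stops the CertificateRequest and the browser prompt, while leaving the server's own certificate and key exactly as configured.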

Thread overview:

2016-03-15  8:58 ` Eric Wong (this message)
2016-03-15  9:21   ` https://unicorn.bogomips.org accepts client certificate? Shota Fukumori (sora_h)
2016-03-15  9:43     ` russm
2016-03-15 23:20       ` Shota Fukumori (sora_h)
2016-03-15 23:30         ` Eric Wong
2016-03-15 23:54           ` Shota Fukumori (sora_h)
2016-03-16  0:34             ` [PATCH] doc: recommend "verify_mode: OpenSSL::SSL::VERIFY_NONE" Eric Wong