yahns Ruby server user/dev discussion
 help / color / Atom feed
* Re: https://unicorn.bogomips.org accepts client certificate?
       [not found] <CA+wiQwuE=ya6F4s4k3GCTUppk7mbBOYOVwVXhTsX2SP8mgdmNQ@mail.gmail.com>
@ 2016-03-15  8:58 ` Eric Wong
  2016-03-15  9:21   ` Shota Fukumori (sora_h)
  0 siblings, 1 reply; 7+ messages in thread
From: Eric Wong @ 2016-03-15  8:58 UTC (permalink / raw)
  To: Shota Fukumori (sora_h); +Cc: unicorn-public, yahns-public

"Shota Fukumori (sora_h)" <her@sorah.jp> wrote:
> Hi,
> 
> I found that https://unicorn.bogomips.org/ accepts client certificate.
> My browser prompts what certificate to use for a connection, even
> https://unicorn.bogomips.org/ doesn't require a client certificate.

+Cc yahns-public@yhbt.net

Likely a bug in yahns or the OpenSSL configuration of it.

I have also been running some experimental ruby-trunk or
yahns patches related to https://bugs.ruby-lang.org/issues/12126
so maybe I left something out in a deployment[1]...

Which client(s) are you using?

curl, w3m, lynx on both Debian jessie and wheezy all seem fine.

  openssl s_client -connect unicorn.bogomips.org:443 -CApath /etc/ssl/

Also seems fine.  As does the following Ruby snippet:

  require 'uri'
  require 'net/https'
  uri = URI('https://unicorn.bogomips.org/')
  req = Net::HTTP::Get.new(uri)
  res = Net::HTTP.start(uri.hostname, uri.port, use_ssl: true) do |http|
    p http.request(req)
  end

I suppose there will be problems with old clients that can't
handle SNI or newer/stronger encryption.

> I and my colleagues are surprised about browser asking it. I guess
> this is unexpected behavior, is it expected?

I've not advertised the https site for unicorn yet;
it's just an experiment at this point[2]

Given the flurry of 1.12.x releases regarding TLS issues in
yahns, it's safe to say there are likely bugs how yahns does
TLS:

  http://yhbt.net/yahns-public/20160229-yahns-1.12.2-unle@shed/t/

Fwiw, here's the OpenSSL SSLContext config I use with yahns 1.12.2

  require 'openssl'
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = OpenSSL::X509::Certificate.new(IO.read(
    '/etc/ssl/certs/dcvr.yhbt.net.crt'))
  ctx.extra_chain_cert = [ OpenSSL::X509::Certificate.new(IO.read(
    '/etc/ssl/certs/dcvr.yhbt.net.chain.crt')) ]
  ctx.key = OpenSSL::PKey::RSA.new(IO.read(
    '/etc/ssl/private/dcvr.yhbt.net.key'))
  ctx.set_params

I'm really not that knowledgeable when it comes to OpenSSL[3].

Is there a WEBrick or similar pure Ruby config you can mimic
the problem with?



[1] Anyways I'm on yahns 1.12.2, now, my curl check runs
    periodically and never reported any TLS-related error
    in weeks.

[2] And will remain experimental indefinitely given my
    lack-of-trust in both the CA system and the quality
    of OpenSSL itself.

[3] I'm afraid my attempt to use/read the openssl C library
    code back in the the 2000s traumatized me for good :x

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: https://unicorn.bogomips.org accepts client certificate?
  2016-03-15  8:58 ` https://unicorn.bogomips.org accepts client certificate? Eric Wong
@ 2016-03-15  9:21   ` Shota Fukumori (sora_h)
  2016-03-15  9:43     ` russm
  0 siblings, 1 reply; 7+ messages in thread
From: Shota Fukumori (sora_h) @ 2016-03-15  9:21 UTC (permalink / raw)
  To: Eric Wong; +Cc: unicorn-public, yahns-public

Confirmed at least Chrome, Safari, Firefox on OS X El Capitan, and
Microsoft Edge on Windows 10.

> I've not advertised the https site for unicorn yet;

I thought so too, but at least google is using https url for their
search result.


--
Shota Fukumori a.k.a. @sora_h http://sorah.jp/

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: https://unicorn.bogomips.org accepts client certificate?
  2016-03-15  9:21   ` Shota Fukumori (sora_h)
@ 2016-03-15  9:43     ` russm
  2016-03-15 23:20       ` Shota Fukumori (sora_h)
  0 siblings, 1 reply; 7+ messages in thread
From: russm @ 2016-03-15  9:43 UTC (permalink / raw)
  To: Shota Fukumori (sora_h); +Cc: Eric Wong, unicorn-public, yahns-public

On Tue, Mar 15, 2016 at 06:21:01PM +0900, Shota Fukumori (sora_h) wrote:
> Confirmed at least Chrome, Safari, Firefox on OS X El Capitan, and
> Microsoft Edge on Windows 10.

FWIW, I see this with Chrome 49 on OSX 10.11, but *not* Chrome 49 on
Debian 8.

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: https://unicorn.bogomips.org accepts client certificate?
  2016-03-15  9:43     ` russm
@ 2016-03-15 23:20       ` Shota Fukumori (sora_h)
  2016-03-15 23:30         ` Eric Wong
  0 siblings, 1 reply; 7+ messages in thread
From: Shota Fukumori (sora_h) @ 2016-03-15 23:20 UTC (permalink / raw)
  To: russm; +Cc: Eric Wong, unicorn-public, yahns-public

To be clear, you have to have a client certificate on your certificate
manager to be prompted.
Server doesn't specify acceptable client certificate CA names, so any
client certificate is ok.

On Tue, Mar 15, 2016 at 6:43 PM, russm <russm-rubyforge@slofith.org> wrote:
> On Tue, Mar 15, 2016 at 06:21:01PM +0900, Shota Fukumori (sora_h) wrote:
>> Confirmed at least Chrome, Safari, Firefox on OS X El Capitan, and
>> Microsoft Edge on Windows 10.
>
> FWIW, I see this with Chrome 49 on OSX 10.11, but *not* Chrome 49 on
> Debian 8.



-- 
Shota Fukumori a.k.a. @sora_h http://sorah.jp/

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: https://unicorn.bogomips.org accepts client certificate?
  2016-03-15 23:20       ` Shota Fukumori (sora_h)
@ 2016-03-15 23:30         ` Eric Wong
  2016-03-15 23:54           ` Shota Fukumori (sora_h)
  0 siblings, 1 reply; 7+ messages in thread
From: Eric Wong @ 2016-03-15 23:30 UTC (permalink / raw)
  To: Shota Fukumori (sora_h); +Cc: russm, unicorn-public, yahns-public

"Shota Fukumori (sora_h)" <her@sorah.jp> wrote:
> To be clear, you have to have a client certificate on your certificate
> manager to be prompted.
> Server doesn't specify acceptable client certificate CA names, so any
> client certificate is ok.

Thanks for the report, I think I just fixed the problem:

  ctx.set_params # reasonable defaults for clients, apparently

However, webrick and drb both set VERIFY_NONE for servers:

  ctx.set_params(verify_mode: OpenSSL::SSL::VERIFY_NONE)

I've updated https://unicorn.bogomips.org/ with the above change,
can you confirm it works for you?  If so, I'll update the yahns
documentation.

^ permalink raw reply	[flat|nested] 7+ messages in thread

* Re: https://unicorn.bogomips.org accepts client certificate?
  2016-03-15 23:30         ` Eric Wong
@ 2016-03-15 23:54           ` Shota Fukumori (sora_h)
  2016-03-16  0:34             ` [PATCH] doc: recommend "verify_mode: OpenSSL::SSL::VERIFY_NONE" Eric Wong
  0 siblings, 1 reply; 7+ messages in thread
From: Shota Fukumori (sora_h) @ 2016-03-15 23:54 UTC (permalink / raw)
  To: Eric Wong; +Cc: russm, unicorn-public, yahns-public

On Wed, Mar 16, 2016 at 8:30 AM, Eric Wong <e@80x24.org> wrote:
> I've updated https://unicorn.bogomips.org/ with the above change,
> can you confirm it works for you?  If so, I'll update the yahns
> documentation.

It worked -- my browser now doesn't prompt about a certificate :)

-- 
Shota Fukumori a.k.a. @sora_h http://sorah.jp/

^ permalink raw reply	[flat|nested] 7+ messages in thread

* [PATCH] doc: recommend "verify_mode: OpenSSL::SSL::VERIFY_NONE"
  2016-03-15 23:54           ` Shota Fukumori (sora_h)
@ 2016-03-16  0:34             ` Eric Wong
  0 siblings, 0 replies; 7+ messages in thread
From: Eric Wong @ 2016-03-16  0:34 UTC (permalink / raw)
  To: yahns-public; +Cc: russm, Shota Fukumori (sora_h)

The Ruby default parameters on top of OpenSSL seem designed
for client usage.  For server usage, requiring client-side
certificate verification is uncommon for HTTPS sites.

So follow what WEBrick does for HTTPS and use SSL_VERIFY_NONE
in our documentation.

Thanks-to: Shota Fukumori (sora_h) <her@sorah.jp>
on the unicorn list:

<CA+wiQwuE=ya6F4s4k3GCTUppk7mbBOYOVwVXhTsX2SP8mgdmNQ@mail.gmail.com>
---
 (dropping unicorn-public from Cc: since this patch is for yahns)

 Documentation/yahns_config.pod | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/Documentation/yahns_config.pod b/Documentation/yahns_config.pod
index 1b2595b..d8c6801 100644
--- a/Documentation/yahns_config.pod
+++ b/Documentation/yahns_config.pod
@@ -446,7 +446,10 @@ An example which seems to work is:
   ssl_ctx.key = OpenSSL::PKey::RSA.new(
     IO.read('/etc/ssl/private/example.key')
   )
-  ssl_ctx.set_params # use defaults provided by Ruby on top of OpenSSL
+
+  # use defaults provided by Ruby on top of OpenSSL,
+  # but disable client certificate verification as it is rare:
+  ssl_ctx.set_params(verify_mode: OpenSSL::SSL::VERIFY_NONE)
 
   app(:rack, "/path/to/my/app/config.ru") do
     listen 443, ssl_ctx: ssl_ctx
-- 
EW

^ permalink raw reply	[flat|nested] 7+ messages in thread

end of thread, back to index

Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
     [not found] <CA+wiQwuE=ya6F4s4k3GCTUppk7mbBOYOVwVXhTsX2SP8mgdmNQ@mail.gmail.com>
2016-03-15  8:58 ` https://unicorn.bogomips.org accepts client certificate? Eric Wong
2016-03-15  9:21   ` Shota Fukumori (sora_h)
2016-03-15  9:43     ` russm
2016-03-15 23:20       ` Shota Fukumori (sora_h)
2016-03-15 23:30         ` Eric Wong
2016-03-15 23:54           ` Shota Fukumori (sora_h)
2016-03-16  0:34             ` [PATCH] doc: recommend "verify_mode: OpenSSL::SSL::VERIFY_NONE" Eric Wong

yahns Ruby server user/dev discussion

Archives are clonable:
	git clone --mirror https://yhbt.net/yahns-public
	git clone --mirror http://ou63pmih66umazou.onion/yahns-public

Example config snippet for mirrors

Newsgroups are available over NNTP:
	nntp://news.public-inbox.org/inbox.comp.lang.ruby.yahns
	nntp://ou63pmih66umazou.onion/inbox.comp.lang.ruby.yahns

 note: .onion URLs require Tor: https://www.torproject.org/

AGPL code for this site: git clone https://public-inbox.org/ public-inbox