* Re: https://unicorn.bogomips.org accepts client certificate?
From: Eric Wong @ 2016-03-15 8:58 UTC
To: Shota Fukumori (sora_h); +Cc: unicorn-public, yahns-public

"Shota Fukumori (sora_h)" <her@sorah.jp> wrote:
> Hi,
>
> I found that https://unicorn.bogomips.org/ accepts client certificates.
> My browser prompts for which certificate to use for a connection, even
> though https://unicorn.bogomips.org/ doesn't require a client certificate.

+Cc yahns-public@yhbt.net

Likely a bug in yahns or the OpenSSL configuration of it.

I have also been running some experimental ruby-trunk or yahns patches
related to https://bugs.ruby-lang.org/issues/12126 so maybe I left
something out in a deployment[1]...

Which client(s) are you using?  curl, w3m, lynx on both Debian jessie
and wheezy all seem fine.

    openssl s_client -connect unicorn.bogomips.org:443 -CApath /etc/ssl/

Also seems fine.  As does the following Ruby snippet:

    require 'uri'
    require 'net/https'

    # plain client-side TLS; no client certificate is configured here
    uri = URI('https://unicorn.bogomips.org/')
    req = Net::HTTP::Get.new(uri)
    res = Net::HTTP.start(uri.hostname, uri.port, use_ssl: true) do |http|
      p http.request(req)
    end

I suppose there will be problems with old clients that can't handle SNI
or newer/stronger encryption.

> My colleagues and I are surprised about the browser asking for it.  I guess
> this is unexpected behavior, is it expected?

I've not advertised the https site for unicorn yet; it's just an
experiment at this point[2]

Given the flurry of 1.12.x releases regarding TLS issues in yahns,
it's safe to say there are likely bugs in how yahns does TLS:
http://yhbt.net/yahns-public/20160229-yahns-1.12.2-unle@shed/t/

Fwiw, here's the OpenSSL SSLContext config I use with yahns 1.12.2:

    require 'openssl'

    ctx = OpenSSL::SSL::SSLContext.new
    # server certificate, its intermediate chain, and the private key
    ctx.cert = OpenSSL::X509::Certificate.new(IO.read(
      '/etc/ssl/certs/dcvr.yhbt.net.crt'))
    ctx.extra_chain_cert = [
      OpenSSL::X509::Certificate.new(IO.read(
        '/etc/ssl/certs/dcvr.yhbt.net.chain.crt'))
    ]
    ctx.key = OpenSSL::PKey::RSA.new(IO.read(
      '/etc/ssl/private/dcvr.yhbt.net.key'))
    ctx.set_params

I'm really not that knowledgeable when it comes to OpenSSL[3].
Is there a WEBrick or similar pure Ruby config you can mimic the
problem with?

[1] Anyways, I'm on yahns 1.12.2 now; my curl check runs periodically
    and has never reported any TLS-related error in weeks.

[2] And it will remain experimental indefinitely given my lack of trust
    in both the CA system and the quality of OpenSSL itself.

[3] I'm afraid my attempt to use/read the openssl C library code back
    in the 2000s traumatized me for good :x
* Re: https://unicorn.bogomips.org accepts client certificate?
From: Shota Fukumori (sora_h) @ 2016-03-15 9:21 UTC
To: Eric Wong; +Cc: unicorn-public, yahns-public

Confirmed with at least Chrome, Safari, Firefox on OS X El Capitan, and
Microsoft Edge on Windows 10.

> I've not advertised the https site for unicorn yet;

I thought so too, but at least Google is using the https URL in its
search results.

--
Shota Fukumori a.k.a. @sora_h
http://sorah.jp/
* Re: https://unicorn.bogomips.org accepts client certificate?
From: russm @ 2016-03-15 9:43 UTC
To: Shota Fukumori (sora_h); +Cc: Eric Wong, unicorn-public, yahns-public

On Tue, Mar 15, 2016 at 06:21:01PM +0900, Shota Fukumori (sora_h) wrote:
> Confirmed with at least Chrome, Safari, Firefox on OS X El Capitan, and
> Microsoft Edge on Windows 10.

FWIW, I see this with Chrome 49 on OSX 10.11, but *not* Chrome 49 on
Debian 8.
* Re: https://unicorn.bogomips.org accepts client certificate?
From: Shota Fukumori (sora_h) @ 2016-03-15 23:20 UTC
To: russm; +Cc: Eric Wong, unicorn-public, yahns-public

To be clear, you have to have a client certificate in your certificate
manager to be prompted.  The server doesn't specify acceptable client
certificate CA names, so any client certificate is OK.

On Tue, Mar 15, 2016 at 6:43 PM, russm <russm-rubyforge@slofith.org> wrote:
> On Tue, Mar 15, 2016 at 06:21:01PM +0900, Shota Fukumori (sora_h) wrote:
>> Confirmed with at least Chrome, Safari, Firefox on OS X El Capitan, and
>> Microsoft Edge on Windows 10.
>
> FWIW, I see this with Chrome 49 on OSX 10.11, but *not* Chrome 49 on
> Debian 8.

--
Shota Fukumori a.k.a. @sora_h
http://sorah.jp/
* Re: https://unicorn.bogomips.org accepts client certificate?
From: Eric Wong @ 2016-03-15 23:30 UTC
To: Shota Fukumori (sora_h); +Cc: russm, unicorn-public, yahns-public

"Shota Fukumori (sora_h)" <her@sorah.jp> wrote:
> To be clear, you have to have a client certificate in your certificate
> manager to be prompted.
> The server doesn't specify acceptable client certificate CA names, so any
> client certificate is OK.

Thanks for the report, I think I just fixed the problem:

    ctx.set_params # reasonable defaults for clients, apparently

However, webrick and drb both set VERIFY_NONE for servers:

    ctx.set_params(verify_mode: OpenSSL::SSL::VERIFY_NONE)

I've updated https://unicorn.bogomips.org/ with the above change,
can you confirm it works for you?  If so, I'll update the yahns
documentation.
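The mechanism Shota and Eric describe above, shown in working code. This is an added example (mine, not code from the thread, from yahns, or from Ruby's openssl bindings): a loopback TLS server whose SSLContext is configured like the two yahns variants discussed (bare `set_params`, then `set_params(verify_mode: OpenSSL::SSL::VERIFY_NONE)`), and a client that records whether it was asked for a certificate. The client relies on `SSLContext#client_cert_cb`, which OpenSSL invokes only after a CertificateRequest has arrived, i.e. at the moment a browser would show its certificate chooser. The self-signed throwaway certificates, the helper names `self_signed` and `probe_client_auth`, and the CNs `demo-server`/`demo-client` are this example's own assumptions.

```ruby
require 'openssl'
require 'socket'

# Added example (not code from the thread, from yahns, or from Ruby's
# openssl bindings). It reproduces the behaviour discussed above on a
# loopback socket: a server context left at SSLContext#set_params defaults
# asks every client for a certificate, one set to VERIFY_NONE does not.
# All helper names and the CNs "demo-server"/"demo-client" are this
# example's own; the certificates are throwaway test material generated
# fresh on every run.

# Build a self-signed X.509v3 certificate for +cn+ signed with +key+.
# No extensions are added on purpose: a self-signed cert without a
# keyUsage extension is accepted as its own trust anchor by OpenSSL,
# which is what lets the demo client's cert pass verification below.
def self_signed(cn, key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = OpenSSL::BN.rand(64)
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key            # only the public half is encoded
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Run one TLS handshake over 127.0.0.1. +server_params+ goes straight to
# SSLContext#set_params, exactly as in the yahns config: {} reproduces the
# original deployment, {verify_mode: VERIFY_NONE} the fix.
# Returns whether the client was asked for a certificate and the subject
# of whatever client certificate the server saw (nil if none).
def probe_client_auth(server_params = {})
  server_key = OpenSSL::PKey::EC.generate("prime256v1")
  client_key = OpenSSL::PKey::EC.generate("prime256v1")
  server_cert = self_signed("demo-server", server_key)
  client_cert = self_signed("demo-client", client_key)

  sctx = OpenSSL::SSL::SSLContext.new
  sctx.cert = server_cert
  sctx.key = server_key
  sctx.set_params(server_params)   # default verify_mode is VERIFY_PEER
  # Trust store used for client certificates (only consulted under
  # VERIFY_PEER). Trusting the demo client cert keeps the handshake alive
  # so we can see what the server received; a real deployment would point
  # this at its own client CA instead.
  store = OpenSSL::X509::Store.new
  store.add_cert(client_cert)
  sctx.cert_store = store

  tcp = TCPServer.new("127.0.0.1", 0)
  server = Thread.new do
    sock = tcp.accept
    ssl = OpenSSL::SSL::SSLSocket.new(sock, sctx)
    ssl.accept
    peer = ssl.peer_cert           # nil unless the client sent a certificate
    ssl.gets                       # the client's request line
    ssl.write("ok\n")
    ssl.close
    sock.close
    peer && peer.subject.to_s
  end

  requested = false
  cctx = OpenSSL::SSL::SSLContext.new
  cctx.set_params(verify_mode: OpenSSL::SSL::VERIFY_NONE)  # demo server cert is self-signed
  # OpenSSL invokes client_cert_cb only after it has received a
  # CertificateRequest from the server; this is the moment a browser with
  # a client certificate installed pops up its certificate chooser.
  cctx.client_cert_cb = proc do |_ssl|
    requested = true
    [client_cert, client_key]
  end

  sock = TCPSocket.new("127.0.0.1", tcp.addr[1])
  ssl = OpenSSL::SSL::SSLSocket.new(sock, cctx)
  ssl.connect
  ssl.write("GET / HTTP/1.0\r\n\r\n")
  ssl.gets
  ssl.close
  sock.close

  result = { requested: requested, peer_subject: server.value }
  tcp.close
  result
end

if __FILE__ == $0
  p probe_client_auth({})                                       # as deployed
  p probe_client_auth(verify_mode: OpenSSL::SSL::VERIFY_NONE)   # the fix
end
```

The first probe returns `{requested: true, peer_subject: "/CN=demo-client"}`: the server sent a CertificateRequest with an empty CA list (nothing was configured via `client_ca`, which matches Shota's observation that any certificate is offered) and the browser-equivalent callback fired. The second returns `{requested: false, peer_subject: nil}`. A service that really wants client certificates keeps VERIFY_PEER (usually together with `VERIFY_FAIL_IF_NO_PEER_CERT`), restricts `cert_store`/`ca_file` to its own client CA, and sets `client_ca` so browsers only offer certificates from that CA.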
* Re: https://unicorn.bogomips.org accepts client certificate?
From: Shota Fukumori (sora_h) @ 2016-03-15 23:54 UTC
To: Eric Wong; +Cc: russm, unicorn-public, yahns-public

On Wed, Mar 16, 2016 at 8:30 AM, Eric Wong <e@80x24.org> wrote:
> I've updated https://unicorn.bogomips.org/ with the above change,
> can you confirm it works for you?  If so, I'll update the yahns
> documentation.

It worked -- my browser now doesn't prompt about a certificate :)

--
Shota Fukumori a.k.a. @sora_h
http://sorah.jp/
* [PATCH] doc: recommend "verify_mode: OpenSSL::SSL::VERIFY_NONE" 2016-03-15 23:54 ` Shota Fukumori (sora_h) @ 2016-03-16 0:34 ` Eric Wong 0 siblings, 0 replies; 7+ messages in thread From: Eric Wong @ 2016-03-16 0:34 UTC (permalink / raw) To: yahns-public; +Cc: russm, Shota Fukumori (sora_h) The Ruby default parameters on top of OpenSSL seem designed for client usage. For server usage, requiring client-side certificate verification is uncommon for HTTPS sites. So follow what WEBrick does for HTTPS and use SSL_VERIFY_NONE in our documentation. Thanks-to: Shota Fukumori (sora_h) <her@sorah.jp> on the unicorn list: <CA+wiQwuE=ya6F4s4k3GCTUppk7mbBOYOVwVXhTsX2SP8mgdmNQ@mail.gmail.com> --- (dropping unicorn-public from Cc: since this patch is for yahns) Documentation/yahns_config.pod | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/Documentation/yahns_config.pod b/Documentation/yahns_config.pod index 1b2595b..d8c6801 100644 --- a/Documentation/yahns_config.pod +++ b/Documentation/yahns_config.pod @@ -446,7 +446,10 @@ An example which seems to work is: ssl_ctx.key = OpenSSL::PKey::RSA.new( IO.read('/etc/ssl/private/example.key') ) - ssl_ctx.set_params # use defaults provided by Ruby on top of OpenSSL + + # use defaults provided by Ruby on top of OpenSSL, + # but disable client certificate verification as it is rare: + ssl_ctx.set_params(verify_mode: OpenSSL::SSL::VERIFY_NONE) app(:rack, "/path/to/my/app/config.ru") do listen 443, ssl_ctx: ssl_ctx -- EW ^ permalink raw reply related [flat|nested] 7+ messages in thread
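Review bot: the new comment in the hunk ("disable client certificate verification as it is rare") understates why the change matters; with the default verify_mode of VERIFY_PEER the server sends a CertificateRequest on every handshake, so any browser holding a client certificate prompts the user, which is the bug this thread reports. Suggest saying that in the comment, and adding the flip side for deployments that do want client certificates: keep VERIFY_PEER (usually with VERIFY_FAIL_IF_NO_PEER_CERT) and point ca_file/cert_store at the issuing CA, otherwise readers may copy VERIFY_NONE into a setup that needs client auth. Minor: the commit message says SSL_VERIFY_NONE while the hunk uses OpenSSL::SSL::VERIFY_NONE; the Ruby constant name is the one readers will search the docs for.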