Ruby Webrick server not able to verify client certificate - ruby

I am running a Sinatra-based web application using WEBrick. I was able to set up TLS using my self-signed server certificates and WEBrick starts in TLS mode, but I am not able to make a connection to the server using a client certificate (certificate-based authentication).
The server log says "ERROR OpenSSL::SSL::SSLError: SSL_accept returned=1 errno=0 state=error: certificate verify failed"
But the same certificates (both server and client) are working with the Apache server.
    require 'openssl'
    require 'rack'
    require 'rack/handler/webrick'

    # class method of the Sinatra::Base subclass (`settings` and `set` come from Sinatra)
    def self.run!
      server_options = {
        :Host => '0.0.0.0',
        :Port => 33443,
        :SSLEnable => true,
        # require a client certificate and verify it
        :SSLVerifyClient => OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT | OpenSSL::SSL::VERIFY_PEER,
        :SSLVerifyDepth => 3,
        :SSLCertificate => OpenSSL::X509::Certificate.new(File.read('/Users/cert.pem')),
        :SSLPrivateKey => OpenSSL::PKey::RSA.new(File.read('/Users/key.pem')),
        # CA that issued the client certificates; :SSLClientCA only advertises
        # the CA name to clients, it does not add the CA to the trust store
        :SSLClientCA => OpenSSL::X509::Certificate.new(File.read('/Users/cai.cer'))
      }
      Rack::Handler::WEBrick.run self, server_options do |server|
        [:INT, :TERM].each { |sig| trap(sig) { server.stop } }
        server.threaded = settings.threaded if server.respond_to? :threaded=
        set :running, true
      end
    end

This issue was fixed by providing the CA cert file as :SSLCACertificateFile in the server options instead of :SSLClientCA.
    server_options = {
      :Host => '0.0.0.0',
      :Port => 443,
      :SSLEnable => true,
      :SSLVerifyClient => OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT | OpenSSL::SSL::VERIFY_PEER,
      :SSLVerifyDepth => 4,
      :SSLCertificate => OpenSSL::X509::Certificate.new(File.read('/Users/cert.pem')),
      :SSLPrivateKey => OpenSSL::PKey::RSA.new(File.read('/Users/key.pem')),
      # loaded into the server's trust store (SSLContext#ca_file), so client
      # certificates issued by this CA chain to a trusted root; :SSLClientCA
      # (SSLContext#client_ca) only lists acceptable CA names in the
      # CertificateRequest message and adds nothing to the trust store
      :SSLCACertificateFile => '/Users/cai.cer'
    }
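As an added, runnable illustration of the answer (not code from the question, the answer or WEBrick itself): the script below builds a throwaway CA, server certificate and client certificate in memory, then performs three loopback handshakes using the same OpenSSL::SSL::SSLContext settings that WEBrick derives from the options above. The first handshake reproduces the question's configuration, where the CA is passed only as client_ca (what :SSLClientCA sets) and the server fails with "certificate verify failed"; the second loads the CA through ca_file (what :SSLCACertificateFile sets) and accepts the client; the third keeps ca_file but presents no client certificate, which VERIFY_FAIL_IF_NO_PEER_CERT rejects. The certificate names, the temporary CA file standing in for /Users/cai.cer and the loopback port are all constructed for the example.

```ruby
require 'openssl'
require 'socket'
require 'tempfile'

# Constructed throwaway PKI for this demo: one CA, one server cert, one client cert.
# issuer: is a [cert, key] pair; nil means self-signed.
def issue_cert(subject, key, serial, issuer: nil, ca: false)
  issuer_cert, issuer_key = issuer || [nil, key]
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  usage = ca ? 'keyCertSign,cRLSign' : 'digitalSignature,keyEncipherment'
  cert.add_extension(ef.create_extension('keyUsage', usage, true))
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# The context WEBrick builds from the two options in the question:
#   :SSLClientCA          -> ctx.client_ca  (CA names advertised in CertificateRequest only)
#   :SSLCACertificateFile -> ctx.ca_file    (CA actually loaded into the trust store)
def server_context(server_cert, server_key, ca_cert, ca_file: nil)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = server_cert
  ctx.key = server_key
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
  ctx.verify_depth = 4
  ctx.client_ca = [ca_cert]
  ctx.ca_file = ca_file if ca_file
  ctx
end

# A client that trusts the demo CA and optionally presents a client certificate.
def client_context(ca_cert, client_cert = nil, client_key = nil)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  ctx.cert_store = OpenSSL::X509::Store.new.tap { |s| s.add_cert(ca_cert) }
  if client_cert
    ctx.cert = client_cert
    ctx.key = client_key
  end
  ctx
end

# One TLS handshake over loopback; returns the server's verdict as [status, message].
def handshake(server_ctx, client_ctx)
  listener = TCPServer.new('127.0.0.1', 0)
  ssl_server = OpenSSL::SSL::SSLServer.new(listener, server_ctx)
  verdict = nil
  server = Thread.new do
    begin
      conn = ssl_server.accept   # raises SSLError when client-cert verification fails
      verdict = [:accepted, nil]
      conn.close rescue nil
    rescue OpenSSL::SSL::SSLError, SystemCallError, EOFError => e
      verdict = [:rejected, e.message]
    end
  end
  sock = TCPSocket.new('127.0.0.1', listener.addr[1])
  ssl = OpenSSL::SSL::SSLSocket.new(sock, client_ctx)
  ssl.sync_close = true
  begin
    ssl.connect
    ssl.close
  rescue OpenSSL::SSL::SSLError, SystemCallError, EOFError
    sock.close unless sock.closed?   # the server aborted the handshake
  end
  server.join
  listener.close
  verdict
end

def mtls_demo
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca_cert = issue_cert('/CN=Demo Client CA', ca_key, 1, ca: true)
  server_key = OpenSSL::PKey::RSA.new(2048)
  server_cert = issue_cert('/CN=localhost', server_key, 2, issuer: [ca_cert, ca_key])
  client_key = OpenSSL::PKey::RSA.new(2048)
  client_cert = issue_cert('/CN=demo-client', client_key, 3, issuer: [ca_cert, ca_key])
  ca_file = Tempfile.new(['client-ca', '.pem'])   # stands in for /Users/cai.cer
  ca_file.write(ca_cert.to_pem)
  ca_file.flush
  with_cert = client_context(ca_cert, client_cert, client_key)
  without_cert = client_context(ca_cert)
  {
    client_ca_only: handshake(server_context(server_cert, server_key, ca_cert), with_cert),
    ca_file: handshake(server_context(server_cert, server_key, ca_cert, ca_file: ca_file.path), with_cert),
    no_client_cert: handshake(server_context(server_cert, server_key, ca_cert, ca_file: ca_file.path), without_cert)
  }
ensure
  ca_file&.close!
end

mtls_demo.each { |name, (status, msg)| puts "#{name}: #{status} #{msg}" } if __FILE__ == $PROGRAM_NAME
```

Run it directly to print the three verdicts. The point for the server side: client_ca only controls which issuer names are advertised to the client in the CertificateRequest message; trust has to come from ca_file, ca_path or cert_store, otherwise chain building fails for every client certificate exactly as the log in the question shows.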

Related

Connect to a SOAP API with savon and specify Domain

With SoapUI, I am successfully connecting to a SOAP API with details such as:
Initial WSDL: http://11.11.1.11:7303/FOO/BAR/BAZ
Username: foo
Password: bar
Domain: example
But I am not sure how to do this with Savon. I am trying this (not quite understanding if ntlm is the correct setting here):
    require 'savon'

    savon_defaults = {
      :wsdl => "http://11.11.1.11:7303/FOO/BAR/BAZ",
      :ntlm => ["foo", "bar", "example"],
      :log_level => :debug,
      :pretty_print_xml => true,
      :log => true
    }
    #client = Savon.client(savon_defaults)
    #client.call(:foo, :message => {:bar => "baz"})
The above outputs:
    D, [2020-05-18T21:21:14.853929 #7156] DEBUG -- : HTTPI /peer GET request to 11.11.1.11 (httpclient)
    Savon::HTTPError: HTTP error (401)
Any ideas?

dh key too small (Net::LDAP::Error), Ruby

I am attempting to pull information from an LDAP database. When I do, I get the following error:
    /.rbenv/versions/2.3.3/lib/ruby/gems/2.3.0/gems/net-ldap-0.15.0/lib/net/ldap/connection.rb:64:in `open_connection': SSL_connect returned=1 errno=0 state=error: dh key too small (Net::LDAP::Error)
    from /home/jphamlett/.rbenv/versions/2.3.3/lib/ruby/gems/2.3.0/gems/net-ldap-0.15.0/lib/net/ldap/connection.rb:699:in `socket'
    from /home/jphamlett/.rbenv/versions/2.3.3/lib/ruby/gems/2.3.0/gems/net-ldap-0.15.0/lib/net/ldap.rb:1311:in `new_connection'
    from /home/jphamlett/.rbenv/versions/2.3.3/lib/ruby/gems/2.3.0/gems/net-ldap-0.15.0/lib/net/ldap.rb:1288:in `use_connection'
    from /home/jphamlett/.rbenv/versions/2.3.3/lib/ruby/gems/2.3.0/gems/net-ldap-0.15.0/lib/net/ldap.rb:771:in `block in search'
    from /home/jphamlett/.rbenv/versions/2.3.3/lib/ruby/gems/2.3.0/gems/net-ldap-0.15.0/lib/net/ldap/instrumentation.rb:19:in `instrument'
    from /home/jphamlett/.rbenv/versions/2.3.3/lib/ruby/gems/2.3.0/gems/net-ldap-0.15.0/lib/net/ldap.rb:770:in `search'
    from /home/jphamlett/.rbenv/versions/2.3.3/lib/ruby/gems/2.3.0/gems/net-ldap-0.15.0/lib/net/ldap.rb:1195:in `search_root_dse'
    from /home/jphamlett/.rbenv/versions/2.3.3/lib/ruby/gems/2.3.0/gems/net-ldap-0.15.0/lib/net/ldap.rb:1261:in `paged_searches_supported?'
    from /home/jphamlett/.rbenv/versions/2.3.3/lib/ruby/gems/2.3.0/gems/net-ldap-0.15.0/lib/net/ldap.rb:763:in `search'
    from ldap.rb:15:in `<main>'
Here is my code:
    require 'net/ldap'
    require 'openssl'

    ldap = Net::LDAP.new :host => "ldap.umn.edu",   # your LDAP host name or IP goes here
                         :port => 636,              # your LDAP host port goes here
                         # :encryption takes a single hash holding the method and the TLS options
                         :encryption => {
                           :method => :simple_tls,
                           # VERIFY_NONE skips checking the server's certificate entirely
                           :tls_options => { :verify_mode => OpenSSL::SSL::VERIFY_NONE }
                         },
                         :base => "o=University of Minnesota,c=US", # the base of your AD tree goes here
                         :auth => {
                           :method => :simple,
                           :username => "", # a user w/sufficient privileges to read from AD goes here
                           :password => ""  # the user's password goes here
                         }
    search_filter = Net::LDAP::Filter.eq("uid", "hamle010")
    ldap.search(:filter => search_filter, :return_result => false) { |item|
      puts item
    }
I have tried changing the auth from simple to anonymous, because this LDAP server supposedly supports it. I have also tried using start_tls instead of simple_tls.
I had this working one time. I have not changed the code at all, and a minute later it started failing again. I am very sure the LDAP server is running.
How do I resolve this issue?

Binding to LDAP with multiple certs in Ruby

I'm using the https://github.com/ruby-ldap/ruby-net-ldap gem to connect/bind to LDAP:
    require 'net/ldap'

    treebase = "ou=xxxxxx,dc=xxxxx,dc=xx"
    credentials = {
      :username => "myusername,ou=xxxxxx,dc=xxxxx,dc=xx",
      :password => "password"
    }
    encryption = {
      :method => :simple_tls,
      # pem_folder = folder that contains multiple pem files
      :tls_options => { :ca_path => "folder/Chain/pem_folder" }
    }
    ldap = Net::LDAP.new :host => "hostname.example.com",
                         :port => 636,
                         :encryption => encryption,
                         :base => treebase,
                         :auth => credentials
    ldap.bind
The above code results in:
    ruby-2.2.2/gems/net-ldap-0.12.1/lib/net/ldap/connection.rb:47:in `open_connection': SSL_connect returned=1 errno=0 state=error: certificate verify failed (Net::LDAP::Error)
I have a feeling it has something to do with the multiple certs, but I'm not sure.
What worked for me was:
Make sure you are connected to the VPN if you need to be on the network.
Follow the instructions here, especially the part about rehashing with c_rehash.
My username was also missing uid= before, which was causing the failed binding.
Stack Overflow also helped, but I used the Figaro gem instead.
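To show what the c_rehash step in the answer above actually changes, here is an added example (not part of the answer or of the net-ldap gem) that uses OpenSSL::X509::Store directly, which is what net-ldap's tls_options ca_path ends up configuring. OpenSSL does not read every file in a ca_path directory: during verification it looks for a file named after the hash of the issuer's subject name, and that hash-named link is what c_rehash creates. The example constructs a single self-signed CA (no chain, unlike a real deployment), writes it into a temporary directory first under an ordinary file name and then under its hash name, and checks verification against the directory both times.

```ruby
require 'openssl'
require 'tmpdir'

# Constructed self-signed CA used only for this demonstration.
def make_self_signed_ca(common_name)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# The file name c_rehash creates (normally as a symlink) for a certificate:
# the hex subject-name hash plus ".0" (".1", ".2", ... on collisions).
def rehash_name(cert)
  format('%08x.0', cert.subject.hash)
end

# Does a store that knows only this directory (like tls_options[:ca_path]) accept the CA?
def verifies_with_ca_path?(dir, cert)
  store = OpenSSL::X509::Store.new
  store.add_path(dir)
  store.verify(cert)
end

def ca_path_demo
  ca = make_self_signed_ca('Demo LDAP CA')
  Dir.mktmpdir do |dir|
    # 1. the PEM dropped into the folder under a human-readable name only
    File.write(File.join(dir, 'ldap-ca.pem'), ca.to_pem)
    before = verifies_with_ca_path?(dir, ca)
    # 2. the hash-named copy that c_rehash would have added
    File.write(File.join(dir, rehash_name(ca)), ca.to_pem)
    after = verifies_with_ca_path?(dir, ca)
    { before_rehash: before, after_rehash: after }
  end
end

puts ca_path_demo.inspect if __FILE__ == $PROGRAM_NAME
```

rehash_name produces the same value `openssl x509 -subject_hash -noout -in ca.pem` prints, so an existing folder can be checked by comparing its file names against that value for each CA in the chain; if none match, the directory is effectively empty as far as OpenSSL's lookup is concerned, whatever PEM files it contains.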

Getting email to work on openshift ruby application

I can't seem to get email for password recovery using Devise to work on my OpenShift app. I'm using Rails 4.0.2 and Ruby 1.9.3. I've tried the following in production.rb:
    config.action_mailer.default_url_options = { :host => 'mydomain.com' }
    config.action_mailer.delivery_method = :smtp
    config.action_mailer.smtp_settings = {
      :port => 25,
      :address => 'smtp.mailgun.org',
      :user_name => 'postmaster#domain.com',
      :password => '[password]',
      :domain => 'mydomain.com.mailgun.domain',
      :authentication => :plain,
    }
I've also done the settings required for Google use, and both worked fine in development locally. I also tried ports 465 and 587, as described here. Sending mail unfortunately still isn't performed in production. The app just throws an error with nothing in the logs.

Send emails with Padrino in Heroku

I'm trying to send emails via sendmail in Padrino. I did the configuration specified here (Configuration and Quick Usage).
But I always get the following error in the server log (on Heroku or localhost):
    app[web.1]: sh: Illegal option -
    app[web.1]: Errno::EPIPE - Broken pipe:
I installed the mail gem and I'm using Padrino 0.10.7.
I'm using this to send the email:
    post :create do
      email(:from => "tony#reyes.com", :to => "john#smith.com", :subject => "Welcome!", :body => "Body")
    end
That's practically all I have...
You should be using one of the partner add-ons for sending mail with Heroku.
A good option is SendGrid:
    heroku addons:add sendgrid:starter --app=your_app_name
Then in your Padrino app, in app.rb inside your App class:
    set :delivery_method, :smtp => {
      :address => "smtp.sendgrid.net",
      :port => 587,
      :domain => 'heroku.com',
      :user_name => ENV['SENDGRID_USERNAME'],
      :password => ENV['SENDGRID_PASSWORD'],
      :authentication => :plain,
      :enable_starttls_auto => true
    }
You could substitute these with settings for another external SMTP server, or look at Mandrill for transactional emails.
I suspect the Errno::EPIPE error you were seeing was because it could not connect to a valid SMTP server, so your controller code should be fine as it is.
Pat is right, you don't need an add-on; just configure your app.rb like stef suggests and you're good to go. So, for example, we use Gmail and our config looks something like this:
    set :delivery_method, :smtp => {
      :address => "smtp.domain.com",
      :port => 587,
      :domain => 'rails.domain.com',
      :user_name => "rails#domain.com",
      :password => "super-secret",
      :authentication => "plain",
      :enable_starttls_auto => true,
      # disables verification of the SMTP server's certificate
      :openssl_verify_mode => OpenSSL::SSL::VERIFY_NONE
    }
