dh key too small (Net::LDAP::Error), Ruby

I am attempting to pull information from an LDAP database. When I do, I get the following error:
/.rbenv/versions/2.3.3/lib/ruby/gems/2.3.0/gems/net-ldap-0.15.0/lib/net/ldap/connection.rb:64:in `open_connection': SSL_connect returned=1 errno=0 state=error: dh key too small (Net::LDAP::Error)
from /home/jphamlett/.rbenv/versions/2.3.3/lib/ruby/gems/2.3.0/gems/net-ldap-0.15.0/lib/net/ldap/connection.rb:699:in `socket'
from /home/jphamlett/.rbenv/versions/2.3.3/lib/ruby/gems/2.3.0/gems/net-ldap-0.15.0/lib/net/ldap.rb:1311:in `new_connection'
from /home/jphamlett/.rbenv/versions/2.3.3/lib/ruby/gems/2.3.0/gems/net-ldap-0.15.0/lib/net/ldap.rb:1288:in `use_connection'
from /home/jphamlett/.rbenv/versions/2.3.3/lib/ruby/gems/2.3.0/gems/net-ldap-0.15.0/lib/net/ldap.rb:771:in `block in search'
from /home/jphamlett/.rbenv/versions/2.3.3/lib/ruby/gems/2.3.0/gems/net-ldap-0.15.0/lib/net/ldap/instrumentation.rb:19:in `instrument'
from /home/jphamlett/.rbenv/versions/2.3.3/lib/ruby/gems/2.3.0/gems/net-ldap-0.15.0/lib/net/ldap.rb:770:in `search'
from /home/jphamlett/.rbenv/versions/2.3.3/lib/ruby/gems/2.3.0/gems/net-ldap-0.15.0/lib/net/ldap.rb:1195:in `search_root_dse'
from /home/jphamlett/.rbenv/versions/2.3.3/lib/ruby/gems/2.3.0/gems/net-ldap-0.15.0/lib/net/ldap.rb:1261:in `paged_searches_supported?'
from /home/jphamlett/.rbenv/versions/2.3.3/lib/ruby/gems/2.3.0/gems/net-ldap-0.15.0/lib/net/ldap.rb:763:in `search'
from ldap.rb:15:in `<main>'
Here is my code:
require 'net/ldap'

ldap = Net::LDAP.new :host => "ldap.umn.edu",   # your LDAP host name or IP goes here
                     :port => "636",            # your LDAP host port goes here
                     :encryption => :simple_tls,
                     tls_options: { verify_mode: OpenSSL::SSL::VERIFY_NONE },
                     :base => "o=University of Minnesota,c=US", # the base of your AD tree goes here
                     :auth => {
                       :method => :simple,
                       :username => "", # a user w/sufficient privileges to read from AD goes here
                       :password => ""  # the user's password goes here
                     }

search_filter = Net::LDAP::Filter.eq("uid", "hamle010")
ldap.search(:filter => search_filter, :return_result => false) { |item|
  puts item
}
I have tried changing the auth from simple to anonymous, because this ldap supports it supposedly. I have also tried using start_tls instead of simple_tls.
I had this working one time. I have not changed the code at all, and a minute later it started failing again. I am very sure the LDAP server is running.
How do I resolve this issue?

Related

Ruby Webrick server not able to verify client certificate

I am running a Sinatra-based web application using Webrick. I was able to set up TLS using my self-signed server certificates and Webrick starts in TLS mode, but I am not able to make a connection to the server using a client certificate (cert-based authentication).
The server logs say "ERROR OpenSSL::SSL::SSLError: SSL_accept returned=1 errno=0 state=error: certificate verify failed"
But the same certificates (both server and client) are working with apache server.
def self.run!
  server_options = {
    :Host => '0.0.0.0',
    :Port => 33443,
    :SSLEnable => true,
    :SSLVerifyClient => OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT | OpenSSL::SSL::VERIFY_PEER,
    :SSLVerifyDepth => 3,
    :SSLCertificate => OpenSSL::X509::Certificate.new(File.open('/Users/cert.pem').read),
    :SSLPrivateKey => OpenSSL::PKey::RSA.new(File.open('/Users/key.pem').read),
    :SSLClientCA => OpenSSL::X509::Certificate.new(File.open('/Users/cai.cer').read)
  }
  Rack::Handler::WEBrick.run self, server_options do |server|
    [:INT, :TERM].each { |sig| trap(sig) { server.stop } }
    server.threaded = settings.threaded if server.respond_to? :threaded=
    set :running, true
  end
end
This issue was fixed by providing the cacert file as :SSLCACertificateFile in server options instead of :SSLClientCA.
server_options = {
  :Host => '0.0.0.0',
  :Port => 443,
  :SSLEnable => true,
  :SSLVerifyClient => OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT | OpenSSL::SSL::VERIFY_PEER,
  :SSLVerifyDepth => 4,
  :SSLCertificate => OpenSSL::X509::Certificate.new(File.open('/Users/cert.pem').read),
  :SSLPrivateKey => OpenSSL::PKey::RSA.new(File.open('/Users/key.pem').read),
  :SSLCACertificateFile => '/Users/cai.cer'
}

SSL_connect returned=1 errno=0 state=unknown state: unknown protocol

After reading through many posts I couldn't find a solution to my problem. I've made a test connection with www.smtper.net which was successful. My error.log only tells me the error:
OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=unknown state: unknown protocol
app/controllers/passwords_controller.rb:11:in `create'
Maybe it has something to do with my nginx settings?
Issue
I'm trying to configure my smtp via mailgun (or gmail) but without success.
My configuration in development.rb looks like:
config.action_mailer.default_url_options = { :host => "xxxxx:8765" }
config.action_mailer.delivery_method = :smtp
config.action_mailer.perform_deliveries = true
config.action_mailer.smtp_settings = {
  :address => "smtp.gmail.com",
  :port => 587,
  :domain => "mail.google.com",
  :user_name => "xxx@gmail.com",
  :password => "xxxxxx",
  :authentication => :plain,
  :enable_starttls_auto => true
}
And the error is thrown at the action create, line 11:
AccountMailer.password_reset_email(@account).deliver
I have installed OpenSSL 1.0.1f on my development server
TRACE
/root/.rbenv/versions/2.5.1/lib/ruby/2.5.0/net/protocol.rb:44:in `connect_nonblock'
/root/.rbenv/versions/2.5.1/lib/ruby/2.5.0/net/protocol.rb:44:in `ssl_socket_connect'
/root/.rbenv/versions/2.5.1/lib/ruby/2.5.0/net/smtp.rb:584:in `tlsconnect'
/root/.rbenv/versions/2.5.1/lib/ruby/2.5.0/net/smtp.rb:552:in `do_start'
/root/.rbenv/versions/2.5.1/lib/ruby/2.5.0/net/smtp.rb:518:in `start'
mail (2.7.0) lib/mail/network/delivery_methods/smtp.rb:109:in `start_smtp_session'
mail (2.7.0) lib/mail/network/delivery_methods/smtp.rb:100:in `deliver!'
mail (2.7.0) lib/mail/message.rb:2160:in `do_delivery'
mail (2.7.0) lib/mail/message.rb:260:in `block in deliver'
actionmailer (4.2.8) lib/action_mailer/base.rb:543:in `block in deliver_mail'
activesupport (4.2.8) lib/active_support/notifications.rb:164:in `block in instrument'
activesupport (4.2.8) lib/active_support/notifications/instrumenter.rb:20:in `instrument'
activesupport (4.2.8) lib/active_support/notifications.rb:164:in `instrument'
actionmailer (4.2.8) lib/action_mailer/base.rb:541:in `deliver_mail'
mail (2.7.0) lib/mail/message.rb:260:in `deliver'
actionmailer (4.2.8) lib/action_mailer/message_delivery.rb:85:in `deliver_now'
actionmailer (4.2.8) lib/action_mailer/message_delivery.rb:105:in `deliver'
app/controllers/passwords_controller.rb:11:in `create'
What happens if you try these settings and get rid of everything else you currently have?
# /config/environments/development.rb
# Gmail configuration
config.action_mailer.raise_delivery_errors = true
config.action_mailer.delivery_method = :smtp
config.action_mailer.smtp_settings = {
  address: 'smtp.gmail.com',
  port: 587,
  domain: 'example.com',
  user_name: ENV['EMAIL_USER'],
  password: ENV['EMAIL_PASS'],
  authentication: 'plain',
  enable_starttls_auto: true
}
I'm not sure you need to monkey with smtper.net, but perhaps see this; even though it's very old, it probably should still work:
http://blog.napcs.com/2013/07/21/rails_ssl_simple_wa/
You'll need to set those environment variables as you obviously should never want to commit credentials in your git repo.
But also see these posts as you may need to do some other things for gmail
(Ruby) Getting Net::SMTP working with Gmail...?
Rails 4, how to correctly configure smtp settings (gmail)

Binding to LDAP with multiple certs. in ruby

I'm using https://github.com/ruby-ldap/ruby-net-ldap gem to connect/bind to LDAP
treebase = "ou=xxxxxx,dc=xxxxx,dc=xx"
credentials = {
  :username => "myusername,ou=xxxxxx,dc=xxxxx,dc=xx",
  :password => "password"
}
encryption = {
  :method => :simple_tls,
  :tls_options => { :ca_path => "folder/Chain/pem_folder" }
}
# pem_folder = folder that contains multiple pem files
ldap = Net::LDAP.new :host => "hostname.example.com",
                     :port => 636,
                     :encryption => encryption,
                     :base => treebase,
                     :auth => credentials
ldap.bind
The above code results in
ruby-2.2.2/gems/net-ldap-0.12.1/lib/net/ldap/connection.rb:47:in `open_connection': SSL_connect returned=1 errno=0 state=error: certificate verify failed (Net::LDAP::Error)
I have a feeling it has something to do with the multiple certs but not sure.
What worked for me was:
Make sure you are connected to the VPN, if that is needed to be on the network.
Follow the instructions here, especially the part about rehashing with c_rehash.
My username was also missing uid= at the start, which was causing the bind to fail.
Stack Overflow also helped, but I used the Figaro gem instead.

SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed MAC

I'm attempting to use the SoundCloud SDK for user authentication. My first route after a user clicks "sign in":
get "/login" do
  client = Soundcloud.new(:client_id => 'MY_ID',
                          :client_secret => 'MY_SECRET',
                          :redirect_uri => 'http://localhost:9393/signed_in')
  redirect client.authorize_url()
end
I then have the next route where they are redirected:
get "/signed_in" do
  client = Soundcloud.new(:client_id => '16d6ada1a0cfc5009f7d59d203a13b2f',
                          :client_secret => '845df7d44dc4e359fedc8ed5944d29a5',
                          :redirect_uri => 'http://localhost:9393/signed_in')
  code = params[:code]
  access_token = client.exchange_token(:code => code)
end
I can successfully hit the redirect URL and a code is passed back, but I receive the following error from Sinatra:
OpenSSL::SSL::SSLError at /signed_in
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
I've read these popular articles:
http://railsapps.github.io/openssl-certificate-verify-failed.html
SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
amongst many others
When I type:
rvm osx-ssl-certs status all
my result is
Certificates for /usr/local/etc/openssl/cert.pem: Up to date.
I'm currently using ruby 2.1.1 on Mac 10.6.8. I've gone thru about 20 stack overflow questions on this topic and I'm unable to move past this issue.
Download http://curl.haxx.se/ca/ca-bundle.crt
Copy certificate into /usr/local/etc/openssl/certs/
Make omniauth.rb look like this:
options = {
  scope: "email",
  :prompt => "select_account",
  access_type: 'offline',
  :client_options => {
    :ssl => {
      :ca_file => "/usr/local/etc/openssl/certs/ca-bundle.crt",
      :ca_path => "/usr/local/etc/openssl/certs"
    }
  }
}
Rails.application.config.middleware.use OmniAuth::Builder do
  provider :google_oauth2, Rails.application.secrets.client_id, Rails.application.secrets.client_secret, options
end
There is a gem to fix this issue; try adding gem 'certified', '~> 1.0' to your Gemfile.

Ruby: Does NET::LDAP plus start_tls support certificate validation?

I am reading documents regarding NET::LDAP with TLS. But I could not find any mentioning regarding enforcing certificate validation with start_tls. The sample code is attached below.
ldap = Net::LDAP.new :host => params["host"],
                     :base => params["base_dn"],
                     :encryption => :start_tls,
                     :port => params["port"],
                     :auth => { :username => params["bind_dn"],
                                :password => params["bind_pw"],
                                :method => :simple }
The document here "http://net-ldap.rubyforge.org/Net/LDAP.html#method-i-encryption" mentions there is no SSL certificate validation for simple_tls. But there is no information regarding start_tls.
No, I checked the latest 0.6.1 version; this functionality is still missing.
simple_tls is actually LDAPS, which is usually on port 636.
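The first question's { verify_mode: VERIFY_NONE } and this last question about validation with start_tls come down to the same thing, what the client puts in tls_options, which net-ldap hands to OpenSSL::SSL::SSLContext#set_params, so the keys below (verify_mode, cert_store, verify_hostname, and likewise the ca_path from the multiple-certs question) are what Net::LDAP.new would take. This is an added example, not code from any of these posts or from the net-ldap gem: it starts a throwaway TLS listener with a constructed self-signed certificate and runs three clients against it, the question's VERIFY_NONE, VERIFY_PEER against the system CAs, and VERIFY_PEER with that certificate pinned in a cert_store. The host name ldap.example.test and all function names are made up for the example.

```ruby
require 'openssl'
require 'socket'
# Throwaway TLS listener on 127.0.0.1 with a constructed self-signed cert for cn, standing in for
# an LDAPS server. Clients that reject the cert make accept raise on our side; swallow that.
def start_fake_ldaps(cn)
  key = OpenSSL::PKey::RSA.generate(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{cn}"))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert, ctx.key = cert, key
  tcp = TCPServer.new('127.0.0.1', 0)
  srv = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  [tcp.addr[1], cert, Thread.new { loop { (srv.accept.close rescue nil) } }]
end
# tls_options in the shape net-ldap forwards to SSLContext#set_params (each key is a setter).
# The question's { verify_mode: VERIFY_NONE } accepts any certificate; this pins a trust anchor.
def hardened_tls_options(trusted_cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(trusted_cert)   # for a real CA: store.set_default_paths, or ca_file:/ca_path:
  { verify_mode: OpenSSL::SSL::VERIFY_PEER, verify_hostname: true, cert_store: store }
end
# Returns :handshake_ok or OpenSSL's error text, so a caller can log why a bind would fail.
def tls_handshake(port, hostname, tls_options)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.set_params(tls_options)
  sock = OpenSSL::SSL::SSLSocket.new(TCPSocket.new('127.0.0.1', port), ctx)
  sock.hostname = hostname       # SNI, and the name verify_hostname checks against the SAN
  sock.connect
  sock.post_connection_check(hostname)
  :handshake_ok
rescue OpenSSL::SSL::SSLError => e
  e.message
ensure
  sock&.close
end
# Three clients against one listener: the question's VERIFY_NONE, the system CAs, a pinned anchor.
def run_demo(host = 'ldap.example.test')
  port, cert, thr = start_fake_ldaps(host)
  results = { verify_none: tls_handshake(port, host, verify_mode: OpenSSL::SSL::VERIFY_NONE),
              system_cas:  tls_handshake(port, host, verify_mode: OpenSSL::SSL::VERIFY_PEER),
              pinned_ca:   tls_handshake(port, host, hardened_tls_options(cert)) }
  thr.kill
  results
end
p run_demo if $PROGRAM_NAME == __FILE__
```

Only the VERIFY_NONE client would also have connected to an impostor, and it is no fix for the first question anyway: dh key too small is OpenSSL refusing the server's ephemeral Diffie-Hellman parameters as shorter than the client's security level allows (1024 bits at OpenSSL's default level), and the cure is larger DH parameters on the server, not a looser verify_mode.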
