Ruby SSL Client - ruby

I've got a SSL Echo Server working fine when I tested with
gnutls-cli --starttls --port 9002 --insecure localhost
My SSL Echo server is as below:
#!/usr/bin/ruby
require 'socket';
require 'openssl';
certfile = 'privkey.pem';
host = "127.0.0.1"
port = 9002;
server = TCPServer.new( host, port );
# Establish an SSL context
sslContext = OpenSSL::SSL::SSLContext.new
sslContext.cert = OpenSSL::X509::Certificate.new(File.open( "myssl.cert.cert" ))
sslContext.key = OpenSSL::PKey::RSA.new(File.open( "myssl.cert.key" ))
# Create SSL server
sslServer = OpenSSL::SSL::SSLServer.new( server, sslContext );
# Don't expect an immidate SSL handshake upon connection.
sslServer.start_immediately = false;
sslSocket = sslServer.accept;
sslSocket.puts( "Toast.." );
# Server loop
while line = sslSocket.gets
line.chomp!;
if "STARTTLS" == line
# Starting TLS
sslSocket.accept;
end
sslSocket.puts( "Got '#{line}'" );
end
sslSocket.close;
My Client is however, not working (which I borrow somewhere in StackOverflow) as below:
#!/usr/bin/env ruby
require "socket"
require "thread"
require "openssl"
host = "127.0.0.1"
port = 9002
socket = TCPSocket.new(host, port)
expectedCert = OpenSSL::X509::Certificate.new(File.open("myssl.cert.cert"))
ssl = OpenSSL::SSL::SSLSocket.new(socket)
ssl.sync_close = true
ssl.connect
if ssl.peer_cert.to_s != expectedCert.to_s
stderrr.puts "Unexpected certificate"
exit(1)
end
Thread.new {
begin
while lineIn = ssl.gets
lineIn = lineIn.chomp
$stdout.puts lineIn
end
rescue
$stderr.puts "Error in input loop: " + $!
end
}
while (lineOut = $stdin.gets)
lineOut = lineOut.chomp
ssl.puts lineOut
end
Error I've got.
./sslclient.rb:13:in `connect': SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: unknown protocol (OpenSSL::SSL::SSLError)
from ./sslclient.rb:13:in `<main>'
Why is there a error in ssl.connect? Did I miss anything?

On the server side you start with plain text, send a welcome message and expect a starttls command - only then you upgrade to TLS. But on the client side you immediatly try to upgrade to TLS after the TCP connect, e.g. without reading the server hello and without sending the starttls command.

Related

TCPSocket connection reset by peer

require 'socket'
socket = TCPSocket.open('stream-api.betfair.com', '443')
while line = socket.gets
puts line.chop
end
socket.close
I should receive something like {"op":"connection","connectionId":"002-230915140112-174"}
but I receive Connection reset by peer which
means the remote end would have sent a reset packet (RST) to kill the connection without an orderly shutdown (close). In that case you know it was the peer(client).
betfair included a nodejs example and also csharp/java examples
Any help is much appreciated. Thanks!
First thing, you should replace the string '443' by an integer :
TCPSocket.open('stream-api.betfair.com', 443)
Anyway, it seems to be related with the SSL negociation : the following Stackoverflow post gives a quick idea about what would work : How to establish a SSL enabled TCP/IP Connection in Ruby. Using this method, I works.
require 'socket'
require 'openssl'
host = 'stream-api.betfair.com'
port = 443
socket = TCPSocket.open(host,port)
ssl_context = OpenSSL::SSL::SSLContext.new()
ssl_context.ssl_version = :SSLv23
ssl_socket = OpenSSL::SSL::SSLSocket.new(socket, ssl_context)
ssl_socket.sync_close = true
ssl_socket.connect
while line = ssl_socket.gets
p line
end
ssl_socket.close
Result :
"{\"op\":\"connection\",\"connectionId\":\"001-151118094105-259478\"}\r\n"
Dealing with SSL/TLS protected connection is sometime quite verbose with Ruby. In the example you gave, in NodeJS, the hint is the first line :
var tls = require('tls');

socket conneted using localhost but not 127.0.0.1

i have the following code
require 'socket'
def connect(socket)
while line = socket.gets # Read lines from socket
puts line # and print them
end
socket.close # close socket when done
end
def serve(server)
loop do
client = server.accept # Wait for a client to connect
client.puts "Hello !"
client.puts "Time is #{Time.now}"
client.close
end
end
if ARGV[0] == "-s"
ip_port = ARGV[1]
server = TCPServer.new ip_port
serve(server)
elsif ARGV.length == 2
ip_address = ARGV[0]
ip_port = ARGV[1]
puts ip_address
puts ip_port
socket = TCPSocket.new ip_address , ip_port
connect(socket)
else
puts "PLease enter an IP address and IP port"
end
The code above is a basic server and client. use the -s flag to tell the program to act like a server.
This code works when I use localhost as a address but does not work when I use 127.0.0.1 as the address. I receive a No connection could be made because the target machine actively refused it. - connect(2) error when i use 127.0.0.1. was wondering if anyone knows what the problem is.
I don't think there's anything wrong with the code itself, this looks like more of an issue due to firewall settings or perhaps something else on the machine.
You could always try opening the port and then attempting to telnet into it from a different terminal telnet 127.0.0.1 port. You can also use netstat -atun to check if the port is indeed open and to which address it is bound (0.0.0.0 means accessible by all IP addresses).

SSL Error on HTTP POST (Unknown Protocol)

Trying to connect to Imgur API via SSL gives me an error. Here's the code and the error:
API_URI = URI.parse('https://api.imgur.com')
API_PUBLIC_KEY = 'Client-ID --'
ENDPOINTS = {
:image => '/3/image',
:gallery => '/3/gallery'
}
# Public: Upload an image
#
# args - The image path for the image to upload
#
def upload(image_path)
http = Net::HTTP.new(API_URI.host)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
params = {'image' => File.open(image_path)}
request = Net::HTTP::Post.new(API_URI.request_uri)
request.set_form_data(params)
request.add_field('Authorization', API_PUBLIC_KEY)
response = http.request(request)
puts response.body
end
And the error:
`connect': SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: unknown protocol (OpenSSL::SSL::SSLError)
I know VERIFY_NODE is not good practice but I just want to test the connection for now.
Ruby version: 1.9.2
Specifying the port when creating the HTTP client fixed this problem.
http = Net::HTTP.new(API_URI.host, API_URI.port)
or
http = Net::HTTP.new(API_URI.host, 443)
For me it was because I had started the server as a http (tcp://) servers instead of https (ssl://).
i.e.
bundle exec puma config.ru -b 'tcp://0.0.0.0:3456?key=/path/to/key.key&cert=/path/to/cert.crt'
instead of:
bundle exec puma config.ru -b 'ssl://0.0.0.0:3456?key=/path/to/key.key&cert=/path/to/cert.crt'

How to establish a SSL enabled TCP/IP Connection in Ruby

I need to establish a TCP connection with my server which has a SSL enabled port, that I need to access.
I need to send a XML file and get the response from the server.
Before the SSL was enabled, I was able to get the data from the server using the below mentioned code.
require 'socket'
myXML = 'test_xml'
host = 'myhost.com'
port = 12482
socket = TCPSocket.open(host,port) # Connect to server
socket.send(myXML, 0)
response = socket.recvfrom(port)
puts response
socket.close
Now I have a 'certi.pfx' with which I need to establish a connection, Send my_xml data and get the response. How can this be done.
I would also like to know if I have the 'pem' and 'key' file, how can I establish a connection, Send my_xml data and get the response.
Please help.
require 'socket'
require 'openssl'
myXML = 'my_sample_data'
host = 'my_host.com'
port = my_port
socket = TCPSocket.open(host,port)
ssl_context = OpenSSL::SSL::SSLContext.new()
ssl_context.cert = OpenSSL::X509::Certificate.new(File.open("certificate.crt"))
ssl_context.key = OpenSSL::PKey::RSA.new(File.open("certificate.key"))
ssl_context.ssl_version = :SSLv23
ssl_socket = OpenSSL::SSL::SSLSocket.new(socket, ssl_context)
ssl_socket.sync_close = true
ssl_socket.connect
ssl_socket.puts(myXML)
while line = ssl_socket.gets
p line
end
ssl_socket.close
Like this:
sock = TCPSocket.new('hostname', 443)
ctx = OpenSSL::SSL::SSLContext.new
ctx.set_params(verify_mode: OpenSSL::SSL::VERIFY_PEER)
#socket = OpenSSL::SSL::SSLSocket.new(sock, ctx).tap do |socket|
socket.sync_close = true
socket.connect
end

Trying to create a simple Ruby server over SSL

I am trying to create a simple SSL client and server in Ruby. But I'm getting a cryptic error message and the documentation is of no help.
Here is my server code:
#!/usr/bin/ruby
require "gserver"
require "openssl"
listeningPort = Integer(ARGV[0])
class Server < GServer
def initialize(listeningPort)
#sslContext = OpenSSL::SSL::SSLContext.new
#sslContext.cert = OpenSSL::X509::Certificate.new(File.open("MyCert.pem"))
super(listeningPort, "0.0.0.0")
end
def serve(io)
begin
ssl = OpenSSL::SSL::SSLSocket.new(io, #sslContext)
ssl.sync_close = true
ssl.connect
while (lineIn = ssl.gets)
lineIn = lineIn.chomp
$stdout.puts "=> " + lineIn
lineOut = "You said: " + lineIn
$stdout.puts "<= " + lineOut
ssl.puts lineOut
end
rescue
$stderr.puts $!
end
end
end
server = Server.new(listeningPort)
server.start
server.join
The client code is similar:
#!/usr/bin/ruby
require "socket"
require "thread"
require "openssl"
host = ARGV[0]
port = Integer(ARGV[1])
socket = TCPSocket.new(host, port)
sslContext = OpenSSL::SSL::SSLContext.new
sslContext.cert = OpenSSL::X509::Certificate.new(File.open("MyCert.pem"))
ssl = OpenSSL::SSL::SSLSocket.new(socket, sslContext)
ssl.sync_close = true
ssl.connect
puts ssl.peer_cert # this is nil
Thread.new {
begin
while lineIn = ssl.gets
lineIn = lineIn.chomp
$stdout.puts lineIn
end
rescue
$stderr.puts "Error in input loop: " + $!
end
}
while (lineOut = $stdin.gets)
lineOut = lineOut.chomp
ssl.puts lineOut
end
When I connect, I get this error on both the server and the client:
in `connect': SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: unknown protocol (OpenSSL::SSL::SSLError)
The problem could be that it doesn't trust the certificate (self-signed). I'm not sure how to tell the client to trust that certificate. Above, I have put the server's cert in the context, but that was just a shot in the dark. I'm not even sure my certificate is in an acceptable format (it is in base64 with the cert and the private key in the file). The documentation is very scant and there doesn't seem to be much on the web in this area either.
Any ideas?
I figured it out, thanks to that link to some decent documentation.
For one thing, SSLSocket.connect() is only meant to be called on the client.
But the main problem is that I'm trying to take a GServer socket and upgrade it to SSL. Instead, I should use OpenSSL::SSL::SSLServer.
Also, I separated my certificate and private key into two files.
Here is the working server:
#!/usr/bin/ruby
require "socket"
require "openssl"
require "thread"
listeningPort = Integer(ARGV[0])
server = TCPServer.new(listeningPort)
sslContext = OpenSSL::SSL::SSLContext.new
sslContext.cert = OpenSSL::X509::Certificate.new(File.open("cert.pem"))
sslContext.key = OpenSSL::PKey::RSA.new(File.open("priv.pem"))
sslServer = OpenSSL::SSL::SSLServer.new(server, sslContext)
puts "Listening on port #{listeningPort}"
loop do
connection = sslServer.accept
Thread.new {
begin
while (lineIn = connection.gets)
lineIn = lineIn.chomp
$stdout.puts "=> " + lineIn
lineOut = "You said: " + lineIn
$stdout.puts "<= " + lineOut
connection.puts lineOut
end
rescue
$stderr.puts $!
end
}
end
And client:
#!/usr/bin/ruby
require "socket"
require "thread"
require "openssl"
host = ARGV[0]
port = Integer(ARGV[1])
socket = TCPSocket.new(host, port)
expectedCert = OpenSSL::X509::Certificate.new(File.open("cert.pem"))
ssl = OpenSSL::SSL::SSLSocket.new(socket)
ssl.sync_close = true
ssl.connect
if ssl.peer_cert.to_s != expectedCert.to_s
stderrr.puts "Unexpected certificate"
exit(1)
end
Thread.new {
begin
while lineIn = ssl.gets
lineIn = lineIn.chomp
$stdout.puts lineIn
end
rescue
$stderr.puts "Error in input loop: " + $!
end
}
while (lineOut = $stdin.gets)
lineOut = lineOut.chomp
ssl.puts lineOut
end
if you need to provide intermediate certificates, set sslContext.extra_chain_cert with them.
If use have letsencrypt certificates, use your fullchain.pem for sslContext.cert, privkey.pem for sslContext.key and ["chain.pem"] for sslContext.extra_chain_cert. Doing so, you can also test the connection to the server from your browser, with full chain verification.
Note: this complements the author's answer https://stackoverflow.com/a/5873796/533510 , but it was rejected by user #joe , because he understands that this is not a complement for the question. If you agree to him, try using this answer as solution to the question!

Resources