Ruby/SSL:sslv3 alert handshake failure - ruby

Please note I have reviewed as many of the articles on here about this issue and the sample/example code I am showing is one of a dozen variations I have tried based on my reading. So please don't RTFM or the like.
I am writing a simple ruby script to log in/logout of a web app. Unfortunately it is https, and in my attempts it seems like ssl is a much harder "easy programming" scenario than I thought.
I am running this script on a stock Kali installation. I am justing Ruby 1.9.1. The error I am getting is:
/usr/lib/ruby/1.9.1/net/http.rb:799:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read finished A: sslv3 alert handshake failure (OpenSSL::SSL::SSLError)
from /usr/lib/ruby/1.9.1/net/http.rb:799:in `block in connect'
from /usr/lib/ruby/1.9.1/timeout.rb:54:in `timeout'
from /usr/lib/ruby/1.9.1/timeout.rb:99:in `timeout'
from /usr/lib/ruby/1.9.1/net/http.rb:799:in `connect'
from /usr/lib/ruby/1.9.1/net/http.rb:755:in `do_start'
from /usr/lib/ruby/1.9.1/net/http.rb:744:in `start'
from ./capture_ids.rb:27:in `block in <main>'
from ./capture_ids.rb:18:in `each'
from ./capture_ids.rb:18:in `<main>'
Here is my ruby script:
#!/usr/bin/env ruby
require 'net/http'
require 'net/https'
require 'openssl'
puts OpenSSL::OPENSSL_VERSION
puts "SSL_CERT_FILE: %s" % OpenSSL::X509::DEFAULT_CERT_FILE
puts "SSL_CERT_DIR: %s" % OpenSSL::X509::DEFAULT_CERT_DIR
login_str = "https://192.168.0.251/~login_handler?UserName=foo&Password=bar"
logout_str = "https://192.168.0.251/~logout_handler?session_id="
seqids = Array.new
puts "Starting capture..."
puts "Staring loop..."
for num in 0..2 do
puts "doing iteration #{num}"
uri = URI.parse(login_str)
https = Net::HTTP.new(uri.host, uri.port)
https.use_ssl = true
# https.cert_store = OpenSSL::X509::Store.new
# https.cert_store.set_default_paths
https.verify_mode = OpenSSL::SSL::VERIFY_NONE
req = Net::HTTP::Post.new(uri.path)
https.start {
res = https.request(req)
}
# puts "*********** Here is the response ***************"
# puts res
# puts "*********** End of response ********************"
start_pt = res.index("name=")
end_pt = res.index(" src=")
seq_id = res.slice(start_pt, end_pt)
puts "Sequence id is " + seq_id
seqids << seq_id
uri = URI.parse(logout_str)
https = Net::HTTP::new(uri.host, uri.port)
https.use_ssl = true
# https.cert_store = OpenSSL::X509::Store.new
# https.cert_store.set_default_paths
https.verify_mode = OpenSSL::SSL::VERIFY_NONE
req = Net::HTTP::Get.new(uri.path)
https.start {
https.request(req)
}
end
My SSL dir/certs are:
SSL_CERT_FILE: /usr/lib/ssl/cert.pem
SSL_CERT_DIR: /usr/lib/ssl/certs
And yes I have confirmed things are there. I also have tried to download new cert files and ca files and use them and put them in there.
What magic ju ju beads do I have to shake?

Related

Ruby https with ca certification does not work while it worked with curl

In ruby, I try to do a ssl connection to a nginx server I setup locally, with an auto-signed certificate. My code is :
require "net/http"
require "net/https"
require "openssl"
require "uri"
require "pp"
request = Net::HTTP::Get.new("/")
response = Net::HTTP.start(
"localhost",
443,
{
:use_ssl => true,
:key => OpenSSL::PKey::RSA.new(File.read("/home/gg/crt/client.key")),
:cert => OpenSSL::X509::Certificate.new(File.read("/home/gg/crt/client.crt")),
:ca_file => "/home/gg/crt/ca.pem",
:verify_mode => OpenSSL::SSL::VERIFY_PEER,
:verify_depth => 5,
}
) do |http|
http.request(request)
end
puts response.inspect
puts response.body
When I run it it return
/home/gg/.rvm/rubies/ruby-2.2.1/lib/ruby/2.2.0/net/http.rb:923:in `connect': SSL_connect returned=1 errno=0 state=error: certificate verify failed (OpenSSL::SSL::SSLError)
from /home/gg/.rvm/rubies/ruby-2.2.1/lib/ruby/2.2.0/net/http.rb:923:in `block in connect'
from /home/gg/.rvm/rubies/ruby-2.2.1/lib/ruby/2.2.0/timeout.rb:74:in `timeout'
from /home/gg/.rvm/rubies/ruby-2.2.1/lib/ruby/2.2.0/net/http.rb:923:in `connect'
from /home/gg/.rvm/rubies/ruby-2.2.1/lib/ruby/2.2.0/net/http.rb:863:in `do_start'
from /home/gg/.rvm/rubies/ruby-2.2.1/lib/ruby/2.2.0/net/http.rb:852:in `start'
from /home/gg/.rvm/rubies/ruby-2.2.1/lib/ruby/2.2.0/net/http.rb:583:in `start'
from testso.rb:8:in `<main>'
But I have the correct result if I run it with curl:
curl https://localhost --key crt/client.key --cert crt/client.crt --cacert crt/ca.pem
What am i doing wrong?
To possibly help others, here is a working solution with Ruby 2.0, for an HTTP GET.
require "net/http"
uri = URI.parse('https://your_url.com')
http = Net::HTTP.new(uri.host, uri.port)
OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:ssl_version]=nil
http.use_ssl = true
http.ca_path='/etc/pki/tls/certs/'
http.ca_file='/etc/pki/tls/certs/YOUR_CERT_CHAIN_FILE'
http.cert = OpenSSL::X509::Certificate.new(File.read("YOUR_CERT)_FILE"))
http.key = OpenSSL::PKey::RSA.new(File.read("YOUR_KEY_FILE"))
#SSLv3 is cracked, and often not allowed
http.ssl_version = :TLSv1_2
#### This is IMPORTANT
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
#Crete the GET request
request = Net::HTTP::Get.new(uri.request_uri)
#Add Headers, if needed
request.add_field 'X_REMOTE_USER', 'USER_NAME'
request.add_field 'Accept', '*'
#Get Response
response = http.request(request)
#Review Response
puts response.body
I feel dumb but figured out the problem.
When generating the different certificates I left some fields blank.
It seems that openssl detected this certificate as "looking" autosigned.
Thus if we use OpenSSL::SSL::VERIFY_PEER the connection fails
So to be sure that the certificate is well generated using the CA you can do :
openssl verify -CAfile ca.crt server.crt
(and same command with client.crt)
if we get
error 18 at 0 depth lookup:self signed certificate
OK
The certificate is detected as autosigned and it fails
if we get
Signature ok
It should work

How to pass in values and headers via Ruby basic authentication?

I'm trying to pass in certain values and headers via Ruby but not sure how to do it. What I have so far:
uri = URI.parse('http://jira.test.local/rest/zapi/latest/execution')
req = Net::HTTP::Get.new(uri)
req.basic_auth 'userid', 'password'
res = Net::HTTP.start(uri.hostname, uri.port) {|http| http.request(req)}
puts res.body
values = "{\n \"issueId\": 32640,\n \"versionId\": \"11163\",\n \"cycleId\": \"5\",\n \"projectId\": 10460\n,\n \"status\": \"1\"}"
headers = {:content_type => "application/json"}
Net::HTTP.start(uri.hostname, uri.port) do | http |
response = http.post(req, values)
puts response.body
end
I'm getting this error right now:
{"status":{"1":{"id":1,"color":"#75B000","description":"Test was executed and passed successfully.","name":"PASS"},"2":{"id":2,"color":"#CC3300","description":"Test was executed and failed.","name":"FAIL"},"3":{"id":3,"color":"#F2B000","description":"Test execution is a work-in-progress.","name":"WIP"},"4":{"id":4,"color":"#6693B0","description":"The test execution of this test was blocked for some reason.","name":"BLOCKED"},"-1":{"id":-1,"color":"#A0A0A0","description":"The test has not yet been executed.","name":"UNEXECUTED"}},"executions":[],"currentlySelectedExecutionId":""}
undefined method `empty?' for #<Net::HTTP::Get GET> (NoMethodError)
/Users/fyousuf/.rvm/rubies/ruby-2.0.0-p481/lib/ruby/2.0.0/net/http/generic_request.rb:27:in `initialize'
/Users/fyousuf/.rvm/rubies/ruby-2.0.0-p481/lib/ruby/2.0.0/net/http/request.rb:14:in `initialize'
/Users/fyousuf/.rvm/rubies/ruby-2.0.0-p481/lib/ruby/2.0.0/net/http.rb:1390:in `new'
/Users/fyousuf/.rvm/rubies/ruby-2.0.0-p481/lib/ruby/2.0.0/net/http.rb:1390:in `send_entity'
/Users/fyousuf/.rvm/rubies/ruby-2.0.0-p481/lib/ruby/2.0.0/net/http.rb:1179:in `post'
./features/step_definitions/zapi_farooq.rb:32:in `block (2 levels) in <top (required)>'
/Users/fyousuf/.rvm/rubies/ruby-2.0.0-p481/lib/ruby/2.0.0/net/http.rb:852:in `start'
/Users/fyousuf/.rvm/rubies/ruby-2.0.0-p481/lib/ruby/2.0.0/net/http.rb:582:in `start'
./features/step_definitions/zapi_farooq.rb:31:in `/^I test zapi update$/'
features/zapi_farooq.feature:4:in `* I test zapi update'
The first line of the output is good, it's giving me the proper outpul from the res.body, but after that is the error.
Summary: I want to go to the uri, authenticate with creds and post with the values provided and with the proper headers (all using Ruby).
I'm trying to create a new execution as per this API: http://docs.getzephyr.apiary.io/#executionresourceapis (Create a new Execution)
Playing around I got it to work with:
values = "{\n \"status\": 2\n}"
headers = {:content_type => "application/json"}
response = RestClient::Resource.new 'http://jira.test.local/rest/zapi/latest/execution/343/execute', 'username', 'password'
response.put values, headers
puts response
puts response.body
Gives output of:
http://jira.test.local/rest/zapi/latest/execution/343/execute
<html xmlns="http://www.w3.org/1999/xhtml"><head></head><body></body></html>
Also it changes the value of the issue in Jira (intended goal).
I just used RestClient b/c the original docs (http://docs.getzephyr.apiary.io/#executionresourceapis) were using it and got some help here too: https://github.com/rest-client/rest-client

ruby - zlib header error when uncompressing tar.gz

I wanted to write a ruby program to unpackage tar.gz files, and I ran into some issues. After reading the documentation on the ruby-doc site, Zlib::GzipReader and Zlib::Inflate. Then I found this Module someone wrote on GitHub, and that didn't work either. So, using the examples from the Ruby page for Zlib::GzipReader, I these were able to run successfully.
irb(main):027:0* File.open('zlib_inflate.tar.gz') do |f|
irb(main):028:1* gz = Zlib::GzipReader.new(f)
irb(main):029:1> print gz.read
irb(main):030:1> gz.close
irb(main):031:1> end
#
#
#
irb(main):023:0* Zlib::GzipReader.open('zlib_inflate.tar.gz') { |gz|
irb(main):024:1* print gz.read
irb(main):025:1> }
Then, when trying to use the Zlib::Inflate options, I kept running into incorrect header check errors.
irb(main):047:0* zstream = Zlib::Inflate.new
=> #<Zlib::Inflate:0x00000002b15790 #dictionaries={}>
irb(main):048:0> buf = zstream.inflate('zlib_inflate.tar.gz')
Zlib::DataError: incorrect header check
from (irb):48:in `inflate'
from (irb):48
from C:/ruby/Ruby200p353/Ruby200-x64/bin/irb:12:in `<main>'
#
#
#
irb(main):049:0> cf = File.open("zlib_inflate.tar.gz")
=> #<File:zlib_inflate.tar.gz>
irb(main):050:0> ucf = File.open("ruby_inflate.rb", "w+")
=> #<File:ruby_inflate.rb>
irb(main):051:0> zi = Zlib::Inflate.new(Zlib::MAX_WBITS)
=> #<Zlib::Inflate:0x00000002c097f0 #dictionaries={}>
irb(main):052:0> ucf << zi.inflate(cf.read)
Zlib::DataError: incorrect header check
from (irb):52:in `inflate'
from (irb):52
from C:/ruby/Ruby200p353/Ruby200-x64/bin/irb:12:in `<main>'
#
#
#
irb(main):057:0* File.open("zlib_inflate.tar.gz") {|cf|
irb(main):058:1* zi = Zlib::Inflate.new
irb(main):059:1> File.open("zlib_inflate.rb", "w+") {|ucf|
irb(main):060:2* ucf << zi.inflate(cf.read)
irb(main):061:2> }
irb(main):062:1> zi.close
irb(main):063:1> }
Zlib::DataError: incorrect header check
from (irb):60:in `inflate'
from (irb):60:in `block (2 levels) in irb_binding'
from (irb):59:in `open'
from (irb):59:in `block in irb_binding'
from (irb):57:in `open'
from (irb):57
from C:/ruby/Ruby200p353/Ruby200-x64/bin/irb:12:in `<main>'
How would I go about taking a tar.gz file, and extract the contents so the files are not null? I did read this other post about Ruby Zlib from here, but that did not work for me as well. What am I doing wrong?

OpenSSL trouble with Ruby 1.9.3

I am having a semi-serious problem with OpenSSL 1.0.1 + Ruby 1.9.3 on Ubuntu 12.04.
All rubies are installed with rvm
require 'uri'
require 'net/http'
require 'net/https'
endpoint = "https://secure.mmoagateway.com/api/transact.php"
RUBY_184_POST_HEADERS = { "Content-Type" => "application/x-www-form-urlencoded" }
body = "orderid=ae5dd847d9f31209cbffeeea076ed966&orderdescription=Active+Merchant+Remote+Test+Purchase&ccnumber=4111111111111111&ccexp=0913&cvv=123&company=Widgets+Inc&address1=1234+My+Street&address2=Apt+1&city=Ottawa&state=ON&zip=K1C2N6&country=CA&phone=%28555%29555-5555&firstname=&lastname=&email=&amount=1.00&type=auth&username=demo&password=password"
headers = {}
endpoint = endpoint.is_a?(URI) ? endpoint : URI.parse(endpoint)
http = Net::HTTP.new(endpoint.host, endpoint.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
http.set_debug_output(STDOUT)
result = http.post(endpoint.request_uri, body, RUBY_184_POST_HEADERS.merge(headers))
puts(result)
On Ubuntu 12.04 + Ruby 1.9.3 + Openss 1.0.1 I get the following output:
% ruby test.rb
opening connection to secure.mmoagateway.com...
opened
Conn close because of connect error Connection reset by peer - SSL_connect
/usr/lib/ruby/1.9.1/net/http.rb:799:in `connect': Connection reset by peer - SSL_connect (Errno::ECONNRESET)
from /usr/lib/ruby/1.9.1/net/http.rb:799:in `block in connect'
from /usr/lib/ruby/1.9.1/timeout.rb:54:in `timeout'
from /usr/lib/ruby/1.9.1/timeout.rb:99:in `timeout'
from /usr/lib/ruby/1.9.1/net/http.rb:799:in `connect'
from /usr/lib/ruby/1.9.1/net/http.rb:755:in `do_start'
from /usr/lib/ruby/1.9.1/net/http.rb:744:in `start'
from /usr/lib/ruby/1.9.1/net/http.rb:1284:in `request'
from /usr/lib/ruby/1.9.1/net/http.rb:1307:in `send_entity'
from /usr/lib/ruby/1.9.1/net/http.rb:1096:in `post'
from test.rb:17:in `<main>'
With Ruby 1.8.7 I get the correct output:
$ ruby test.rb
opening connection to secure.mmoagateway.com...
opened
<- "POST /api/transact.php HTTP/1.1\r\nAccept: */*\r\nContent-Type: application/x-www-form-urlencoded\r\nConnection: close\r\nContent-Length: 347\r\nHost: secure.mmoagateway.com\r\n\r\n"
<- "orderid=ae5dd847d9f31209cbffeeea076ed966&orderdescription=Active+Merchant+Remote+Test+Purchase&ccnumber=4111111111111111&ccexp=0913&cvv=123&company=Widgets+Inc&address1=1234+My+Street&address2=Apt+1&city=Ottawa&state=ON&zip=K1C2N6&country=CA&phone=%28555%29555-5555&firstname=&lastname=&email=&amount=1.00&type=auth&username=demo&password=password"
-> "HTTP/1.1 200 OK\r\n"
-> "Date: Wed, 04 Jul 2012 01:26:35 GMT\r\n"
-> "Server: Apache\r\n"
-> "Content-Length: 240\r\n"
-> "Connection: close\r\n"
-> "Content-Type: text/html\r\n"
-> "\r\n"
reading 240 bytes...
-> "response=1&responsetext=SUCCESS&authcode=123456&transactionid=1648894346&avsresponse=N&cvvresponse=N&orderid=ae5dd847d9f31209cbffeeea076ed966&type=auth&response_code=100&merchant_defined_field_6=&merchant_defined_field_7=&customer_vault_id="
read 240 bytes
Conn close
#<Net::HTTPOK:0xb74175c8>
response=1&responsetext=SUCCESS&authcode=123456&transactionid=1648894346&avsresponse=N&cvvresponse=N&orderid=ae5dd847d9f31209cbffeeea076ed966&type=auth&response_code=100&merchant_defined_field_6=&merchant_defined_field_7=&customer_vault_id=
I have the same issue in arch with 1.9.3 and 1.0.1.
If I install 1.0.0e from oneiric on my 12.04 system it also works fine with ruby 1.9.3
I think this may be related to ubuntu bug here: https://bugs.launchpad.net/ubuntu/+source/openssl/+bug/965371
Although I downloaded the packages from Debian where they said it was fixed and had no luck.
Has anyone else experienced a similar problem?
I had the same problem connecting to an authorization gateway. In the end I was able to connect by forcing sslv3
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true if #is_https
http.verify_mode = OpenSSL::SSL::VERIFY_NONE if #is_https
http.ssl_version = :SSLv3
I have the same problem... here is information, that rvm pkg install openssl and rvm reinstall 1.9.3-p194 --with-openssl-dir=~/.rvm/usr solves the problem, but it doesn't help me

How to validate SSL certificate chain in ruby with net/http

How can I verify the certificates of a site like https://processing.ukash.com/ in ruby with net/http?
https = Net::HTTP.new('processing.ukash.com', 443)
https.use_ssl = true
https.verify_mode = OpenSSL::SSL::VERIFY_NONE
Works so far, but how do I verify that it's the right cert now? I saved the certificate from within firefox, but the resulting .pem file has many certificates in it and net/http doesn't seem to like it.
From my code snippets collection:
#!/usr/bin/env ruby
# How to:
# =======
# Use Ruby's net/https library, to verify a SSL certificate.
# ==========================================================
# - Without verification the following code will lead to:
# warning: peer certificate won't be verified in this SSL session
#
# #------------------begin example-----------------------------
# require 'net/http'
# require 'net/https'
# require 'uri'
#
# url = URI.parse 'https://myname:mypass#mail.google.com/'
# http = Net::HTTP.new(url.host, url.port)
# http.use_ssl = (url.scheme == 'https')
# request = Net::HTTP::Get.new(url.path)
# request.basic_auth url.user, url.password
# response = http.request(request)
# #-------------------end example------------------------------
#
# To verify the ssl cert cosider adapting the following.
# Status: Untested
# =======
#
# References:
# ===========
# [1] http://mimori.org/%7Eh/tdiary/20080301.html#p03
# [2] http://redcorundum.blogspot.com/2008/03/ssl-certificates-and-nethttps.html
#
require 'net/http'
require 'net/https'
require 'uri'
RootCA = '/etc/ssl/certs'
url = URI.parse 'https://myname:mypass#mail.google.com/'
http = Net::HTTP.new(url.host, url.port)
http.use_ssl = (url.scheme == 'https')
if (File.directory?(RootCA) && http.use_ssl?)
http.ca_path = RootCA
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
http.verify_depth = 5
else
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
end
request = Net::HTTP::Get.new(url.path)
request.basic_auth url.user, url.password
response = http.request(request)
Hope this helps?
For the sake of completeness and for my future me, this is a small gem I made out of this: https://github.com/jarthod/ssl-test

Resources