Ruby Net::HTTPS SSL handshake error - ruby

I have the following code
uri = URI.parse( 'https://my.fancy.uri/with/some/path.ext' )
https = Net::HTTP.new( uri.host, uri.port )
https.use_ssl = true
https.verify_mode = OpenSSL::SSL::VERIFY_PEER
store = OpenSSL::X509::Store.new
store.add_file( File.join( Rails.root, 'config', 'crt', 'correct_ca.crt' ) )
https.cert_store = store
request = Net::HTTP::Post.new( uri.request_uri )
request.set_form_data post_data
request.basic_auth( 'HTTP_USER', 'HTTP_PASS' )
response = https.request( request )
which generates an error: OpenSSL::SSL::SSLError: SSL_read:: ssl handshake failure
and I'm totally stumped.

Apparently Ruby wasn't checking all ssl versions durring the handshake. I don't know much about it, but adding:
https.ssl_version = :TLSv1
solved the problem.

Related

OpenSSL::SSL::SSLError: Ruby client's server ca certificate does not work while it worked with curl

I got certificate from customer to connect with their VPN, but it does not work with ruby code while it worked with curl command. Curl command is as follows:
curl --cacert cert.cer -d '{"acb": 123 }' -H 'Content-Type: application/json' 'https://demo.com'
In ruby, I am trying to do the following to connect the client APIs provided to us for transactions.
require 'net/http'
require 'json'
require 'uri'
full_url = "https://demo.com"
uri = URI.parse(full_url)
data = { "acb": 123 }
headers = { 'Content-Type' => "application/json" }
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
raw = File.read("path_to_the_certificate")
http.cert = OpenSSL::X509::Certificate.new(raw)
request = Net::HTTP::Post.new(uri.request_uri, headers)
request.body = data.to_json
response = http.request(request)
puts response.code
puts response.body
We also tried to pass our server's certificate as follows, but that doesn't work either
http.ca_path='/etc/pki/tls/certs'
http.ca_file='/etc/pki/tls/certs/cert.cer'
http.cert = OpenSSL::X509::Certificate.new(File.read("/path/client.crt"))
http.key = OpenSSL::PKey::RSA.new(File.read("/path/client.key"))
Getting the following error while
OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get local issuer certificate))
I think the issue with their self-signed certificate. It fails verification.
However, you can manually disable it with
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
verify_mode[RW]
Sets the flags for server the certification verification at beginning of SSL/TLS session.
OpenSSL::SSL::VERIFY_NONE or OpenSSL::SSL::VERIFY_PEER are acceptable.
from https://ruby-doc.org/stdlib-2.7.0/libdoc/net/http/rdoc/Net/HTTP.html
I tried to replicate it locally and it worked with this fix.
It should be that the vpn certificate is self-signed, you need to specify your own cacert, so you specify cacert file as the file used by the curl above, not the cacert file that comes with the system
add this line:
http.ca_file = "cacert filename"
Like this:
require 'net/http'
require 'json'
require 'uri'
full_url = "https://localhost/test.html"
uri = URI.parse(full_url)
data = { "acb": 123 }
headers = { 'Content-Type' => "application/json" }
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
# You need to specify the cacert file used for curl above (filename: cert.cer)
http.ca_file = "/root/myca/cacert.crt"
request = Net::HTTP::Post.new(uri.request_uri, headers)
request.body = data.to_json
response = http.request(request)
puts response.code
puts response.body
you should add your certificate in .pem format to (depending on the version) either:
C:\Ruby{version number}{-x64 - if 64 bit operating system}\ssl
e.g. C:\Ruby25-x64\ssl
or to
C:\Ruby{version number}{-x64 - if 64 bit operating system}\lib\ruby{version number}\rubygems\ssl_certs{your cn}
e.g. C:\Ruby25-x64\lib\ruby\2.5.0\rubygems\ssl_certs\client.cn
and then in the C:\Ruby{The version number}{-x64 - If it's a 64-bit operating system}\ssl\certs run the c_rehash.r script
For Apps using PayPal::SDK.configure(...)
PayPal::SDK.configure(
mode: ...,
client_id: ...,
client_secret: ...,
# Deliberately set ca_file to nil so the system's Cert Authority is used,
# instead of the bundled paypal.crt file which is out-of-date due to:
# https://www.paypal.com/va/smarthelp/article/discontinue-use-of-verisign-g5-root-certificates-ts2240
ssl_options: { ca_file: nil }
)
For apps using a YAML config file
ssl_options:
ca_file: null

REST HTTPS login with Ruby - Connection Reset by peer

I am trying to do a REST API login over HTTPS. I keep getting Connection reset by peer (Errno::ECONNRESET):
require 'net/http'
require 'net/https'
uri = URI.parse("https://.../login.jsp")
https = Net::HTTP.new(uri.host,uri.port)
https.use_ssl = true
req = Net::HTTP::Post.new(uri.path)
req['userid'] = 'myemail%40hostname.com'
req['passwd'] = 'mypassword'
res = https.request(req)
puts res.body
I'm not sure what I'm doing wrong. The corresponding cURL command that works without a hitch is:
curl --user-agent "MyUserAgent" --cookie-jar cookiefile -o - --data 'userid=myemail%40hostname.com&passwd=mypassword' https://.../login.jsp
(I haven't gotten to dealing with capturing the cookie file yet, I'm just trying to get the login to work)
Suggestions appreciated! Thanks!!
Turned out that I needed to set form data for this work.
require 'net/http'
require 'openssl'
uri = URI.parse("https://.../login.jsp")
https = Net::HTTP.new(uri.host,uri.port)
https.use_ssl = true
req = Net::HTTP::Post.new(uri)
req.set_form_data('userid' => 'myemail#hostname.com', 'passwd' => 'mypassword')
res = https.request(req)
puts res

Net::HTTP not sending request

I have the following method in our Ruby 1.8.7 project:
def self.ping_server
request_data = get_request_data
uri = 'another_server.our_company.com'
https = Net::HTTP.new(uri)
https.use_ssl = true
path = "/our_service"
data = request_data.to_json
response = https.post(path, data, {'Content-Type' => 'application/json'})
return response
end
Whenever I run this method, I get the following time out error:
Completed 500 Internal Server Error in 128936ms
Errno::ETIMEDOUT (Connection timed out - connect(2)):
lib/my_class.rb:51:in `ping_our_server'
I checked with a coworker who has access to the logs for another_server.our_company.com. My request isn't arriving at the other server.
What should I do to get my request to work?
EDIT: On further inspection, this is what I think is happening (but I'm not completely sure): Our other server will only accept HTTPS requests, but it looks like my request is being sent over HTTP for some reason. Is there something I need to add to make sure my request is sent over HTTPS?
According to this website, this is how you send an HTTPS request:
require "net/https"
require "uri"
uri = URI.parse("https://secure.com/")
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = true
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
request = Net::HTTP::Get.new(uri.request_uri)
response = http.request(request)
response.body
response.status
response["header-here"] # All headers are lowercase
According to this website (which is linked from my first link), you should also do this to close up a vulnerability in the net/https library:
To get going, you need a local CA certificates bundle, the official
curl site maintains an up to date cacert.pem / ca-bundle.crt file
containing all of the major certificates if you need one.
Next, after a gem install always_verify_ssl_certificates, you can be
up and running with a test as simply as:
require 'always_verify_ssl_certificates'
AlwaysVerifySSLCertificates.ca_file = "/path/path/path/cacert.pem"
http= Net::HTTP.new('https://some.ssl.site', 443)
http.use_ssl = true
req = Net::HTTP::Get.new('/')
response = http.request(req)
If the site
has a bad certificate an error will be raised at this point. If not, a
legitimate HTTP response object will be returned.

Socksify and SSL for HTTPS request

For a project I need to make an HTTPS call through a Socks5 proxy so I can access the remote API of a customer.
The original code I'm using is this:
url = "/proxyValidate?service=#{migration_station_verification_url}&ticket=#{service_ticket}"
if Rails.env == 'development'
uri = URI.parse(soe_cas_url + url)
Net::HTTP.SOCKSProxy('127.0.0.1', 1080).start(uri.host, uri.port) do |http|
res = http.get(uri.path)
doc = Nokogiri::XML(res)
doc.remove_namespaces!
doc.xpath('//sessionId').first.content
end
else
http = Net::HTTP.new(soe_cas_url)
http.use_ssl = true
req = Net::HTTP::Get.new(url)
res = http.request(req)
doc = Nokogiri::XML(res)
doc.remove_namespaces!
doc.xpath('//sessionId').first.content
end
The goal is to use the proxy only in development environment. When I make the call using the proxy I receive the error:
wrong status line: "<!DOCTYPE
Googling this shows I need to set the use_ssl flag to true, which works outside the development cycle. When using the socksify there is no such mechanism. If I call this inside the do block, I receive an error that the session is already started. Calling it outside the block returns an exception that no such function exists.
Anyone can tell me how to run SSL/HTTPS through the socksify proxy?
EDIT:
I'm currently playing around with pure sockets to get what I want, using the following code:
socket = Socket::TCPSocket.open('127.0.0.1', 1080)
ssl_context = OpenSSL::SSL::SSLContext.new
ssl_context.verify_mode = OpenSSL::SSL::VERIFY_NONE
ssl_context.ca_file = File.join(Rails.root, 'ssl', 'cacert.pem')
ssl_socket = OpenSSL::SSL::SSLSocket.new(socket, ssl_context)
ssl_socket.sync_close = true
ssl_socket.connect
request = "GET #{url} HTTP/1.1\r\nAccept: */*\r\nHost: #{soe_cas_url}"
ssl_socket.puts(request)
ssl_socket.puts("")
response = ""
while (line = ssl_socket.gets)
response << line
end
This however fails at the ssl_socket.connect with the following error:
ssl_connect syscall returned=5 errno=0 state=sslv2/v3 read server hello a
I've tried using self-signed certificates, no certificates etc but nothing seems to work. I do know the endpoint relies on self-signed certificates on staging environmnet.

How to validate SSL certificate chain in ruby with net/http

How can I verify the certificates of a site like https://processing.ukash.com/ in ruby with net/http?
https = Net::HTTP.new('processing.ukash.com', 443)
https.use_ssl = true
https.verify_mode = OpenSSL::SSL::VERIFY_NONE
Works so far, but how do I verify that it's the right cert now? I saved the certificate from within firefox, but the resulting .pem file has many certificates in it and net/http doesn't seem to like it.
From my code snippets collection:
#!/usr/bin/env ruby
# How to:
# =======
# Use Ruby's net/https library, to verify a SSL certificate.
# ==========================================================
# - Without verification the following code will lead to:
# warning: peer certificate won't be verified in this SSL session
#
# #------------------begin example-----------------------------
# require 'net/http'
# require 'net/https'
# require 'uri'
#
# url = URI.parse 'https://myname:mypass#mail.google.com/'
# http = Net::HTTP.new(url.host, url.port)
# http.use_ssl = (url.scheme == 'https')
# request = Net::HTTP::Get.new(url.path)
# request.basic_auth url.user, url.password
# response = http.request(request)
# #-------------------end example------------------------------
#
# To verify the ssl cert cosider adapting the following.
# Status: Untested
# =======
#
# References:
# ===========
# [1] http://mimori.org/%7Eh/tdiary/20080301.html#p03
# [2] http://redcorundum.blogspot.com/2008/03/ssl-certificates-and-nethttps.html
#
require 'net/http'
require 'net/https'
require 'uri'
RootCA = '/etc/ssl/certs'
url = URI.parse 'https://myname:mypass#mail.google.com/'
http = Net::HTTP.new(url.host, url.port)
http.use_ssl = (url.scheme == 'https')
if (File.directory?(RootCA) && http.use_ssl?)
http.ca_path = RootCA
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
http.verify_depth = 5
else
http.verify_mode = OpenSSL::SSL::VERIFY_NONE
end
request = Net::HTTP::Get.new(url.path)
request.basic_auth url.user, url.password
response = http.request(request)
Hope this helps?
For the sake of completeness and for my future me, this is a small gem I made out of this: https://github.com/jarthod/ssl-test

Resources