我正在尝试使用 ruby 2.1.2 连接到需要 SSL 客户端身份验证的 Web 服务,但是
当我在 curl 上使用相同的客户端证书 (client_cert.pem) 时,我得到了正确的响应:
curl 'https://mywebservice.xxx.com' --cert client_cert.pem --cacert mycacert.crt
当我详细 curl 时,我可以看到握手是这样进行的:
* Hostname was NOT found in DNS cache
* Trying 192.168.0.10...
* Connected to mywebservice.xxx.com (192.168.0.10) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: none
CApath: /etc/ssl/certs
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using DHE-RSA-AES256-SHA
* Server certificate:
* ...
> GET / HTTP/1.1
> User-Agent: curl/7.35.0
> Host: mywebservice.xxx.com
> Accept: */*
>
* SSLv3, TLS handshake, Hello request (0):
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server key exchange (12):
* SSLv3, TLS handshake, Request CERT (13):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS handshake, CERT verify (15):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
< HTTP/1.1 200 OK
< Date: Thu, 17 Jul 2014 12:50:26 GMT
* Server Apache/2.2.16 (Debian) is not blacklisted
< Server: Apache/2.2.16 (Debian)
< Pragma: No-cache
< Cache-Control: no-cache
< Expires: Wed, 31 Dec 1969 21:00:00 BRT
< Vary: Accept-Encoding
< Transfer-Encoding: chunked
< Content-Type: text/xml;charset=utf-8
<
<?xml version='1.0' encoding='UTF-8'?> .....the full xml response
这就是我所需要的,但后来我在 ruby 上尝试了同样的方法:
#ws_test.rb
require 'net/http'
require 'uri'
require 'openssl'
uri = URI.parse 'https://mywebservice.xxx.com/'
http = Net::HTTP.new(uri.host, 443)
http.use_ssl = true
http.ssl_version = :TLSv1
cert = OpenSSL::X509::Certificate.new(File.read("client_cert.pem"))
http.cert = cert
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
http.cert_store = OpenSSL::X509::Store.new
cacert = OpenSSL::X509::Certificate.new(File.read("mycacert.crt"))
http.cert_store.add_cert(cacert)
http.start do
http.request_get(uri.path) {|res|
print res.body
}
end
但是在 ruby 上我遇到了这个问题:
/home/user/.rbenv/versions/2.1.2/lib/ruby/2.1.0/net/http.rb:920:in `connect': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)
from /home/user/.rbenv/versions/2.1.2/lib/ruby/2.1.0/net/http.rb:920:in `block in connect'
from /home/user/.rbenv/versions/2.1.2/lib/ruby/2.1.0/timeout.rb:76:in `timeout'
from /home/user/.rbenv/versions/2.1.2/lib/ruby/2.1.0/net/http.rb:920:in `connect'
from /home/user/.rbenv/versions/2.1.2/lib/ruby/2.1.0/net/http.rb:863:in `do_start'
from /home/user/.rbenv/versions/2.1.2/lib/ruby/2.1.0/net/http.rb:852:in `start'
我尝试更改验证模式:
http.verify_mode = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
# same error
和
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
# a different error: " SSL_read: ssl handshake failure (OpenSSL::SSL::SSLError"
最佳答案
我已经使用 gem rest_client 解决了它...
这是我做的:
require 'rest_client'
RestClient::Resource.new(
'https://mywebservice.xxx.com/',
:ssl_client_cert => OpenSSL::X509::Certificate.new(File.read("client_cert.crt")),
:ssl_client_key => OpenSSL::PKey::RSA.new(File.read("client_cert.key")),
:ssl_ca_file => "mycacert.crt",
:verify_ssl => OpenSSL::SSL::VERIFY_PEER
).get
关于ruby - ruby SSLv3 上的 SSL 客户端身份验证 Web 服务读取服务器证书 B : certificate verify failed,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/24805209/