8

I am just trying to get my head around SSL.

I have set up a Jetty server on my localhost, and generated my own certificate using Keytool.

Now when I go to https://localhost:8443/ I get the can't trust this certificate error.

I use

keytool -export -alias pongus -keystore keystore -file certfile.cer

To create the certificate which I think is what the client needs to authenticate with the server. (This is where I could be very wrong!)

I have the following ruby code :

require 'net/https'
require 'openssl'

require 'open-uri'

puts 'yay' if File.exists?('certfile.cer')

uri = URI.parse("https://localhost:8443/")
http_session = Net::HTTP.new(uri.host, uri.port)
http_session.use_ssl = true
http_session.verify_mode = OpenSSL::SSL::VERIFY_PEER
http_session.ca_file = 'certfile.cer'
res = http_session.start do |http|
  # do some requests here
  http.get('/')
end

This does print 'yay', so the certfile.cer file does exist.

But I get the errors 

/Applications/NetBeans/NetBeans 6.8.app/Contents/Resources/NetBeans/ruby2/jruby-1.4.0/lib/ruby/1.8/net/http.rb:586 warning: can't set verify locations
/Applications/NetBeans/NetBeans 6.8.app/Contents/Resources/NetBeans/ruby2/jruby-1.4.0/lib/ruby/1.8/net/http.rb:586:in `connect': certificate verify failed (OpenSSL::SSL::SSLError)

Any ideas what I am doing wrong?

EDIT

I want to get it so I guarantee that I am connecting to the right server, and the server can guarantee that it is me connecting to it, without any tampering in between. I am developing both the server and the client.

Mongus Pong
  • 11,337
  • 9
  • 44
  • 72

3 Answers3

7

Your client needs access to its private key.

You dont need the private key for server certificate verification. All you need is the certificate itself which contains the public key. Only the server has the private key. Well described here http://www.helpbytes.co.uk/https.php and here http://www.verisign.com/ssl/ssl-information-center/how-ssl-security-works/

My recommendation is simple. Check your certificate is correct.

openssl x509 -text -in mycert.crt

Also if you have access to the server you can explicitely validate if the certificate and key (used in httpd configuration) are correct (matches): http://kb.wisc.edu/middleware/page.php?id=4064 Please note this is explicit check ran on server. Never give out the private key. This check can be done only by the administrator to verify if the httpd was not misconfigured.

(openssl x509 -noout -modulus -in server.pem | openssl md5 ;\
   openssl rsa -noout -modulus -in server.key | openssl md5) | uniq

You can also debug the SSL certificate communication using standard openssl command. Issue this command then wait few seconds and then type QUIT and hit enter. You will see the certificate the server sends out.

openssl s_client -connect your.server.com:443

Also try to import the certificate to your browser and access the URL resource. Browser is able to validate it by clicking on https (Firefox and Chrome). Then you will see the certificate itself and validity information.

All the above was all about the server certificate. This is only one part of the problem. "I am connecting to the right server, and the server can guarantee that it is me connecting to it" Actully in your code above you only check for the server cert. Now. If you want a client certificate (the second part of your statement) than you need this in Ruby:

File.open( "client_certificate.pem", 'rb' ) { |f| cert = f.read }
File.open( "client_key.pem", 'rb' ) { |f| key = f.read }
http_session.cert = OpenSSL::X509::Certificate.new(cert)
http_session.key = OpenSSL::PKey::RSA.new(key, nil)

This is how client cert should be used in Ruby. If your private key is encrypted with a password just pass it instead nil in the second argument of RSA constructor.

I highly recommend to get server certificate working (your code) and then start with client certificate. Please note you keep your current code (ca_cert, validation constant) and add the above four lines to it.

Hope this helps.

lzap
  • 16,417
  • 12
  • 71
  • 108
  • In any case you DONT NEED private key on your client. Never ever. Period. – lzap Feb 17 '11 at 13:08
  • One more thing. You can also EXPORT the certificate using Firefox or IE! Its very simple. Access the page and export it to a PEM file. You can use that one with Ruby. I did this several times. Works! – lzap Feb 17 '11 at 15:39
  • Wrong. You just don't understand SSL client authentication, which is what the questioner has clearly stated he needs. "...which I think is what the client needs to authenticate with the server..." as well as the comment in the edit indicate this. – President James K. Polk Feb 17 '11 at 23:14
  • No Greg, you are *not* right. He is *not* asking about SSL client auth but he is facing an issue with SSL server cert verifiation. This is different. Attributes http_session.ca_file and http_session.verify_mode are *not* for SSL client certs. – lzap Feb 24 '11 at 09:52
  • @Izap: You need to read what he wrote: "...so I guarantee that I am connecting to the right server, and the server can guarantee that it is me connecting to it,...". That is called client auth. – President James K. Polk Feb 25 '11 at 00:14
  • @GregS: It's possible that there's a difference between what he said and what he meant. – Jumbogram Feb 25 '11 at 02:08
  • @Jumbogram: Agreed, that is often a problem here. You have to read between the lines sometimes. – President James K. Polk Feb 26 '11 at 01:08
  • Yeah, I missed the part "the server can guarantee that it is me connecting to it". Everything I wrote is still okay except "This is not true". He needs both. So in A he needs the server cert without the private key, B he needs a client cert including his private key (of course). Sorry for the confusion but I was pretty sure he needs only server cert (according his source code). – lzap Feb 28 '11 at 08:15
  • I have added client part to my answer. I hope it helps. – lzap Feb 28 '11 at 08:24
0

Your client needs access to its private key. The private key is not in the certificate, the certificate only contains the public key. Sorry, I don't know ruby, but a common technique is to bundle the private key and certificate in a single PKCS#12, aka p12, file and supply this to the crypto library.

President James K. Polk
  • 40,516
  • 21
  • 95
  • 125
  • Nice one, thats good information to give me something to go on! Ill go back to the keytool documentation. Thanks – Mongus Pong Jan 24 '10 at 02:50
  • Ruby does accept PEM. Theres no need for p12 and private key at all. Its a security hole to give out the PK :-) – lzap Feb 17 '11 at 15:36
  • 1
    @Izap: There is not a private key, there are two: one for the client and one for the server. That is why I said the client needs access to *ITS* private key, not the server's. – President James K. Polk Feb 17 '11 at 23:16
  • Greg you are trying to mix two things. The guy up there asked for SSL server certificate verifycation against CA cert. You are describing SSL user certification authorization. These are two different things. They can live together. – lzap Feb 24 '11 at 09:54
  • Sorry, he really needs a private key but only for a client cert. For server cert the private key is stored on the server. See my post above. – lzap Feb 28 '11 at 08:16
-6

Change

http_session.verify_mode = OpenSSL::SSL::VERIFY_PEER

to 

http_session.verify_mode = OpenSSL::SSL::VERIFY_NONE

Once you do that, the SSL will work properly. I have used this multiple times in my development environments, always works flawlessly.

Eugene
  • 4,829
  • 1
  • 24
  • 49
  • 1
    Thanks, but I dont want it to sidestep verification. . ;-) – Mongus Pong Jan 23 '10 at 21:30
  • I'm sorry it took so long to respond to this. As VERIFY_PEER tries to validate the cert against a known SSL issuer, you have to use VERIFY_NONE to bypass this check. Its not validating the certificate per se, but validating the issuer of the certificate. As self-signed certificates have no known issuer, it fails the check. – Eugene Jan 27 '10 at 16:58
  • 2
    This is REALLY DANGEROUS. Dont do this if you dont know what you do. – lzap Feb 17 '11 at 11:25