0

We prepare proxy server that listens to HTTPS on port 13128 at proxy.foo.com using self signed cert and want to request https://target-site.com over that proxy.

curl request curl -v --proxy-cacert /path/to/proxy-cert.pem https://target-site.com/ -x https://user:pass@proxy.foo.com:13128 > /dev/null passes.

What does corresponding ruby code looks like? We uses faraday 0.12.2, but net/http is also welcome.

This code does not work

cert = OpenSSL::X509::Certificate.new(<<PEM)
-----BEGIN CERTIFICATE-----
# this is our self signed cert
-----END CERTIFICATE-----
PEM
cert_store = OpenSSL::X509::Store.new
cert_store.add_cert(cert)
conn = Faraday.new(url: "https://target-site.com/", ssl: { cert_store: cert_store }, proxy: 'https://user:pass@proxy.foo.com:13128')
p "conn is #{conn.inspect}"
p conn.get()

Part of output is:

"conn is #<Faraday::Connection:0x007fb7e7d40520 @parallel_manager=nil, @headers={\"User-Agent\"=>\"Faraday v0.12.2\"}, @params={}, @options=#<Faraday::RequestOptions (empty)>, @ssl=#<Faraday::SSLOptions (empty)>, @default_parallel_manager=nil, @builder=#<Faraday::RackBuilder:0x007fb7ea143f08 @handlers=[Faraday::Request::UrlEncoded, Faraday::Adapter::NetHttp]>, @url_prefix=#<URI::HTTPS https://target-site.com/>, @proxy=#<Faraday::ProxyOptions uri=#<URI::HTTPS https://user:pass@proxy.foo.com:13128>, user=\"user\", password=\"pass\">>"
<internal:prelude>:78:in `__read_nonblock': Connection reset by peer (Faraday::ConnectionFailed)
    from <internal:prelude>:78:in `read_nonblock'
    from /Users/yskkin/.rbenv/versions/2.4.1/lib/ruby/2.4.0/net/protocol.rb:172:in `rbuf_fill'
    from /Users/yskkin/.rbenv/versions/2.4.1/lib/ruby/2.4.0/net/protocol.rb:154:in `readuntil'
    from /Users/yskkin/.rbenv/versions/2.4.1/lib/ruby/2.4.0/net/protocol.rb:164:in `readline'
    from /Users/yskkin/.rbenv/versions/2.4.1/lib/ruby/2.4.0/net/http/response.rb:40:in `read_status_line'
    from /Users/yskkin/.rbenv/versions/2.4.1/lib/ruby/2.4.0/net/http/response.rb:29:in `read_new'
    from /Users/yskkin/.rbenv/versions/2.4.1/lib/ruby/2.4.0/net/http.rb:925:in `connect'
    from /Users/yskkin/.rbenv/versions/2.4.1/lib/ruby/2.4.0/net/http.rb:887:in `do_start'
    from /Users/yskkin/.rbenv/versions/2.4.1/lib/ruby/2.4.0/net/http.rb:876:in `start'
    from /Users/yskkin/.rbenv/versions/2.4.1/lib/ruby/2.4.0/net/http.rb:1407:in `request'
    from /Users/yskkin/.rbenv/versions/2.4.1/lib/ruby/2.4.0/net/http.rb:1165:in `get'
    from /Users/yskkin/.rbenv/versions/2.4.1/lib/ruby/gems/2.4.0/gems/faraday-0.12.2/lib/faraday/adapter/net_http.rb:78:in `perform_request'
    from /Users/yskkin/.rbenv/versions/2.4.1/lib/ruby/gems/2.4.0/gems/faraday-0.12.2/lib/faraday/adapter/net_http.rb:38:in `block in call'
    from /Users/yskkin/.rbenv/versions/2.4.1/lib/ruby/gems/2.4.0/gems/faraday-0.12.2/lib/faraday/adapter/net_http.rb:85:in `with_net_http_connection'
    from /Users/yskkin/.rbenv/versions/2.4.1/lib/ruby/gems/2.4.0/gems/faraday-0.12.2/lib/faraday/adapter/net_http.rb:33:in `call'
    from /Users/yskkin/.rbenv/versions/2.4.1/lib/ruby/gems/2.4.0/gems/faraday-0.12.2/lib/faraday/request/url_encoded.rb:15:in `call'
    from /Users/yskkin/.rbenv/versions/2.4.1/lib/ruby/gems/2.4.0/gems/faraday-0.12.2/lib/faraday/rack_builder.rb:141:in `build_response'
    from /Users/yskkin/.rbenv/versions/2.4.1/lib/ruby/gems/2.4.0/gems/faraday-0.12.2/lib/faraday/connection.rb:386:in `run_request'
    from /Users/yskkin/.rbenv/versions/2.4.1/lib/ruby/gems/2.4.0/gems/faraday-0.12.2/lib/faraday/connection.rb:149:in `get'
yskkin
  • 854
  • 7
  • 24

1 Answers1

0

I've used net/http for my cert based requests. I forget where I found this patch, but it was instrumental in allowing us to attach more than one cert.



class NetHttpPatch < Net::HTTP
  SSL_IVNAMES << :@extra_chain_cert unless SSL_IVNAMES.include?(:@extra_chain_cert)
  SSL_ATTRIBUTES << :extra_chain_cert unless SSL_ATTRIBUTES.include?(:extra_chain_cert)

  # Sets the rest of the cert chain if there is one by adding an array of OpenSSL::X509::Certificate objects
  attr_accessor :extra_chain_cert

end

As for the actual implementation of net/http, I follow the steps to attach a cert

uri = URI.parse(url)
http = NetHttpPatch.new(uri.host, uri.port)
http.use_ssl = true
http.cert = certificate(<CERT STRING>)
http.key = OpenSSL::PKey::RSA.new(<PRIVATE KEY>)

# Here is the usage of the patch
http.extra_chain_cert = cert_chain([<EXTRA CERTS>])

http.verify_mode = OpenSSL::SSL::VERIFY_PEER

request = Net::HTTP::<WHATEVER METHOD YOU NEED HERE>
request.body = body
request.content_type = ...
request['Authorization'] = ...

http.request(request)
Int'l Man Of Coding Mystery
  • 1,632
  • 2
  • 14
  • 29