I have a server working that looks a little bit like this:


require "socket"
require "openssl"
require "thread"

listeningPort = Integer(ARGV[0])

server = TCPServer.new(listeningPort)
sslContext = OpenSSL::SSL::SSLContext.new
# Server certificate and private key, loaded from PEM files (File.read avoids leaking the handle)
sslContext.cert = OpenSSL::X509::Certificate.new(File.read("cert.pem"))
sslContext.key = OpenSSL::PKey::RSA.new(File.read("priv.pem"))
sslServer = OpenSSL::SSL::SSLServer.new(server, sslContext)

puts "Listening on port #{listeningPort}"

loop do
  connection = sslServer.accept   # TLS handshake completes here
  Thread.new { ... }              # per-connection handler (elided in the question)
end

When I connect with TLS 1.3 and provide a client cert, I can see that it's working when I verify the cert in the SSL context, but peer_cert is never set on the connection; only the context receives a session.

Do I need to upgrade to TLS manually to access the cert from the client?

The reason I want it is that I can restrict content or authenticate by looking at the cert, as in the Gemini protocol.

defunct

1 Answer

After a lot of reading in the OpenSSL docs I found a solution:

I set sslContext.verify_mode = OpenSSL::SSL::VERIFY_PEER and add a verification callback:

sslContext.verify_mode = OpenSSL::SSL::VERIFY_PEER
# The callback replaces OpenSSL's own verdict: returning true accepts any
# client certificate, including a self-signed one, so the handshake completes
sslContext.verify_callback = proc do |_preverify_ok, _store_context|
  true
end

This behaves like VERIFY_NONE, but it does request the peer certificate (which the server will not do when the mode is set to VERIFY_NONE, as the documentation states: https://www.openssl.org/docs/man1.1.1/man3/SSL_CTX_set_verify.html).

defunct
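The following is an added, self-contained example (not the question's or the answer's code) that runs the described handshake end to end over loopback and shows the difference the answer relies on: with the default VERIFY_NONE the server never sends a CertificateRequest and peer_cert is nil, while with VERIFY_PEER plus an always-true verify_callback the self-signed client certificate arrives and can be fingerprinted. The certificates, the "alice" client identity, the loopback port and the Gemini-style status lines (20 success, 60 client certificate required) are constructed here for the demo; a real server would load its cert.pem / priv.pem as in the question.

```ruby
require "socket"
require "openssl"

# Constructed for the demo: a self-signed certificate and its RSA key.
def make_self_signed(common_name)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# SHA-256 over the DER encoding: the stable identity a Gemini server can pin
# or use for trust-on-first-use, independent of who signed the certificate.
def fingerprint(cert)
  OpenSSL::Digest.new("SHA256").hexdigest(cert.to_der)
end

# Server context. With request_client_cert: true the answer's trick is applied:
# VERIFY_PEER makes OpenSSL send a CertificateRequest, and the callback accepts
# whatever comes back so unknown (self-signed) client certs still complete the
# handshake. With false the context keeps the default VERIFY_NONE, under which
# no certificate is requested and peer_cert stays nil.
def server_context(cert, key, request_client_cert:)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key  = key
  if request_client_cert
    ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
    ctx.verify_callback = proc { |_preverify_ok, _store_ctx| true }
  end
  ctx
end

# Runs one TLS handshake over 127.0.0.1 and returns the client's fingerprint
# together with the fingerprint the server observed via peer_cert (nil when
# the client presented nothing because it was never asked).
def handshake_fingerprints(request_client_cert:)
  server_cert, server_key = make_self_signed("localhost")
  client_cert, client_key = make_self_signed("alice")

  tcp  = TCPServer.new("127.0.0.1", 0)
  port = tcp.addr[1]
  ctx  = server_context(server_cert, server_key, request_client_cert: request_client_cert)
  ssl_server = OpenSSL::SSL::SSLServer.new(tcp, ctx)

  seen = nil
  server = Thread.new do
    conn = ssl_server.accept            # handshake completes here (TLS 1.3 included)
    peer = conn.peer_cert               # OpenSSL::X509::Certificate or nil
    seen = peer && fingerprint(peer)
    conn.gets                           # the request line
    # Gemini-style reply: 60 asks for a client cert, 20 serves the content
    conn.puts(seen ? "20 text/gemini" : "60 client certificate required")
    conn.close
  end

  cctx = OpenSSL::SSL::SSLContext.new
  cctx.cert = client_cert               # offered only if the server requests it
  cctx.key  = client_key
  cctx.verify_mode = OpenSSL::SSL::VERIFY_NONE   # demo only: server cert is self-signed
  sock = OpenSSL::SSL::SSLSocket.new(TCPSocket.new("127.0.0.1", port), cctx)
  sock.sync_close = true
  sock.connect
  sock.puts("gemini://localhost/")
  status = sock.gets.to_s.strip
  sock.close

  server.join
  ssl_server.close
  { client: fingerprint(client_cert), server_saw: seen, status: status }
end

if __FILE__ == $PROGRAM_NAME
  puts "VERIFY_NONE:          #{handshake_fingerprints(request_client_cert: false).inspect}"
  puts "VERIFY_PEER+callback: #{handshake_fingerprints(request_client_cert: true).inspect}"
end
```

Because the callback returns true unconditionally, OpenSSL no longer rejects anything about the client certificate, so the server itself becomes responsible for the decision: compare the fingerprint against an allowlist or a TOFU store, and check not_before / not_after on the X509::Certificate if expiry matters to the application.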