Class: HTTPClient::SSLConfig

Inherits:

Object

• Object
• HTTPClient::SSLConfig

Defined in:

lib/httpclient.rb

Overview

HTTPClient::SSLConfig – SSL configuration of a client.

Instance Attribute Summary

• #cert_store ⇒ Object

  don’t use if you don’t know what it is.

• #ciphers ⇒ Object

  Returns the value of attribute ciphers.

• #client_ca ⇒ Object

  Returns the value of attribute client_ca.

• #client_cert ⇒ Object

  :nodoc:.

• #client_key ⇒ Object

  Returns the value of attribute client_key.

• #options ⇒ Object

  Returns the value of attribute options.

• #timeout ⇒ Object

  Returns the value of attribute timeout.

• #verify_callback ⇒ Object

  Returns the value of attribute verify_callback.

• #verify_depth ⇒ Object

  Returns the value of attribute verify_depth.

• #verify_mode ⇒ Object

  Returns the value of attribute verify_mode.

Instance Method Summary

• #clear_cert_store ⇒ Object
• #default_verify_callback(is_ok, ctx) ⇒ Object

  Default callback for verification: only dumps error.

• #initialize(client) ⇒ SSLConfig constructor

  A new instance of SSLConfig.

• #post_connection_check(peer_cert, hostname) ⇒ Object

  this definition must match with the one in ext/openssl/lib/openssl/ssl.rb.

• #sample_verify_callback(is_ok, ctx) ⇒ Object

  Sample callback method: CAUTION: does not check CRL/ARL.

• #set_client_cert_file(cert_file, key_file) ⇒ Object
• #set_context(ctx) ⇒ Object

  interfaces for SSLSocketWrap.

• #set_crl(crl_file) ⇒ Object
• #set_trust_ca(trust_ca_file_or_hashed_dir) ⇒ Object

Constructor Details

#initialize(client) ⇒ SSLConfig

Returns a new instance of SSLConfig.

# File 'lib/httpclient.rb', line 142

def initialize(client)
  return unless SSLEnabled
  @client = client
  @cert_store = OpenSSL::X509::Store.new
  @client_cert = @client_key = @client_ca = nil
  @verify_mode = OpenSSL::SSL::VERIFY_PEER |
    OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
  @verify_depth = nil
  @verify_callback = nil
  @dest = nil
  @timeout = nil
  @options = defined?(OpenSSL::SSL::OP_ALL) ?
    OpenSSL::SSL::OP_ALL | OpenSSL::SSL::OP_NO_SSLv2 : nil
  @ciphers = "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"
  load_cacerts
end

Instance Attribute Details

#cert_store ⇒ Object

don’t use if you don’t know what it is.

# File 'lib/httpclient.rb', line 140

def cert_store
  @cert_store
end

#ciphers ⇒ Object

Returns the value of attribute ciphers.

# File 'lib/httpclient.rb', line 138

def ciphers
  @ciphers
end

#client_ca ⇒ Object

Returns the value of attribute client_ca.

# File 'lib/httpclient.rb', line 130

def client_ca
  @client_ca
end

#client_cert ⇒ Object

:nodoc:

# File 'lib/httpclient.rb', line 128

def client_cert
  @client_cert
end

#client_key ⇒ Object

Returns the value of attribute client_key.

# File 'lib/httpclient.rb', line 129

def client_key
  @client_key
end

#options ⇒ Object

Returns the value of attribute options.

# File 'lib/httpclient.rb', line 137

def options
  @options
end

#timeout ⇒ Object

Returns the value of attribute timeout.

# File 'lib/httpclient.rb', line 136

def timeout
  @timeout
end

#verify_callback ⇒ Object

Returns the value of attribute verify_callback.

# File 'lib/httpclient.rb', line 134

def verify_callback
  @verify_callback
end

#verify_depth ⇒ Object

Returns the value of attribute verify_depth.

# File 'lib/httpclient.rb', line 133

def verify_depth
  @verify_depth
end

#verify_mode ⇒ Object

Returns the value of attribute verify_mode.

# File 'lib/httpclient.rb', line 132

def verify_mode
  @verify_mode
end

Instance Method Details

#clear_cert_store ⇒ Object

# File 'lib/httpclient.rb', line 165

def clear_cert_store
  @cert_store = OpenSSL::X509::Store.new
  change_notify
end

#default_verify_callback(is_ok, ctx) ⇒ Object

Default callback for verification: only dumps error.

# File 'lib/httpclient.rb', line 283

def default_verify_callback(is_ok, ctx)
  if $DEBUG
    puts "#{ is_ok ? 'ok' : 'ng' }: #{ctx.current_cert.subject}"
  end
  if !is_ok
    depth = ctx.error_depth
    code = ctx.error
    msg = ctx.error_string
    STDERR.puts "at depth #{depth} - #{code}: #{msg}"
  end
  is_ok
end

#post_connection_check(peer_cert, hostname) ⇒ Object

this definition must match with the one in ext/openssl/lib/openssl/ssl.rb

Raises:

• (OpenSSL::SSL::SSLError)

# File 'lib/httpclient.rb', line 255

def post_connection_check(peer_cert, hostname)
  check_common_name = true
  cert = peer_cert
  cert.extensions.each{|ext|
    next if ext.oid != "subjectAltName"
    ext.value.split(/,\s+/).each{|general_name|
      if /\ADNS:(.*)/ =~ general_name
        check_common_name = false
        reg = Regexp.escape($1).gsub(/\\\*/, "[^.]+")
        return true if /\A#{reg}\z/i =~ hostname
      elsif /\AIP Address:(.*)/ =~ general_name
        check_common_name = false
        return true if $1 == hostname
      end
    }
  }
  if check_common_name
    cert.subject.to_a.each{|oid, value|
      if oid == "CN"
        reg = Regexp.escape(value).gsub(/\\\*/, "[^.]+")
        return true if /\A#{reg}\z/i =~ hostname
      end
    }
  end
  raise OpenSSL::SSL::SSLError, "hostname not match"
end

#sample_verify_callback(is_ok, ctx) ⇒ Object

Sample callback method: CAUTION: does not check CRL/ARL.

# File 'lib/httpclient.rb', line 297

def sample_verify_callback(is_ok, ctx)
  unless is_ok
    depth = ctx.error_depth
    code = ctx.error
    msg = ctx.error_string
    STDERR.puts "at depth #{depth} - #{code}: #{msg}" if $DEBUG
    return false
  end

  cert = ctx.current_cert
  self_signed = false
  ca = false
  pathlen = nil
  server_auth = true
  self_signed = (cert.subject.cmp(cert.issuer) == 0)

  # Check extensions whatever its criticality is. (sample)
  cert.extensions.each do |ex|
    case ex.oid
    when 'basicConstraints'
      /CA:(TRUE|FALSE), pathlen:(\d+)/ =~ ex.value
      ca = ($1 == 'TRUE')
      pathlen = $2.to_i
    when 'keyUsage'
      usage = ex.value.split(/\s*,\s*/)
      ca = usage.include?('Certificate Sign')
      server_auth = usage.include?('Key Encipherment')
    when 'extendedKeyUsage'
      usage = ex.value.split(/\s*,\s*/)
      server_auth = usage.include?('Netscape Server Gated Crypto')
    when 'nsCertType'
      usage = ex.value.split(/\s*,\s*/)
      ca = usage.include?('SSL CA')
      server_auth = usage.include?('SSL Server')
    end
  end

  if self_signed
    STDERR.puts 'self signing CA' if $DEBUG
    return true
  elsif ca
    STDERR.puts 'middle level CA' if $DEBUG
    return true
  elsif server_auth
    STDERR.puts 'for server authentication' if $DEBUG
    return true
  end

  return false
end

#set_client_cert_file(cert_file, key_file) ⇒ Object

# File 'lib/httpclient.rb', line 159

def set_client_cert_file(cert_file, key_file)
  @client_cert = OpenSSL::X509::Certificate.new(File.open(cert_file).read)
  @client_key = OpenSSL::PKey::RSA.new(File.open(key_file).read)
  change_notify
end

#set_context(ctx) ⇒ Object

interfaces for SSLSocketWrap.

# File 'lib/httpclient.rb', line 239

def set_context(ctx)
  # Verification: Use Store#verify_callback instead of SSLContext#verify*?
  ctx.cert_store = @cert_store
  ctx.verify_mode = @verify_mode
  ctx.verify_depth = @verify_depth if @verify_depth
  ctx.verify_callback = @verify_callback || method(:default_verify_callback)
  # SSL config
  ctx.cert = @client_cert
  ctx.key = @client_key
  ctx.client_ca = @client_ca
  ctx.timeout = @timeout
  ctx.options = @options
  ctx.ciphers = @ciphers
end

#set_crl(crl_file) ⇒ Object

# File 'lib/httpclient.rb', line 179

def set_crl(crl_file)
  crl = OpenSSL::X509::CRL.new(File.open(crl_file).read)
  @cert_store.add_crl(crl)
  @cert_store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK | OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
  change_notify
end

#set_trust_ca(trust_ca_file_or_hashed_dir) ⇒ Object

# File 'lib/httpclient.rb', line 170

def set_trust_ca(trust_ca_file_or_hashed_dir)
  if FileTest.directory?(trust_ca_file_or_hashed_dir)
    @cert_store.add_path(trust_ca_file_or_hashed_dir)
  else
    @cert_store.add_file(trust_ca_file_or_hashed_dir)
  end
  change_notify
end