Class: HTTPClient::SSLConfig
Overview
HTTPClient::SSLConfig – SSL configuration of a client.
Instance Attribute Summary
-
#cert_store ⇒ Object
don’t use if you don’t know what it is.
-
#ciphers ⇒ Object
Returns the value of attribute ciphers.
-
#client_ca ⇒ Object
Returns the value of attribute client_ca.
-
#client_cert ⇒ Object
:nodoc:.
-
#client_key ⇒ Object
Returns the value of attribute client_key.
-
#options ⇒ Object
Returns the value of attribute options.
-
#timeout ⇒ Object
Returns the value of attribute timeout.
-
#verify_callback ⇒ Object
Returns the value of attribute verify_callback.
-
#verify_depth ⇒ Object
Returns the value of attribute verify_depth.
-
#verify_mode ⇒ Object
Returns the value of attribute verify_mode.
Instance Method Summary
- #clear_cert_store ⇒ Object
-
#default_verify_callback(is_ok, ctx) ⇒ Object
Default callback for verification: only dumps error.
-
#initialize(client) ⇒ SSLConfig
constructor
A new instance of SSLConfig.
-
#post_connection_check(peer_cert, hostname) ⇒ Object
This definition must match the one in ext/openssl/lib/openssl/ssl.rb.
-
#sample_verify_callback(is_ok, ctx) ⇒ Object
Sample callback method: CAUTION: does not check CRL/ARL.
- #set_client_cert_file(cert_file, key_file) ⇒ Object
-
#set_context(ctx) ⇒ Object
Interface for SSLSocketWrap.
- #set_crl(crl_file) ⇒ Object
- #set_trust_ca(trust_ca_file_or_hashed_dir) ⇒ Object
Constructor Details
#initialize(client) ⇒ SSLConfig
Returns a new instance of SSLConfig.
# File 'lib/httpclient.rb', line 149
# Builds the SSL configuration for +client+ with the library defaults.
# When SSLEnabled is false the method returns at once and every attribute
# stays nil.
#
# Defaults set here: an empty OpenSSL::X509::Store (load_cacerts is called
# at the end, presumably to fill it), peer verification that also rejects
# a missing peer certificate (VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT),
# OP_ALL with the SSLv2 protocol disabled when the OpenSSL binding exposes
# OP_ALL (nil otherwise), and the cipher string
# "ALL:!ADH:!LOW:!EXP:!MD5:+SSLv2:@STRENGTH".
#
# NOTE(review): the cipher string still contains a +SSLv2 term while
# @options sets OP_NO_SSLv2; confirm how the OpenSSL version in use treats
# that combination before relying on either one alone.
#
# @param client [Object] the owning client, kept in @client
def initialize(client)
  return unless SSLEnabled
  @client = client
  @cert_store = OpenSSL::X509::Store.new
  @client_cert = nil
  @client_key = nil
  @client_ca = nil
  @verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
  @verify_depth = nil
  @verify_callback = nil
  @dest = nil
  @timeout = nil
  @options = nil
  @options = OpenSSL::SSL::OP_ALL | OpenSSL::SSL::OP_NO_SSLv2 if defined?(OpenSSL::SSL::OP_ALL)
  @ciphers = "ALL:!ADH:!LOW:!EXP:!MD5:+SSLv2:@STRENGTH"
  load_cacerts
end
Instance Attribute Details
#cert_store ⇒ Object
don’t use if you don’t know what it is.
# File 'lib/httpclient.rb', line 147
# The OpenSSL::X509::Store that set_trust_ca, set_crl and clear_cert_store
# operate on. Don't use it unless you know what it is.
# @return [OpenSSL::X509::Store, nil] nil when SSL is not enabled
def cert_store; @cert_store; end
#ciphers ⇒ Object
Returns the value of attribute ciphers.
# File 'lib/httpclient.rb', line 145
# OpenSSL cipher string handed to SSLContext#ciphers= by set_context.
# @return [String, nil]
def ciphers; @ciphers; end
#client_ca ⇒ Object
Returns the value of attribute client_ca.
# File 'lib/httpclient.rb', line 137
# Value passed to SSLContext#client_ca= by set_context.
# @return [Object, nil]
def client_ca; @client_ca; end
#client_cert ⇒ Object
:nodoc:
# File 'lib/httpclient.rb', line 135
# Client certificate presented to the server; set by set_client_cert_file.
# @return [OpenSSL::X509::Certificate, nil]
def client_cert; @client_cert; end
#client_key ⇒ Object
Returns the value of attribute client_key.
# File 'lib/httpclient.rb', line 136
# Private key matching #client_cert; set by set_client_cert_file.
# @return [OpenSSL::PKey::RSA, nil]
def client_key; @client_key; end
#options ⇒ Object
Returns the value of attribute options.
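# File 'lib/httpclient.rb', line 144
# SSL option flags handed to SSLContext#options= by set_context.
# (The method name was lost in the rendered page; it is the +options+
# reader listed in the attribute summary.)
# @return [Integer, nil]
def options; @options; end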
#timeout ⇒ Object
Returns the value of attribute timeout.
# File 'lib/httpclient.rb', line 143
# Value handed to SSLContext#timeout= by set_context.
# @return [Object, nil]
def timeout; @timeout; end
#verify_callback ⇒ Object
Returns the value of attribute verify_callback.
# File 'lib/httpclient.rb', line 141
# Custom verify callback; when nil, set_context installs
# default_verify_callback instead.
# @return [#call, nil]
def verify_callback; @verify_callback; end
#verify_depth ⇒ Object
Returns the value of attribute verify_depth.
# File 'lib/httpclient.rb', line 140
# Maximum chain depth; set_context only applies it to the context when
# it is non-nil.
# @return [Integer, nil]
def verify_depth; @verify_depth; end
#verify_mode ⇒ Object
Returns the value of attribute verify_mode.
# File 'lib/httpclient.rb', line 139
# OpenSSL verify mode handed to SSLContext#verify_mode= by set_context.
# @return [Integer, nil]
def verify_mode; @verify_mode; end
Instance Method Details
#clear_cert_store ⇒ Object
# File 'lib/httpclient.rb', line 172
# Replaces the certificate store with an empty OpenSSL::X509::Store and
# notifies the client. Whatever load_cacerts put into the store during
# initialize is discarded, so trust anchors have to be added again with
# set_trust_ca before verification can succeed.
def clear_cert_store
  @cert_store = OpenSSL::X509::Store.new
  change_notify
end
#default_verify_callback(is_ok, ctx) ⇒ Object
Default callback for verification: only dumps error.
# File 'lib/httpclient.rb', line 290
# Default verify callback: logs and returns +is_ok+ unchanged, so the
# verdict stays the one OpenSSL computed.
# A per-certificate "ok"/"ng" line goes to stdout only when $DEBUG is set;
# for a rejected certificate the depth, error code and message are always
# written to STDERR.
#
# @param is_ok [Boolean] OpenSSL's verdict for the current certificate
# @param ctx [OpenSSL::X509::StoreContext] verification context
# @return [Boolean] +is_ok+
def default_verify_callback(is_ok, ctx)
  puts "#{is_ok ? 'ok' : 'ng'}: #{ctx.current_cert.subject}" if $DEBUG
  unless is_ok
    STDERR.puts "at depth #{ctx.error_depth} - #{ctx.error}: #{ctx.error_string}"
  end
  is_ok
end
#post_connection_check(peer_cert, hostname) ⇒ Object
This definition must match the one in ext/openssl/lib/openssl/ssl.rb.
# File 'lib/httpclient.rb', line 262
# Checks that +hostname+ is one of the identities in +peer_cert+.
# This definition must match the one in ext/openssl/lib/openssl/ssl.rb.
#
# Order of precedence: every subjectAltName entry is examined first.
# A DNS entry is compared case-insensitively against the whole hostname,
# with each '*' standing for one label segment ([^.]+), so "*.example.com"
# matches "www.example.com" but neither "a.b.example.com" nor "example.com".
# An "IP Address" entry must equal the hostname string exactly.
# The subject CN is consulted (same wildcard rule) only when the
# certificate has no DNS or IP subjectAltName entry at all.
#
# @param peer_cert [OpenSSL::X509::Certificate] certificate presented by the peer
# @param hostname [String] host the client intended to reach
# @return [true] when an identity matches
# @raise [OpenSSL::SSL::SSLError] "hostname not match" when nothing matches
def post_connection_check(peer_cert, hostname)
  # Case-insensitive whole-string match of +name+ against hostname, with
  # escaped '*' wildcards widened to one label segment each.
  wildcard_match = lambda do |name|
    pattern = Regexp.escape(name).gsub(/\\\*/, "[^.]+")
    /\A#{pattern}\z/i =~ hostname
  end
  use_common_name = true
  peer_cert.extensions.each do |ext|
    next unless ext.oid == "subjectAltName"
    ext.value.split(/,\s+/).each do |general_name|
      case general_name
      when /\ADNS:(.*)/
        use_common_name = false
        return true if wildcard_match.call(Regexp.last_match(1))
      when /\AIP Address:(.*)/
        use_common_name = false
        return true if Regexp.last_match(1) == hostname
      end
    end
  end
  if use_common_name
    peer_cert.subject.to_a.each do |oid, value|
      return true if oid == "CN" && wildcard_match.call(value)
    end
  end
  raise OpenSSL::SSL::SSLError, "hostname not match"
end
#sample_verify_callback(is_ok, ctx) ⇒ Object
Sample callback method: CAUTION: does not check CRL/ARL.
# File 'lib/httpclient.rb', line 304
# Sample verify callback. It is not the one set_context installs, which is
# default_verify_callback unless verify_callback is set.
# CAUTION: does not check CRL/ARL. It also accepts any self-signed
# certificate and any certificate that looks like a CA without consulting
# the trust store, so it is illustrative only.
#
# Decision, from the current certificate alone:
# * OpenSSL already rejected it (+is_ok+ false)      -> false
# * subject equals issuer (self-signed)              -> true
# * CA per basicConstraints / keyUsage / nsCertType  -> true
# * usable for server authentication                 -> true
# * otherwise                                        -> false
# Extensions are read in certificate order and later ones overwrite earlier
# results. basicConstraints counts as CA only when it matches
# "CA:TRUE, pathlen:N" (no pathlen -> not a CA). extendedKeyUsage is only
# recognised for 'Netscape Server Gated Crypto', so a standard
# 'TLS Web Server Authentication' EKU turns server_auth off.
#
# @param is_ok [Boolean] OpenSSL's verdict for the current certificate
# @param ctx [OpenSSL::X509::StoreContext] verification context
# @return [Boolean]
def sample_verify_callback(is_ok, ctx)
  unless is_ok
    depth, code, msg = ctx.error_depth, ctx.error, ctx.error_string
    STDERR.puts "at depth #{depth} - #{code}: #{msg}" if $DEBUG
    return false
  end
  cert = ctx.current_cert
  split_usage = ->(raw) { raw.split(/\s*,\s*/) }
  self_signed = (cert.subject.cmp(cert.issuer) == 0)
  ca = false
  server_auth = true
  # Check extensions whatever their criticality is. (sample)
  cert.extensions.each do |ex|
    oid = ex.oid
    if oid == 'basicConstraints'
      bc = /CA:(TRUE|FALSE), pathlen:(\d+)/.match(ex.value)
      ca = !bc.nil? && bc[1] == 'TRUE'
    elsif oid == 'keyUsage'
      usage = split_usage.call(ex.value)
      ca = usage.include?('Certificate Sign')
      server_auth = usage.include?('Key Encipherment')
    elsif oid == 'extendedKeyUsage'
      server_auth = split_usage.call(ex.value).include?('Netscape Server Gated Crypto')
    elsif oid == 'nsCertType'
      usage = split_usage.call(ex.value)
      ca = usage.include?('SSL CA')
      server_auth = usage.include?('SSL Server')
    end
  end
  verdict, label =
    if self_signed
      [true, 'self signing CA']
    elsif ca
      [true, 'middle level CA']
    elsif server_auth
      [true, 'for server authentication']
    else
      [false, nil]
    end
  STDERR.puts label if $DEBUG && label
  verdict
end
#set_client_cert_file(cert_file, key_file) ⇒ Object
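# File 'lib/httpclient.rb', line 166
# Loads the client certificate and its RSA private key from disk and
# notifies the client of the change.
# File.read closes each file as soon as it is read; the previous
# File.open(path).read left the handles open until garbage collection.
# Only RSA keys are accepted (OpenSSL::PKey::RSA).
#
# @param cert_file [String] path to the client certificate
# @param key_file [String] path to the RSA private key
# @raise [SystemCallError] when a file cannot be read
# @raise [OpenSSL::X509::CertificateError, OpenSSL::PKey::RSAError] when the contents cannot be parsed
def set_client_cert_file(cert_file, key_file)
  @client_cert = OpenSSL::X509::Certificate.new(File.read(cert_file))
  @client_key = OpenSSL::PKey::RSA.new(File.read(key_file))
  change_notify
end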
#set_context(ctx) ⇒ Object
Interface for SSLSocketWrap.
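# File 'lib/httpclient.rb', line 246
# Interface for SSLSocketWrap: copies this configuration onto an
# OpenSSL::SSL::SSLContext.
# verify_depth is applied only when set; the verify callback falls back to
# default_verify_callback, which returns OpenSSL's verdict unchanged.
# (The rendered page had lost the method name in the +ctx.options=+ line;
# it is the SSLContext#options= setter, fed from #options.)
#
# @param ctx [OpenSSL::SSL::SSLContext] context to configure
def set_context(ctx)
  # Verification: Use Store#verify_callback instead of SSLContext#verify*?
  ctx.cert_store = @cert_store
  ctx.verify_mode = @verify_mode
  ctx.verify_depth = @verify_depth if @verify_depth
  ctx.verify_callback = @verify_callback || method(:default_verify_callback)
  # SSL config
  ctx.cert = @client_cert
  ctx.key = @client_key
  ctx.client_ca = @client_ca
  ctx.timeout = @timeout
  ctx.options = @options
  ctx.ciphers = @ciphers
end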
#set_crl(crl_file) ⇒ Object
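# File 'lib/httpclient.rb', line 186
# Adds a CRL from +crl_file+ to the certificate store, turns on CRL
# checking for the whole chain (V_FLAG_CRL_CHECK | V_FLAG_CRL_CHECK_ALL)
# and notifies the client.
# File.read closes the file immediately; the previous File.open(path).read
# leaked the handle until garbage collection.
# NOTE(review): with CRL_CHECK_ALL OpenSSL is expected to require a CRL for
# every issuer in the chain, so a missing CRL fails verification — confirm
# against the OpenSSL version in use.
#
# @param crl_file [String] path to the CRL
# @raise [SystemCallError] when the file cannot be read
# @raise [OpenSSL::X509::CRLError] when the contents cannot be parsed
def set_crl(crl_file)
  crl = OpenSSL::X509::CRL.new(File.read(crl_file))
  @cert_store.add_crl(crl)
  @cert_store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK | OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
  change_notify
end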
#set_trust_ca(trust_ca_file_or_hashed_dir) ⇒ Object
# File 'lib/httpclient.rb', line 177
# Adds trust anchors to the certificate store and notifies the client.
# A directory goes through Store#add_path (OpenSSL's hashed-name CA
# directory layout), anything else through Store#add_file.
#
# @param trust_ca_file_or_hashed_dir [String] CA bundle file or hashed CA directory
def set_trust_ca(trust_ca_file_or_hashed_dir)
  target = trust_ca_file_or_hashed_dir
  adder = FileTest.directory?(target) ? :add_path : :add_file
  @cert_store.public_send(adder, target)
  change_notify
end