在Ruby on Rails应用程序中使用客户端SSL [英] Using Client SSL in a Ruby on Rails App
问题描述
我正在为需要与API进行SSL连接的客户端开发应用程序.我已经得到了三个文件.信任根证书(.cer)文件,中间证书(.cer)文件和签名的响应文件.我已给出的安装说明与IIS或Java keytool程序有关.我正在Ruby on Rails中构建应用程序,所以这都不是一个选择(据我所知).
I'm working on an app for a client that requires an SSL connection with an API. I've been provided with three files; a trust root certificate (.cer) file, an intermediate certificate (.cer) file and a signed response file. The instructions I've been given to install this relate to either IIS or the Java keytool program; I'm building the app in Ruby on Rails so neither is an option (as far as I am aware).
这些证书是由运行API服务的组织自签名的,似乎我得到了给定的客户端证书,以相互验证https连接.我不确定
The certificates are self-signed by the organisation who runs the API service and it appears I get given client certificates to mutually authenticate an https connection. I'm unsure how to
- 使用我的应用程序中的证书来连接和使用API
- 已签名的响应文件做什么
我已阅读使用自签名证书" 和这篇关于Ruby的OpenSSL的文章,但似乎都没有引起人们的关注(并且两者都依赖于Java/JRuby,这会使事情感到困惑).
I've read "Using a self-signed certificate" and this article on OpenSSL in Ruby but neither seems to quite hit the spot (and both have some reliance on Java/JRuby which confuses things).
任何指针将不胜感激.
推荐答案
根据您的评论,我假设证书采用DER格式,您可以使用openssl x509命令将其转换为PEM(请参阅: openssl x509命令):
Based on your comments, I'm assuming that the certificates are in DER format, which you can convert to PEM with the openssl x509 command (see: openssl x509 command):
openssl x509 -inform DER -outform PEM -in certfile.cer -out certfile.pem
之后,您可以指示Ruby OpenSSL库使用受信任的根证书来通过以下方式对SSL连接进行身份验证:
After that, you can instruct the Ruby OpenSSL library to use the trusted root certificate to authenticate the SSL connection with something like this:
require 'socket'
require 'openssl'
tcp_sock = TCPSocket.new("my.host.tld", 443)
ctx = OpenSSL::SSL::SSLContext.new
ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER|OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
#You may need to specify the absolute path to the file
ctx.ca_file = "certfile.pem"
ssl_sock = OpenSSL::SSL::SSLSocket.new(tcp_sock, ctx)
ssl_sock.sync_close = true
ssl_sock.connect
begin
ssl_sock.post_connection_check('my.host.tld')
rescue
puts "Certificate host did not match expected hostname"
end
在那之后,您应该能够像其他任何Ruby IO对象一样对ssl_sock进行读写.如果获得了用于允许服务器验证您身份的客户端证书,则可以使用以下方法配置SSL上下文:
After that, you should be able to read and write to ssl_sock like any other Ruby IO object. If you are given a client certificate to use to allow the server to authenticate you, you can configure the SSL context with:
ctx.cert = OpenSSL::X509::Certificate.new(File.read("my_cert.pem"))
ctx.key = OpenSSL::PKey::RSA.new(File.read("my_key.rsa"))
在创建ssl_sock之前.除了RSA之外,OpenSSL库还支持其他密钥类型,例如DSA(请参阅: OpenSSL: :PKey模块.)
before you create ssl_sock. The OpenSSL library also supports other key types besides RSA, such as DSA (see: OpenSSL::PKey module.)
最后,最后一条建议是,如果您要访问RESTful API,则可能需要考虑使用
Finally, a last piece of advice, if you are accessing a RESTful API, you may want to consider using a gem like rest-client instead of handling all of the HTTP/S connection stuff directly. Whether or not such a library is appropriate or useful will depend on the service you are using, of course.
这篇关于在Ruby on Rails应用程序中使用客户端SSL的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
