OpenSSL :: SSL :: SSLError:主机名与服务器证书不匹配 [英] OpenSSL::SSL::SSLError: hostname does not match the server certificate
问题描述
今天早上突然,我的HTTP客户端(HTTParty)抛出了错误OpenSSL::SSL::SSLError: hostname does not match the server certificate
All of sudden today morning my HTTP client (HTTParty) threw an error OpenSSL::SSL::SSLError: hostname does not match the server certificate
首先,我无法理解是哪一个,因此今天我们过去两年来几乎每天都进行该api调用,没有任何问题
Firstly I'm not able to understand which so today we have been make that api call almost all day number times from past 2 years without any issue
其次,我不知道该如何解决,因为它是HTTParty内部的
Secondly I don't understand how do I solve it since it internal to HTTParty
我唯一了解的是我无法在ENV中设置SSL_CERT_FILE,但是正如我所说的,我已经在/etc/ssl/certs(SSL_CERT_DIR)
The only thing I know of is that I cant set SSL_CERT_FILE in ENV but as said I already have ROOT CA listed in my /etc/ssl/certs (SSL_CERT_DIR)
这是我的输出
irb(main):001:0> require "openssl"
=> true
irb(main):002:0> puts OpenSSL::OPENSSL_VERSION
OpenSSL 1.0.1 14 Mar 2012
=> nil
irb(main):003:0> puts "SSL_CERT_FILE: %s" % OpenSSL::X509::DEFAULT_CERT_FILE
SSL_CERT_FILE: /usr/lib/ssl/cert.pem
=> nil
irb(main):004:0> puts "SSL_CERT_DIR: %s" % OpenSSL::X509::DEFAULT_CERT_DIR
SSL_CERT_DIR: /usr/lib/ssl/certs
最后,正如所说的,Openssl并没有改变,仅代码明智的事情是opensl版本的补丁,引用了 HEARTBLEED 漏洞
Lastly as said nothing has change on Openssl and code wise only thing that has happen is the patch the openssl version citing HEARTBLEED vulnerability
请记住,我们只是修补了openssl版本,但didnt recompile the RUBY可能会对此造成影响
Mind you we just patch the openssl version but didnt recompile the RUBY could that be a issue for this
有问题的Ruby是ruby 1.9.3p327
Net :: HTTP库的版本为httparty-0.13.0
Net::HTTP library is version httparty-0.13.0
注意:-作为解决方案,我没有在OPENSSL中具有 VERIFY_NONE 选项
NOTE: - As a solution I didn't except to have VERIFY_NONE options in OPENSSL
推荐答案
很难不知道您也正在连接的主机,但是我想他们只是在服务器端更改了证书.问题可能是您的脚本不支持SNI(服务器名称指示,例如,同一IP后面有多个主机名和证书),但是服务器提供商现在更改了该站点的默认证书(如果客户端执行此操作,则使用该证书).不支持SNI.)
It's hard to be sure without knowing host you are connecting too, but I guess that they simply changed the certificate at the servers end. The problem might be, that your script does not support SNI (server name indication, e.g. multiple host names and certificates behind the same IP), but the server providers now changed the default certificate for this site (the one which is used if client does not support SNI).
但是就像我说的那样,很难确定问题中是否缺少细节.
But like I said, it's hard to be sure with this lack of details in the question.
这篇关于OpenSSL :: SSL :: SSLError:主机名与服务器证书不匹配的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
