SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed ONLY WHEN PROXYING

Problem description

This post nearly duplicates a number of other posts, including Rails 4 and Ruby 2 Net/HTTP SSL Request: OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: unknown protocol and SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed, but with one key difference: the "certificate verify failed" error only happens when proxied via an SSL proxy (Charles), and only in the latest version of Ruby.

Specifically, this (non-proxied) code works:

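  require 'net/http'
  uri = URI.parse('https://www.ibm.com')
  # No proxy: the third argument (proxy address) is nil
  http = Net::HTTP.new(uri.host, uri.port, nil)
  http.use_ssl = true
  # request_uri yields "/" when the URL has no path; Net::HTTP rejects an empty path
  http.start { |agent| agent.get(uri.request_uri) }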

and this (proxied) code fails with a "certificate verify failed" error:

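  require 'net/http'
  uri = URI.parse('https://www.ibm.com')
  # Route the request through the local SSL proxy (Charles) on localhost:8888
  http = Net::HTTP.new(uri.host, uri.port, "localhost", 8888)
  http.use_ssl = true
  # request_uri yields "/" when the URL has no path; Net::HTTP rejects an empty path
  http.start { |agent| agent.get(uri.request_uri) }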

The puzzle

The error ONLY appears when going through the proxy in the current versions of Ruby/OpenSSL. In particular:

  • There's no error when NOT going through the proxy, which leads me to think that the local certs are valid.
  • There's no error when going through the proxy with Firefox or curl -v https://www.ibm.com/, which leads me to think that the Charles certs are valid.
  • There's no error going through the proxy on an earlier version of Ruby / OpenSSL (see below for the two environments).

All this makes me suspect an actual Ruby bug rather than a problem with my certs, but I'd be happy to be shown otherwise.

I'm observing the error with this environment:

$ system_profiler SPSoftwareDataType | grep "System Version"
    System Version: OS X 10.8.5 (12F45)
$ ruby --version ; openssl version ; gem list | grep http
ruby 2.0.0p247 (2013-06-27) [x86_64-darwin12.4.0]
OpenSSL 1.0.1e 11 Feb 2013
http-cookie (1.0.2)
http_router (0.10.2)
net-http-digest_auth (1.4)
net-http-persistent (2.9)
ntlm-http (0.1.1)

The previous environment

The error does not appear with a slightly older version of ruby/OpenSSL:

$ ruby --version ; openssl version ; gem list | grep http
ruby 2.0.0p0 (2013-02-24 revision 39474) [x86_64-darwin10.8.0]
OpenSSL 0.9.8y 5 Feb 2013
http_router (0.11.0, 0.10.2)
httpauth (0.2.0)
net-http-digest_auth (1.2.1)
net-http-persistent (2.8)
ntlm-http (0.1.1)

Recommended answer

What is going on here is that Charles cannot provide you with a valid certificate for "https://www.ibm.com", because whatever certificate you set up Charles with (or if Charles creates its own certificate) it cannot be for the "www.ibm.com" name AND certified by a trusted certificate authority. That's why the connection fails if the client verifies the certificate, and works if you skip verification with

http.verify_mode = OpenSSL::SSL::VERIFY_NONE

It probably worked with the older version of ruby because "net/https" was adjusted to verify certificates by default only recently.
