禁用Ruby net/http的SNI扩展-将IP地址与SSL/TLS一起使用 [英] Disable SNI Extension for Ruby net/http - Using IP address with SSL/TLS
问题描述
我有一个Ruby轮询脚本,该脚本在IP范围内的一组服务器上运行.我非常强烈更喜欢按IP地址而不是按主机名进行轮询,因为:
I have a Ruby polling script that runs on a set of servers in an IP range. I very strongly prefer to do this polling by IP address, not by hostname, because:
1)我已经定义了要轮询的IP地址范围,并且主机名是任意的/更改很多
1) I have defined IP address ranges to poll, and hostnames are arbitrary/change a lot
2)因为它们变化很大,所以大多数主机名没有反向DNS查找,因此我无法设计IP中的主机名列表
2) Because they change a lot, most of the hostnames do not have a reverse DNS lookup, so I can't engineer a list of hostnames from IPs
在我们的Web服务器对此轮询没有问题之前,但是在不接受SSLv3通信的新服务器上,这是我在运行轮询时遇到的错误:
Before our web servers had no problem with this polling, but on a new server that does not accept SSLv3 communication, this is the error I get when I run my poll:
/home/dashboard/.rvm/rubies/ruby-2.1.6/lib/ruby/2.1.0/net/http.rb:923:in `connect': SSL_connect returned=1 errno=0 state=unknown state: tlsv1 unrecognized name (OpenSSL::SSL::SSLError)
在服务器端,这是错误:
On the server side, this is the error:
nss_engine_init.c(1802): start function ownSSLSNISocketConfig for SNI
nss_engine_init.c(1827): Search [val = 172.16.99.18] failed, unrecognized name
当我使用主机名运行民意测验时,一切正常.
When I run the poll with hostname, everything works fine.
这是Ruby中HTTP客户端代码的症结所在:
Here is the crux of the HTTP Client code in Ruby:
def init_http(url)
uri = URI.parse(url)
http = Net::HTTP.new(uri.host, uri.port)
http.verify_mode = OpenSSL::SSL::VERIFY_PEER
http.read_timeout = 10
http.use_ssl = true
#http.ssl_version = 'TLSv1'
return [http, uri]
end
您可以说,我一直在使用TLS和SSL版本,因为我认为这可能是问题所在.我的下一个想法(谷歌只有Java的证据)是,仅禁用客户端上的SNI扩展有多容易?"更为笼统的问题是:我可以在使用更新,更安全的通信协议的同时继续在Ruby net/http中使用IP地址吗?"
As you can tell, I've been playing around with TLS and SSL version, because I figured that might be the issue. My next thought (that Google only has evidence of for Java) is, "How easy is it to just disable the SNI extension on my client?" The more general question is, "Can I keep using IP addresses with Ruby net/http while taking advantage of newer, more secure communication protocols?"
推荐答案
The easiest way to solve this is to add the patch that @steffenullrich mentioned for bug 10613.
我所做的只是查看差异文件,然后自己编辑文件,但是如果您熟悉Linux修补程序工具,就可以使用它.
All I did was look at the diff, and edit the file myself, but you can use the Linux patch tool if you're familiar with it.
对于不确定/net/http.rb位置的用户,它与其余Ruby源代码位于同一位置.例如,我的在这里:
For those who are unsure of where /net/http.rb is located, it is in the same location as the rest of your Ruby sources. For example, mine was here:
/home/myuser/.rvm/rubies/ruby-2.1.6/lib/net/http.rb
/home/myuser/.rvm/rubies/ruby-2.1.6/lib/net/http.rb
修补文件后,将HTTP对象的.disable_sni属性设置为true,并且不需要SNI,从而允许在混合TLS通信中使用IP地址.
Once you patch the file, set the .disable_sni property of your HTTP object to true, and SNI will not be required, allowing the use of IP addresses in mixed-TLS communication.
这篇关于禁用Ruby net/http的SNI扩展-将IP地址与SSL/TLS一起使用的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
