Net :: HTTP中的服务器名称指示支持? [英] Server Name Indication support in Net::HTTP?
问题描述
我正在尝试使用Ruby的 Net :: HTTP
实现与SNI一起使用。
I'm trying to get Ruby's Net::HTTP
implementation to work with SNI.
两封邮件.google.com和gmail.com位于相同的IP地址上,因此当通过SSL连接时,Google服务器需要知道要使用的证书。默认情况下,它会返回mail.google.com证书,如果您尝试实施WebFinger,则会出现问题。
Both mail.google.com and gmail.com live on the same IP address, so when connecting via SSL, the Google server needs to know which certificate to use. By default, it returns the mail.google.com certificate, which is a problem if you're trying to implement WebFinger.
WebFinger要求您检索 https://gmail.com/.well-known/host-meta
获取LRDD信息,但出于安全考虑,验证SSL证书信息至关重要。
WebFinger requires you to retrieve https://gmail.com/.well-known/host-meta
to get the LRDD information, however, for security reasons, it's critical to verify the SSL certificate information.
由于Google在这种情况下提供默认的mail.google.com证书,因此SSL post_connection_check
将失败。这里正确的解决方案是为 Net :: HTTP
启用服务器名称指示,但我不清楚如何使用OpenSSL的Ruby绑定。其他人有想法吗?
Since Google serves up the default mail.google.com certificate in this case, the SSL post_connection_check
fails. The correct solution here would be to enable Server Name Indication for Net::HTTP
, but it's not clear to me how to get that working with the Ruby bindings for OpenSSL. Anyone else have an idea?
您应该可以通过运行来查看问题:
You should be able to see the problem by running:
require 'open-uri'
open('https://gmail.com/.well-known/host-meta') { |f| f.read }
我还创建了一个使用早期版本curl来解决问题的要点和OpenSSL:
I've also created a gist that exhibits the problem using an earlier version of curl and OpenSSL:
https://gist.github.com / 7936ef38787092a22897
推荐答案
对于SNI支持,您需要更新的OpenSSL版本(0.9.8f, --enable -tlsext
或0.9.8j或更高版本)并在之前调用 OpenSSL :: SSL :: SSLSocket#hostname ='hostname'
SSLSocket的#连接
。 Net :: HTTPS
还不支持SNI,而open-uri则不支持。
For SNI support, you need a newer OpenSSL release (0.9.8f with --enable-tlsext
or 0.9.8j or later) and call OpenSSL::SSL::SSLSocket#hostname = 'hostname'
before SSLSocket#connect
. Net::HTTPS
does not support SNI yet, and open-uri doesn't.
签出httpclient开发存储库应该支持SNI。
Checking out httpclient development repository should support SNI.
- https://github.com/nahi/httpclient
如果您现在需要快速发布宝石,请告诉我。 ..
Let me know if you need released gem real soon now...
这篇关于Net :: HTTP中的服务器名称指示支持?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!