
Puma does not load a CA when verification mode is set to :peer #1222

Closed
seanmckinley opened this issue Feb 20, 2017 · 6 comments · Fixed by #2011

@seanmckinley
Steps to reproduce

  1. Configure Puma to accept SSL connections:

key = File.expand_path "./certs/my_key.key"
cert = File.expand_path "./certs/my_cert.crt"
ca = File.expand_path "./certs/my_ca.crt"

ssl_bind "0.0.0.0", 9292, :ca => ca, :cert => cert, :key => key, :verify_mode => :peer

  2. Start Puma, and get the following:
 starting in single mode...
* Version 3.6.2 (ruby 2.3.1-p112), codename: Sleepy Sunday Serenity
* Min threads: 5, max threads: 5
* Environment: production
ERROR: Please specify the SSL ca via 'ca='

Expected behavior

Puma should just start and accept TLS connections.

Actual behavior

Puma exits 1, requesting a CA be specified.

Why it's happening

If the mode is set to verify a peer, it requests a CA:

if ['peer', 'force_peer'].include?(params['verify_mode'])

However, the ssl bind method will not attach a CA param to the URL it generates:
https://github.com/puma/puma/blob/master/lib/puma/dsl.rb#L273

If this is a bug and not just me being dumb/wrong, I have no problem submitting a PR to fix it.

System configuration

Ruby version: ruby 2.3.1p112 (2016-04-26 revision 54768)
Rails version: rails (5.0.1)

@seanmckinley seanmckinley changed the title Puma 3.6.2 will not load a CA when verification mode is set to :peer Puma 3.6.2 does not load a CA when verification mode is set to :peer Feb 20, 2017
@nateberkopec (Member)

Looks like a bug.


fruwe commented May 27, 2017

👍


fruwe commented May 27, 2017

Temporarily, this can be fixed by using bind instead of ssl_bind, like this:

ssl_options = {
  ca: "xxx/yyy.cer",
  cert: "xxx/yyy.crt",
  key: "xxx/yyy.key",
  verify_mode: 'peer',
}

# ssl_bind '0.0.0.0', '443', ssl_options
bind "ssl://0.0.0.0:443?cert=#{ssl_options[:cert]}&key=#{ssl_options[:key]}&verify_mode=#{ssl_options[:verify_mode]}&ca=#{ssl_options[:ca]}"

@MikaelSmith

I'd also like to be able to set both ca and verify_mode (when not using Java as well).


karlwilbur commented Mar 17, 2019

Still not working with ssl_bind as of latest Puma 3.12.0 (I mention it because the title explicitly states 3.6.2):

https://github.com/puma/puma/blob/v3.12.0/lib/puma/dsl.rb#L286-L295

puma/lib/puma/dsl.rb, lines 286 to 295 in f7e1e58:

def ssl_bind(host, port, opts)
  verify = opts.fetch(:verify_mode, 'none')
  if defined?(JRUBY_VERSION)
    keystore_additions = "keystore=#{opts[:keystore]}&keystore-pass=#{opts[:keystore_pass]}"
    bind "ssl://#{host}:#{port}?cert=#{opts[:cert]}&key=#{opts[:key]}&#{keystore_additions}&verify_mode=#{verify}"
  else
    bind "ssl://#{host}:#{port}?cert=#{opts[:cert]}&key=#{opts[:key]}&verify_mode=#{verify}"
  end
end
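The following is an added illustration, not code from Puma or from anyone in this thread. It models, in plain Ruby, the two pieces the issue body's "Why it's happening" section and the ssl_bind snippet quoted above point at: the MRI branch of the DSL method that builds the ssl:// bind URL, and the binder-side guard that refuses :peer / :force_peer without a ca= parameter. The names ssl_bind_url_buggy, ssl_bind_url_fixed, parse_ssl_bind_url and SAMPLE_OPTS, and the certificate paths, are assumptions made for this example; the parser is a simplified stand-in for Puma's own URL handling.

```ruby
# Added illustration (not Puma's own code): a stand-alone model of the MRI
# branch of the ssl_bind DSL method and of the binder check that the issue
# quotes. ssl_bind_url_buggy, ssl_bind_url_fixed, parse_ssl_bind_url and
# SAMPLE_OPTS are names assumed for this example.

# verify_mode values for which the binder insists on a CA
# (the ['peer', 'force_peer'] guard quoted in the issue body).
VERIFY_MODES_NEEDING_CA = %w[peer force_peer].freeze

# As reported: verify_mode is forwarded, but :ca never reaches the URL, so
# the binder later fails with "Please specify the SSL ca via 'ca='".
def ssl_bind_url_buggy(host, port, opts)
  verify = opts.fetch(:verify_mode, "none")
  "ssl://#{host}:#{port}?cert=#{opts[:cert]}&key=#{opts[:key]}&verify_mode=#{verify}"
end

# Corrected builder: append ca=... whenever :ca is given, so that a
# :peer/:force_peer bind carries the trust anchor it needs to check client
# certificates. Values are interpolated verbatim, as in the quoted DSL code.
def ssl_bind_url_fixed(host, port, opts)
  verify = opts.fetch(:verify_mode, "none")
  url = "ssl://#{host}:#{port}?cert=#{opts[:cert]}&key=#{opts[:key]}&verify_mode=#{verify}"
  url += "&ca=#{opts[:ca]}" if opts[:ca]
  url
end

# Model of the binder side: split the query string into params and apply the
# same CA requirement. Returns the params hash, or raises with the message
# seen in the issue.
def parse_ssl_bind_url(url)
  query = url.split("?", 2)[1].to_s
  params = query.split("&").each_with_object({}) do |pair, h|
    k, v = pair.split("=", 2)
    h[k] = v
  end
  if VERIFY_MODES_NEEDING_CA.include?(params["verify_mode"]) &&
     (params["ca"].nil? || params["ca"].empty?)
    raise ArgumentError, "Please specify the SSL ca via 'ca='"
  end
  params
end

# Sample options mirroring the issue's config (constructed paths, not real files).
SAMPLE_OPTS = {
  ca:          "/srv/app/certs/my_ca.crt",
  cert:        "/srv/app/certs/my_cert.crt",
  key:         "/srv/app/certs/my_key.key",
  verify_mode: :peer,
}.freeze

if __FILE__ == $PROGRAM_NAME
  # Run both builders through the binder-side check: the buggy one fails
  # exactly as in the issue, the fixed one is accepted.
  [:ssl_bind_url_buggy, :ssl_bind_url_fixed].each do |builder|
    url = send(builder, "0.0.0.0", 9292, SAMPLE_OPTS)
    begin
      parse_ssl_bind_url(url)
      puts "#{builder}: OK -> #{url}"
    rescue ArgumentError => e
      puts "#{builder}: ERROR: #{e.message}"
    end
  end
end
```

Running the file prints the buggy URL rejected with the issue's exact error and the fixed URL accepted. The fixed builder is the same shape as fruwe's bind workaround above, just folded back into a helper: the only behavioural difference from the quoted ssl_bind is the conditional `&ca=` suffix.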

@nateberkopec nateberkopec changed the title Puma 3.6.2 does not load a CA when verification mode is set to :peer Puma does not load a CA when verification mode is set to :peer Apr 20, 2019
@iovis (Contributor) commented Oct 4, 2019

Can reproduce with Puma 4.2.0, Ruby 2.6.3:

# config.rb
key =  File.expand_path "./certs/my_key.key"
cert = File.expand_path "./certs/my_cert.crt"
ca = File.expand_path "./certs/my_ca.crt"

ssl_bind "0.0.0.0", 9292, :ca => ca, :cert => cert, :key => key, :verify_mode => :peer

I created three empty files for the certs and then ran:

bundle exec bin/puma -C config.rb test/rackup/hello.ru
