Inconsistency between cert: and cert_pem: parameters to ssl_bind #3172
Comments
If I recall, there has never been parity between 'file based' and 'string based' functions. Or, as you've mentioned, there are two 'file based' functions that will process multiple certs, but there are not equivalent string functions. I think. So, not sure what to do. The docs could be improved. I can't seriously look at this until this weekend...
I like consistency. There's probably not consistency here because the functionality has been contributed by different parties with different needs over time. Maybe you can dive into the git history/PRs and see what you find? I know @stanhu of GitLab recently contributed an SSL related thing (#3133), maybe they have some thoughts on this.
At the time, there wasn't an API for using strings. That was added 27-Oct-2021 with #2728. #3133 added an option to pass a file through a program/script, decrypting the file. The file doesn't contain useful information until it's decrypted.
I took a look at the implementation of I'll give a go at an initial implementation to make
With the patch in the above PR, I now get the same results from the
And the ssl client test
Describe the bug
When using `ssl_bind`, the documentation seems to indicate that the following are equivalent:

File based certs/keys
puma/lib/puma/dsl.rb
Lines 513 to 520 in 763d1a1

String based certs/keys
puma/lib/puma/dsl.rb
Lines 526 to 531 in 763d1a1

This appears to be incorrect.

When `cert:` is passed to `ssl_bind`, inside MiniSSL this file is loaded from disk using `SSL_CTX_use_certificate_chain_file()`:
puma/ext/puma_http11/mini_ssl.c
Lines 272 to 278 in 763d1a1

When `cert_pem:` is passed to `ssl_bind`, inside MiniSSL this file is loaded using a combination of `PEM_read_bio_X509` and `SSL_CTX_use_certificate`:
puma/ext/puma_http11/mini_ssl.c
Lines 300 to 311 in 763d1a1

If the contents of the file at `path_to_cert` is a full chain PEM then:

`cert: path_to_cert` - a fully resolved cert chain is served up by puma
`cert_pem: File.read(path_to_cert)` - results in only the certificate itself being loaded, and not the full chain.

To Reproduce
Take the self contained gist `puma_ssl_test.rb` and run it with ruby. There are 3 different tests:

ruby puma_ssl_test.rb --test files
ruby puma_ssl_test.rb --test strings
ruby puma_ssl_test.rb --test ca

Expected Behavior
I would expect that giving the same contents to `cert_pem:` that were in the file that was given to `cert:` should result in the same level of ssl validation.

ruby puma_ssl_test.rb --test files
And testing the ssl
What I would expect -- full cert chain and notification that the self signed cert is there.

ruby puma_ssl_test.rb --test strings
And testing the ssl
The cert chain is missing.

Observations
It appears that in order to use the `cert_pem:` option and get the same results as using `cert:`, you must also use the `ca:` and `verify_mode:` options.

ruby puma_ssl_test.rb --test ca
And testing results in the same result as using `cert:` with the path to a file.

Questions
`cert_pem:`
`cert:` option that is actually out of spec, and they should both be using `ca:`
`ca_pem:` option for passing a string based ca option so none of them need to read from disk?

Desktop Environment (please complete the following information)
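The difference the report describes can be reproduced with plain Ruby OpenSSL without starting puma at all. The following is an added example, not puma's code and not the reporter's gist: it builds a constructed root -> intermediate -> leaf chain in memory, shows that reading the full-chain string with `OpenSSL::X509::Certificate.new` (which, like `PEM_read_bio_X509`, reads a single certificate) yields only the leaf, and then shows what loading the same string the way `SSL_CTX_use_certificate_chain_file` does looks like: split the PEM into every certificate it holds, check that each one is signed by the next, use the first as the server certificate and the rest as `extra_chain_cert`. All names, keys and the helper functions (`make_cert`, `build_test_chain`, `leaf_only`, `split_pem_chain`, `chain_verifies?`, `build_context`) are assumptions made for this demo.

```ruby
require 'openssl'

# Added example (not puma's code): reproduces the behaviour described in the
# issue with plain Ruby OpenSSL. All keys, names and certificates below are
# constructed for the demo; nothing is read from disk.

# Build one X.509 certificate. issuer_cert/issuer_key are nil for a self-signed root.
def make_cert(subject, key, issuer_cert: nil, issuer_key: nil, ca: false, serial: 1)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Constructed three-level chain: root CA -> intermediate CA -> leaf.
# Returns [fullchain_pem, leaf_key, [leaf, intermediate, root]].
def build_test_chain
  root_key = OpenSSL::PKey::RSA.new(2048)
  int_key  = OpenSSL::PKey::RSA.new(2048)
  leaf_key = OpenSSL::PKey::RSA.new(2048)
  root = make_cert('/CN=Example Test Root CA', root_key, ca: true, serial: 1)
  int  = make_cert('/CN=Example Test Intermediate CA', int_key,
                   issuer_cert: root, issuer_key: root_key, ca: true, serial: 2)
  leaf = make_cert('/CN=localhost', leaf_key,
                   issuer_cert: int, issuer_key: int_key, serial: 3)
  # What a "fullchain.pem" file normally holds: leaf first, then the issuers.
  fullchain_pem = [leaf, int, root].map(&:to_pem).join
  [fullchain_pem, leaf_key, [leaf, int, root]]
end

# Mirrors the cert_pem: path in the issue: PEM_read_bio_X509 reads ONE
# certificate, so a full-chain string yields only the first (leaf) certificate.
def leaf_only(pem)
  OpenSSL::X509::Certificate.new(pem)
end

# Split a full-chain PEM string into every certificate it contains, which is
# what SSL_CTX_use_certificate_chain_file does for the cert: path.
def split_pem_chain(pem)
  pem.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
     .map { |block| OpenSSL::X509::Certificate.new(block) }
end

# True when each certificate is signed by the next one (leaf-first ordering).
def chain_verifies?(certs)
  certs.each_cons(2).all? { |child, parent| child.verify(parent.public_key) }
end

# Load a string chain the way the file path does: leaf as the context cert,
# remaining certificates as the extra chain that is sent to clients.
def build_context(fullchain_pem, leaf_key)
  certs = split_pem_chain(fullchain_pem)
  raise ArgumentError, 'no certificate in PEM string' if certs.empty?
  raise ArgumentError, 'chain is out of order or broken' unless chain_verifies?(certs)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = certs.first
  ctx.key = leaf_key
  ctx.extra_chain_cert = certs.drop(1)
  ctx
end

if __FILE__ == $PROGRAM_NAME
  pem, key, = build_test_chain
  puts "single-cert read: #{leaf_only(pem).subject}"
  puts "chain read:       #{split_pem_chain(pem).map { |c| c.subject.to_s }.join(' <- ')}"
  ctx = build_context(pem, key)
  puts "extra_chain_cert: #{ctx.extra_chain_cert.size} certificate(s)"
end
```

Running the script prints the single subject `/CN=localhost` for the one-certificate read and all three subjects for the split read, and the resulting context carries two extra chain certificates. On a deployed server the same gap shows up from the outside: a client that only receives the leaf cannot build a path to the root unless it already has the intermediate, which is why the reporter's `ca:` plus `verify_mode:` workaround changes the outcome.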