Class: HTTPAccess2::SSLConfig
- Defined in:
- lib/http-access2.rb
Overview
HTTPAccess2::SSLConfig – SSL configuration of a client.
Instance Attribute Summary
-
#cert_store ⇒ Object
Do not use this unless you know what it is.
-
#ciphers ⇒ Object
Returns the value of attribute ciphers.
-
#client_ca ⇒ Object
Returns the value of attribute client_ca.
-
#client_cert ⇒ Object
:nodoc:.
-
#client_key ⇒ Object
Returns the value of attribute client_key.
-
#options ⇒ Object
Returns the value of attribute options.
-
#timeout ⇒ Object
Returns the value of attribute timeout.
-
#verify_callback ⇒ Object
Returns the value of attribute verify_callback.
-
#verify_depth ⇒ Object
Returns the value of attribute verify_depth.
-
#verify_mode ⇒ Object
Returns the value of attribute verify_mode.
Instance Method Summary
-
#default_verify_callback(is_ok, ctx) ⇒ Object
Default callback for verification: it only reports the error.
-
#initialize(client) ⇒ SSLConfig
constructor
A new instance of SSLConfig.
-
#post_connection_check(peer_cert, hostname) ⇒ Object
This definition must match the one in ext/openssl/lib/openssl/ssl.rb.
-
#sample_verify_callback(is_ok, ctx) ⇒ Object
Sample callback method. CAUTION: it does not check CRL/ARL.
- #set_client_cert_file(cert_file, key_file) ⇒ Object
-
#set_context(ctx) ⇒ Object
Interface for SSLSocketWrap.
- #set_crl(crl_file) ⇒ Object
- #set_trust_ca(trust_ca_file_or_hashed_dir) ⇒ Object
Constructor Details
#initialize(client) ⇒ SSLConfig
Returns a new instance of SSLConfig.
# File 'lib/http-access2.rb', line 506
# Builds the SSL configuration for +client+ with the library defaults:
# an empty X509 store, no client certificate/key/CA, peer verification
# required (VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT), no explicit verify
# depth or callback, no timeout, OP_ALL with SSLv2 switched off when the
# OpenSSL binding exposes OP_ALL (nil otherwise), and the cipher list
# "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH".  Note that only SSLv2 is disabled
# here and the cipher string only excludes anonymous DH, LOW, EXPORT and
# MD5 suites; everything else OpenSSL offers stays enabled.
#
# Does nothing when SSLEnabled is false, leaving every ivar unset.
#
# @param client [Object] owning client, kept in @client
def initialize(client)
  return unless SSLEnabled
  @client = client
  @cert_store = OpenSSL::X509::Store.new
  @client_cert = nil
  @client_key = nil
  @client_ca = nil
  # Demand a peer certificate and fail the handshake without one.
  @verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
  @verify_depth = nil
  @verify_callback = nil
  @dest = nil
  @timeout = nil
  @options = nil
  if defined?(OpenSSL::SSL::OP_ALL)
    # OP_ALL is OpenSSL's bug-workaround set; SSLv2 is additionally refused.
    @options = OpenSSL::SSL::OP_ALL | OpenSSL::SSL::OP_NO_SSLv2
  end
  @ciphers = "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"
end
Instance Attribute Details
#cert_store ⇒ Object
Do not use this unless you know what it is.
# File 'lib/http-access2.rb', line 504
# Trust store handed to the SSLContext by #set_context; #set_trust_ca and
# #set_crl populate it.  Don't use if you don't know what it is.
#
# @return [OpenSSL::X509::Store]
def cert_store
  @cert_store
end
#ciphers ⇒ Object
Returns the value of attribute ciphers.
# File 'lib/http-access2.rb', line 502
# OpenSSL cipher list string passed to SSLContext#ciphers= by #set_context;
# defaults to "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH".
#
# @return [String]
def ciphers
  @ciphers
end
#client_ca ⇒ Object
Returns the value of attribute client_ca.
# File 'lib/http-access2.rb', line 494
# Value forwarded to SSLContext#client_ca= by #set_context; nil by default.
#
# @return [Object, nil]
def client_ca
  @client_ca
end
#client_cert ⇒ Object
:nodoc:
# File 'lib/http-access2.rb', line 492
# Client certificate loaded by #set_client_cert_file and forwarded to
# SSLContext#cert= by #set_context; nil until a certificate file is set.
#
# @return [OpenSSL::X509::Certificate, nil]
def client_cert
  @client_cert
end
#client_key ⇒ Object
Returns the value of attribute client_key.
# File 'lib/http-access2.rb', line 493
# Private key loaded by #set_client_cert_file (RSA only) and forwarded to
# SSLContext#key= by #set_context; nil until a key file is set.
#
# @return [OpenSSL::PKey::RSA, nil]
def client_key
  @client_key
end
#options ⇒ Object
Returns the value of attribute options.
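# File 'lib/http-access2.rb', line 501
# OpenSSL option bits forwarded to SSLContext#options= by #set_context;
# OP_ALL | OP_NO_SSLv2 by default when OP_ALL is available, else nil.
#
# @return [Integer, nil]
def options
  @options
end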
#timeout ⇒ Object
Returns the value of attribute timeout.
# File 'lib/http-access2.rb', line 500
# Value forwarded to SSLContext#timeout= by #set_context; nil by default.
#
# @return [Object, nil]
def timeout
  @timeout
end
#verify_callback ⇒ Object
Returns the value of attribute verify_callback.
# File 'lib/http-access2.rb', line 498
# Custom certificate verification callback.  When nil (the default),
# #set_context installs #default_verify_callback instead.
#
# @return [#call, nil]
def verify_callback
  @verify_callback
end
#verify_depth ⇒ Object
Returns the value of attribute verify_depth.
# File 'lib/http-access2.rb', line 497
# Maximum chain depth handed to SSLContext#verify_depth= by #set_context;
# only applied when non-nil (nil by default).
#
# @return [Integer, nil]
def verify_depth
  @verify_depth
end
#verify_mode ⇒ Object
Returns the value of attribute verify_mode.
# File 'lib/http-access2.rb', line 496
# Verification mode bits handed to SSLContext#verify_mode= by #set_context;
# defaults to VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT.
#
# @return [Integer]
def verify_mode
  @verify_mode
end
Instance Method Details
#default_verify_callback(is_ok, ctx) ⇒ Object
Default callback for verification: it only reports the error.
# File 'lib/http-access2.rb', line 640
# Default callback for verification: only reports the error.
#
# Under $DEBUG every certificate's verdict and subject is printed to
# stdout.  A failed certificate is reported on STDERR with its chain depth,
# OpenSSL error code and message.  The verdict itself is never altered.
#
# @param is_ok [Boolean] OpenSSL's verdict for the current certificate
# @param ctx [OpenSSL::X509::StoreContext] verification context
# @return [Boolean] +is_ok+, unchanged
def default_verify_callback(is_ok, ctx)
  puts "#{is_ok ? 'ok' : 'ng'}: #{ctx.current_cert.subject}" if $DEBUG
  unless is_ok
    STDERR.puts "at depth #{ctx.error_depth} - #{ctx.error}: #{ctx.error_string}"
  end
  is_ok
end
#post_connection_check(peer_cert, hostname) ⇒ Object
This definition must match the one in ext/openssl/lib/openssl/ssl.rb.
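# File 'lib/http-access2.rb', line 613
# Checks that +peer_cert+ was issued for +hostname+.
#
# subjectAltName entries take precedence: once the certificate carries any
# DNS or IP Address name, the subject Common Name is not consulted at all.
# DNS names are compared case-insensitively; a wildcard is accepted only as
# the whole leftmost label of a name with at least three labels and matches
# exactly one non-empty hostname label (see #dns_name_match?).  IP Address
# names must equal +hostname+ textually.  Without any DNS/IP SAN, any "CN"
# component of the subject is compared case-insensitively.
#
# this definition must match with the one in ext/openssl/lib/openssl/ssl.rb
#
# @param peer_cert [OpenSSL::X509::Certificate] certificate presented by the peer
# @param hostname [String] host the client meant to reach
# @return [true] when some name in the certificate matches +hostname+
# @raise [OpenSSL::SSL::SSLError] when nothing matches
def post_connection_check(peer_cert, hostname)
  check_common_name = true
  peer_cert.extensions.each do |ext|
    next if ext.oid != "subjectAltName"
    ext.value.split(/,\s+/).each do |general_name|
      if /\ADNS:(.*)/ =~ general_name
        check_common_name = false
        return true if dns_name_match?(Regexp.last_match(1), hostname)
      elsif /\AIP Address:(.*)/ =~ general_name
        check_common_name = false
        return true if Regexp.last_match(1) == hostname
      end
    end
  end
  if check_common_name
    peer_cert.subject.to_a.each do |oid, value, _type|
      return true if oid == "CN" && value.casecmp(hostname) == 0
    end
  end
  raise OpenSSL::SSL::SSLError, "hostname not match"
end

# Matches one DNS-type subjectAltName value against +hostname+.
#
# Plain names are compared case-insensitively.  A wildcard is accepted only
# as the complete leftmost label ("*.example.com"), only once, and only when
# the pattern keeps at least two fixed labels, so "*.com", "www.*.com" and
# "f*.example.com" never match; the wildcard label stands for exactly one
# non-empty hostname label.
#
# @param pattern [String] the DNS: value taken from the certificate
# @param hostname [String] host the client meant to reach
# @return [Boolean]
def dns_name_match?(pattern, hostname)
  return pattern.casecmp(hostname) == 0 unless pattern.include?("*")
  labels = pattern.split(".", -1)
  host_labels = hostname.split(".", -1)
  # Expanding a wildcard anywhere else would let one certificate cover
  # unrelated names, so such patterns are refused rather than widened.
  return false if labels.first != "*" || labels.size < 3
  return false if labels.drop(1).any? { |label| label.include?("*") }
  return false if host_labels.size != labels.size || host_labels.first.empty?
  labels.drop(1).zip(host_labels.drop(1)).all? { |want, got| want.casecmp(got) == 0 }
end
private :dns_name_match?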
#sample_verify_callback(is_ok, ctx) ⇒ Object
Sample callback method. CAUTION: it does not check CRL/ARL.
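# File 'lib/http-access2.rb', line 654
# Sample callback method: CAUTION: does not check CRL/ARL.
#
# Returns false straight away when OpenSSL's own verification already failed
# (+is_ok+ false), reporting depth/code/message on STDERR under $DEBUG.
# Otherwise the current certificate is accepted when it is self-signed,
# marked as a CA, or usable for server authentication; those flags come
# from the basicConstraints, keyUsage, extendedKeyUsage and nsCertType
# extensions, each later extension overriding what an earlier one set.  A
# non-self-signed certificate with no usage extension at all is treated as
# a server certificate.
#
# @param is_ok [Boolean] OpenSSL's verdict for the current certificate
# @param ctx [OpenSSL::X509::StoreContext] verification context
# @return [Boolean] whether the certificate is accepted
def sample_verify_callback(is_ok, ctx)
  unless is_ok
    STDERR.puts "at depth #{ctx.error_depth} - #{ctx.error}: #{ctx.error_string}" if $DEBUG
    return false
  end
  cert = ctx.current_cert
  ca = false
  server_auth = true
  self_signed = (cert.subject.cmp(cert.issuer) == 0)
  # Check extensions whatever its criticality is. (sample)
  cert.extensions.each do |ex|
    case ex.oid
    when 'basicConstraints'
      # OpenSSL renders this as "CA:TRUE" with an optional ", pathlen:N";
      # requiring the suffix would miss every CA without a path limit.
      m = /CA:(TRUE|FALSE)(?:, pathlen:(\d+))?/.match(ex.value)
      ca = !m.nil? && m[1] == 'TRUE'
    when 'keyUsage'
      usage = ex.value.split(/\s*,\s*/)
      ca = usage.include?('Certificate Sign')
      server_auth = usage.include?('Key Encipherment')
    when 'extendedKeyUsage'
      usage = ex.value.split(/\s*,\s*/)
      # OpenSSL names the serverAuth purpose 'TLS Web Server Authentication'.
      server_auth = usage.include?('TLS Web Server Authentication') ||
                    usage.include?('Netscape Server Gated Crypto')
    when 'nsCertType'
      usage = ex.value.split(/\s*,\s*/)
      ca = usage.include?('SSL CA')
      server_auth = usage.include?('SSL Server')
    end
  end
  if self_signed
    STDERR.puts 'self signing CA' if $DEBUG
    return true
  elsif ca
    STDERR.puts 'middle level CA' if $DEBUG
    return true
  elsif server_auth
    STDERR.puts 'for server authentication' if $DEBUG
    return true
  end
  false
end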
#set_client_cert_file(cert_file, key_file) ⇒ Object
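# File 'lib/http-access2.rb', line 522
# Loads the client certificate and its private key from files and notifies
# the client that the SSL configuration changed.  Only RSA keys are
# accepted, as the key is parsed with OpenSSL::PKey::RSA.
#
# @param cert_file [String] path of the client certificate
# @param key_file [String] path of the matching RSA private key
# @raise [Errno::ENOENT] when either file does not exist
# @raise [OpenSSL::X509::CertificateError] when the certificate cannot be parsed
# @raise [OpenSSL::PKey::RSAError] when the key cannot be parsed
def set_client_cert_file(cert_file, key_file)
  # File.read closes the descriptor; File.open(...).read left it to the GC.
  @client_cert = OpenSSL::X509::Certificate.new(File.read(cert_file))
  @client_key = OpenSSL::PKey::RSA.new(File.read(key_file))
  change_notify
end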
#set_context(ctx) ⇒ Object
Interface for SSLSocketWrap.
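# File 'lib/http-access2.rb', line 597
# Copies this configuration into an SSLContext (interface for SSLSocketWrap).
#
# Verification settings are applied first: the trust store, verify mode,
# verify depth (only when set) and the verify callback, which falls back to
# #default_verify_callback.  Then the client certificate, key and CA, the
# timeout, the option bits and the cipher list are assigned as-is.
#
# @param ctx [OpenSSL::SSL::SSLContext] context to configure in place
def set_context(ctx)
  # Verification: Use Store#verify_callback instead of SSLContext#verify*?
  ctx.cert_store = @cert_store
  ctx.verify_mode = @verify_mode
  ctx.verify_depth = @verify_depth if @verify_depth
  ctx.verify_callback = @verify_callback || method(:default_verify_callback)
  # SSL config
  ctx.cert = @client_cert
  ctx.key = @client_key
  ctx.client_ca = @client_ca
  ctx.timeout = @timeout
  ctx.options = @options
  ctx.ciphers = @ciphers
end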
#set_crl(crl_file) ⇒ Object
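# File 'lib/http-access2.rb', line 537
# Adds a CRL from +crl_file+ to the trust store, turns on CRL checking for
# the whole chain, and notifies the client that the configuration changed.
#
# @param crl_file [String] path of the CRL (PEM or DER)
# @raise [Errno::ENOENT] when the file does not exist
# @raise [OpenSSL::X509::CRLError] when the file cannot be parsed as a CRL
def set_crl(crl_file)
  # File.read closes the descriptor; File.open(...).read left it to the GC.
  crl = OpenSSL::X509::CRL.new(File.read(crl_file))
  @cert_store.add_crl(crl)
  # V_FLAG_CRL_CHECK covers the leaf; V_FLAG_CRL_CHECK_ALL extends it to
  # every CA in the chain.
  @cert_store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK | OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
  change_notify
end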
#set_trust_ca(trust_ca_file_or_hashed_dir) ⇒ Object
# File 'lib/http-access2.rb', line 528
# Adds trusted CA certificates to the store and notifies the client that
# the configuration changed.
#
# @param trust_ca_file_or_hashed_dir [String] either a single certificate
#   file (loaded with Store#add_file) or a hashed certificate directory
#   (loaded with Store#add_path)
def set_trust_ca(trust_ca_file_or_hashed_dir)
  path = trust_ca_file_or_hashed_dir
  loader = FileTest.directory?(path) ? :add_path : :add_file
  @cert_store.public_send(loader, path)
  change_notify
end