Class: HTTPClient::SSLConfig
- Inherits:
-
Object
- Object
- HTTPClient::SSLConfig
- Defined in:
- lib/httpclient.rb
Overview
HTTPClient::SSLConfig – SSL configuration of a client.
Instance Attribute Summary
-
#cert_store ⇒ Object
don’t use if you don’t know what it is.
-
#ciphers ⇒ Object
Returns the value of attribute ciphers.
-
#client_ca ⇒ Object
Returns the value of attribute client_ca.
-
#client_cert ⇒ Object
:nodoc:.
-
#client_key ⇒ Object
Returns the value of attribute client_key.
-
#options ⇒ Object
Returns the value of attribute options.
-
#timeout ⇒ Object
Returns the value of attribute timeout.
-
#verify_callback ⇒ Object
Returns the value of attribute verify_callback.
-
#verify_depth ⇒ Object
Returns the value of attribute verify_depth.
-
#verify_mode ⇒ Object
Returns the value of attribute verify_mode.
Instance Method Summary
- #clear_cert_store ⇒ Object
-
#default_verify_callback(is_ok, ctx) ⇒ Object
Default callback for verification: only dumps error.
-
#initialize(client) ⇒ SSLConfig
constructor
A new instance of SSLConfig.
-
#post_connection_check(peer_cert, hostname) ⇒ Object
this definition must match with the one in ext/openssl/lib/openssl/ssl.rb.
-
#sample_verify_callback(is_ok, ctx) ⇒ Object
Sample callback method: CAUTION: does not check CRL/ARL.
- #set_client_cert_file(cert_file, key_file) ⇒ Object
-
#set_context(ctx) ⇒ Object
interfaces for SSLSocketWrap.
- #set_crl(crl_file) ⇒ Object
- #set_trust_ca(trust_ca_file_or_hashed_dir) ⇒ Object
Constructor Details
#initialize(client) ⇒ SSLConfig
Returns a new instance of SSLConfig.
# File 'lib/httpclient.rb', line 141
# Builds the SSL configuration for +client+ with the library defaults.
#
# When the SSLEnabled constant (defined elsewhere in the file) is false no
# attribute is initialised at all, so every reader on this class returns nil.
#
# @param client [HTTPClient] owning client, kept in @client
def initialize(client)
  return unless SSLEnabled
  @client = client
  @cert_store = OpenSSL::X509::Store.new
  # Client-side authentication material is opt-in (see set_client_cert_file).
  @client_cert = nil
  @client_key = nil
  @client_ca = nil
  # Peer certificates are verified by default. Per OpenSSL's documentation
  # VERIFY_FAIL_IF_NO_PEER_CERT only has an effect in server mode, so for this
  # client it is VERIFY_PEER that does the work.
  @verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
  @verify_depth = nil
  @verify_callback = nil
  @dest = nil # not referenced by any method shown on this page
  @timeout = nil
  # OP_NO_SSLv2 is the only protocol exclusion applied here; whether SSLv3 or
  # any TLS version is accepted is left to the linked OpenSSL's defaults.
  @options = nil
  @options = OpenSSL::SSL::OP_ALL | OpenSSL::SSL::OP_NO_SSLv2 if defined?(OpenSSL::SSL::OP_ALL)
  # Excludes anonymous DH, LOW/EXPORT strength and MD5 suites and sorts the
  # rest by strength; everything else that "ALL" expands to in the linked
  # OpenSSL remains negotiable.
  @ciphers = "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"
  load_cacerts
end
Instance Attribute Details
#cert_store ⇒ Object
don’t use if you don’t know what it is.
# File 'lib/httpclient.rb', line 139
# Trust store handed to SSLContext#cert_store= by set_context.
# Populate it through set_trust_ca / set_crl rather than directly.
#
# @return [OpenSSL::X509::Store, nil] nil only when SSL support is disabled
def cert_store
  @cert_store
end
#ciphers ⇒ Object
Returns the value of attribute ciphers.
# File 'lib/httpclient.rb', line 137
# OpenSSL cipher list string applied via SSLContext#ciphers= in set_context;
# the constructor default is "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH".
#
# @return [String, nil]
def ciphers
  @ciphers
end
#client_ca ⇒ Object
Returns the value of attribute client_ca.
# File 'lib/httpclient.rb', line 129
# Value passed to SSLContext#client_ca= in set_context; nil by default and
# not set by any method shown on this page.
#
# @return [Object, nil]
def client_ca
  @client_ca
end
#client_cert ⇒ Object
:nodoc:
# File 'lib/httpclient.rb', line 127
# Certificate presented for client authentication (SSLContext#cert= in
# set_context). nil until set_client_cert_file loads one.
#
# @return [OpenSSL::X509::Certificate, nil]
def client_cert
  @client_cert
end
#client_key ⇒ Object
Returns the value of attribute client_key.
# File 'lib/httpclient.rb', line 128
# Private key matching #client_cert (SSLContext#key= in set_context).
# nil until set_client_cert_file loads one.
#
# @return [OpenSSL::PKey::RSA, nil]
def client_key
  @client_key
end
#options ⇒ Object
Returns the value of attribute options.
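# File 'lib/httpclient.rb', line 136
# OpenSSL::SSL::OP_* bit set applied via SSLContext#options= in set_context.
# The constructor default is OP_ALL | OP_NO_SSLv2 (nil when OP_ALL is not
# defined by the linked OpenSSL).
#
# The method name was lost in the rendered listing ("def @options end");
# it is the reader for @options.
#
# @return [Integer, nil]
def options
  @options
end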
#timeout ⇒ Object
Returns the value of attribute timeout.
# File 'lib/httpclient.rb', line 135
# Value handed to SSLContext#timeout= in set_context; nil by default.
#
# @return [Integer, nil]
def timeout
  @timeout
end
#verify_callback ⇒ Object
Returns the value of attribute verify_callback.
# File 'lib/httpclient.rb', line 133
# Custom verification callback. When nil, set_context installs
# #default_verify_callback, which logs and returns OpenSSL's verdict unchanged.
#
# @return [#call, nil]
def verify_callback
  @verify_callback
end
#verify_depth ⇒ Object
Returns the value of attribute verify_depth.
# File 'lib/httpclient.rb', line 132
# Maximum chain depth; only applied to the context when non-nil (see
# set_context), otherwise OpenSSL's default depth is used.
#
# @return [Integer, nil]
def verify_depth
  @verify_depth
end
#verify_mode ⇒ Object
Returns the value of attribute verify_mode.
# File 'lib/httpclient.rb', line 131
# OpenSSL::SSL::VERIFY_* bit set applied via SSLContext#verify_mode=.
# Defaults to VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT; setting it to
# VERIFY_NONE disables peer certificate validation entirely.
#
# @return [Integer, nil]
def verify_mode
  @verify_mode
end
Instance Method Details
#clear_cert_store ⇒ Object
# File 'lib/httpclient.rb', line 164
# Replaces the trust store with an empty one, discarding every CA and CRL
# added so far (including the bundled CA certificates loaded by the
# constructor), then notifies the owning client of the change.
#
# @return the result of change_notify
def clear_cert_store
  empty_store = OpenSSL::X509::Store.new
  @cert_store = empty_store
  change_notify
end
#default_verify_callback(is_ok, ctx) ⇒ Object
Default callback for verification: only dumps error.
# File 'lib/httpclient.rb', line 282
# Default verification callback installed by set_context when no custom one
# is configured. It only reports: the verdict OpenSSL passed in is returned
# untouched, so a failing chain still fails.
#
# @param is_ok [Boolean] OpenSSL's verdict for the current certificate
# @param ctx [OpenSSL::X509::StoreContext] verification state
# @return [Boolean] +is_ok+ unchanged
def default_verify_callback(is_ok, ctx)
  puts "#{is_ok ? 'ok' : 'ng'}: #{ctx.current_cert.subject}" if $DEBUG
  unless is_ok
    # Error details are always written, not only under $DEBUG.
    STDERR.puts "at depth #{ctx.error_depth} - #{ctx.error}: #{ctx.error_string}"
  end
  is_ok
end
#post_connection_check(peer_cert, hostname) ⇒ Object
this definition must match with the one in ext/openssl/lib/openssl/ssl.rb
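# File 'lib/httpclient.rb', line 254
# Verifies that +hostname+ is one of the names +peer_cert+ was issued for.
#
# subjectAltName DNS and IP entries are consulted first; the subject CN is
# only used as a fallback when the certificate carries no DNS/IP SAN entry.
# Names are compared case-insensitively, label for label. A wildcard is
# honoured only when "*" is the entire leftmost label and at least two labels
# follow it: "*.example.com" matches "www.example.com" but not
# "a.b.example.com", and "*.com", "w*.example.com" or "www.*.com" match
# nothing. The previous expansion of every "*" into "[^.]+" anywhere in the
# name let one certificate cover far more hosts than a wildcard should.
#
# @param peer_cert [OpenSSL::X509::Certificate] certificate presented by the peer
# @param hostname [String] host the client intended to reach
# @return [true] when a SAN or CN entry matches
# @raise [OpenSSL::SSL::SSLError] when no entry matches
def post_connection_check(peer_cert, hostname)
  check_common_name = true
  peer_cert.extensions.each do |ext|
    next if ext.oid != "subjectAltName"
    ext.value.split(/,\s+/).each do |general_name|
      if /\ADNS:(.*)/ =~ general_name
        # Any DNS/IP SAN disables the CN fallback, even if it does not match.
        check_common_name = false
        return true if match_cert_hostname?(Regexp.last_match(1), hostname)
      elsif /\AIP Address:(.*)/ =~ general_name
        check_common_name = false
        return true if Regexp.last_match(1) == hostname
      end
    end
  end
  if check_common_name
    peer_cert.subject.to_a.each do |oid, value, _type|
      next unless oid == "CN"
      return true if match_cert_hostname?(value, hostname)
    end
  end
  raise OpenSSL::SSL::SSLError, "hostname not match"
end

# Matches one certificate name (+pattern+) against +hostname+ as described
# on post_connection_check. Helper only; not part of the public interface.
#
# @param pattern [String, nil] DNS SAN entry or CN value
# @param hostname [String, nil]
# @return [Boolean]
def match_cert_hostname?(pattern, hostname)
  return false if pattern.nil? || pattern.empty? || hostname.nil? || hostname.empty?
  pattern_labels = pattern.downcase.split(".", -1)
  host_labels = hostname.downcase.split(".", -1)
  return pattern_labels == host_labels unless pattern.include?("*")
  # Wildcard: whole leftmost label only, and never directly under the TLD.
  return false unless pattern_labels.first == "*" && pattern_labels.size >= 3
  return false unless host_labels.size == pattern_labels.size && !host_labels.first.empty?
  pattern_labels[1..-1] == host_labels[1..-1]
end
private :match_cert_hostname?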
#sample_verify_callback(is_ok, ctx) ⇒ Object
Sample callback method: CAUTION: does not check CRL/ARL.
# File 'lib/httpclient.rb', line 296
# Sample verification callback. CAUTION: does not check CRL/ARL.
#
# It can only narrow OpenSSL's verdict: when +is_ok+ is false it returns false
# at once, and otherwise it accepts the certificate only if it is self-signed,
# looks like a CA, or looks usable for server authentication. +pathlen+ is
# parsed but never enforced.
#
# @param is_ok [Boolean] OpenSSL's verdict for the current certificate
# @param ctx [OpenSSL::X509::StoreContext] verification state
# @return [Boolean]
def sample_verify_callback(is_ok, ctx)
  unless is_ok
    depth = ctx.error_depth
    code = ctx.error
    msg = ctx.error_string
    STDERR.puts "at depth #{depth} - #{code}: #{msg}" if $DEBUG
    return false
  end
  cert = ctx.current_cert
  self_signed = false
  ca = false
  pathlen = nil
  server_auth = true
  self_signed = (cert.subject.cmp(cert.issuer) == 0)
  # Check extensions whatever its criticality is. (sample)
  # Later extensions overwrite what earlier ones set for +ca+ / +server_auth+.
  cert.extensions.each do |ex|
    case ex.oid
    when 'basicConstraints'
      # A value without ", pathlen:N" (e.g. plain "CA:TRUE") does not match,
      # leaving $1 nil, so +ca+ stays false for such certificates.
      /CA:(TRUE|FALSE), pathlen:(\d+)/ =~ ex.value
      ca = ($1 == 'TRUE')
      pathlen = $2.to_i
    when 'keyUsage'
      usage = ex.value.split(/\s*,\s*/)
      ca = usage.include?('Certificate Sign')
      server_auth = usage.include?('Key Encipherment')
    when 'extendedKeyUsage'
      usage = ex.value.split(/\s*,\s*/)
      server_auth = usage.include?('Netscape Server Gated Crypto')
    when 'nsCertType'
      usage = ex.value.split(/\s*,\s*/)
      ca = usage.include?('SSL CA')
      server_auth = usage.include?('SSL Server')
    end
  end
  if self_signed
    STDERR.puts 'self signing CA' if $DEBUG
    return true
  elsif ca
    STDERR.puts 'middle level CA' if $DEBUG
    return true
  elsif server_auth
    STDERR.puts 'for server authentication' if $DEBUG
    return true
  end
  return false
end
#set_client_cert_file(cert_file, key_file) ⇒ Object
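# File 'lib/httpclient.rb', line 158
# Loads the client certificate and its private key from PEM/DER files for
# client authentication, then notifies the owning client.
#
# File.read closes the descriptor immediately; the previous
# File.open(...).read left it open until garbage collection.
# OpenSSL::PKey.read accepts any supported key type (RSA keys still come
# back as OpenSSL::PKey::RSA, so existing callers are unaffected).
#
# @param cert_file [String] path to the certificate
# @param key_file [String] path to the private key
# @return the result of change_notify
# @raise [Errno::ENOENT, OpenSSL::X509::CertificateError, OpenSSL::PKey::PKeyError]
#   when a file is missing or unparsable
def set_client_cert_file(cert_file, key_file)
  @client_cert = OpenSSL::X509::Certificate.new(File.read(cert_file))
  @client_key = OpenSSL::PKey.read(File.read(key_file))
  change_notify
end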
#set_context(ctx) ⇒ Object
interfaces for SSLSocketWrap.
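# File 'lib/httpclient.rb', line 238
# Interface for SSLSocketWrap: copies this configuration onto +ctx+.
#
# The rendered listing had lost the accessor name in "ctx. = @options";
# it is SSLContext#options=, the counterpart of the #options reader.
#
# @param ctx [OpenSSL::SSL::SSLContext] context about to be used for a connection
# @return [String, nil] value of the last assignment (@ciphers); not meaningful to callers
def set_context(ctx)
  # Verification: Use Store#verify_callback instead of SSLContext#verify*?
  ctx.cert_store = @cert_store
  ctx.verify_mode = @verify_mode
  # nil leaves OpenSSL's default chain depth in place.
  ctx.verify_depth = @verify_depth if @verify_depth
  # Without a custom callback, install the one that only logs and hands
  # OpenSSL's verdict back unchanged.
  ctx.verify_callback = @verify_callback || method(:default_verify_callback)
  # SSL config
  ctx.cert = @client_cert
  ctx.key = @client_key
  ctx.client_ca = @client_ca
  ctx.timeout = @timeout
  ctx.options = @options
  ctx.ciphers = @ciphers
end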
#set_crl(crl_file) ⇒ Object
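# File 'lib/httpclient.rb', line 178
# Adds a CRL to the trust store and turns on CRL checking for the whole
# chain, then notifies the owning client.
#
# File.read closes the descriptor immediately; the previous
# File.open(...).read left it open until garbage collection.
#
# @param crl_file [String] path to a PEM/DER encoded CRL
# @return the result of change_notify
# @raise [Errno::ENOENT, OpenSSL::X509::CRLError] when the file is missing or unparsable
def set_crl(crl_file)
  crl = OpenSSL::X509::CRL.new(File.read(crl_file))
  @cert_store.add_crl(crl)
  # CRL_CHECK_ALL extends the check from the leaf to every certificate in the
  # chain. This assignment replaces any flags set on the store before; with
  # these flags OpenSSL also needs a CRL for each issuer it verifies.
  @cert_store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK | OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
  change_notify
end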
#set_trust_ca(trust_ca_file_or_hashed_dir) ⇒ Object
# File 'lib/httpclient.rb', line 169
# Adds trusted CA material to the store and notifies the owning client.
#
# A directory is passed to Store#add_path (OpenSSL's hashed-directory layout);
# anything else is passed to Store#add_file as a single PEM bundle.
#
# @param trust_ca_file_or_hashed_dir [String] path to a CA bundle or hashed directory
# @return the result of change_notify
def set_trust_ca(trust_ca_file_or_hashed_dir)
  loader = FileTest.directory?(trust_ca_file_or_hashed_dir) ? :add_path : :add_file
  @cert_store.__send__(loader, trust_ca_file_or_hashed_dir)
  change_notify
end