Module: SSLCertificateVerification

Included in:: Bridge::Tcp

Defined in:: lib/ssl_utils.rb

Overview

Verifies that the peer certificate is a valid chained certificate. That is, it’s signed by a root CA or a CA signed by a root CA.

This module will also perform hostname verification against the server’s certificate, but only if an instance variable called @hostname exists.

Class Attribute Summary collapse

.ca_cert_file ⇒ Object

In PEM format.

Instance Method Summary collapse

#ca_store ⇒ Object
#ssl_handshake_completed ⇒ Object
#ssl_verify_peer(cert_string) ⇒ Object

It’s important that we try to not add a certificate to the store that’s already in the store, because OpenSSL::X509::Store will raise an exception.

Class Attribute Details

.ca_cert_file ⇒ `Object`

In PEM format.

Eg: curl.haxx.se/docs/caextract.html



27
28
29

# File 'lib/ssl_utils.rb', line 27

def ca_cert_file
  @ca_cert_file
end

Instance Method Details

#ca_store ⇒ `Object`

# File 'lib/ssl_utils.rb', line 30

def ca_store
  unless @ca_store
    if file = SSLCertificateVerification.ca_cert_file
      @ca_store = OpenSSL::X509::Store.new
      @ca_store.add_file(file)
    else
      fail "you must specify a file with root CA certificates as `SSLCertificateVerification.ca_cert_file'"
    end
  end
  @ca_store
end

#ssl_handshake_completed ⇒ `Object`

# File 'lib/ssl_utils.rb', line 61

def ssl_handshake_completed
  if @hostname
    unless OpenSSL::SSL.verify_certificate_identity(@last_seen_cert, @hostname)
      fail "the hostname `HOSTNAME' does not match the server certificate"
    end
  end
end

#ssl_verify_peer(cert_string) ⇒ `Object`

It’s important that we try to not add a certificate to the store that’s already in the store, because OpenSSL::X509::Store will raise an exception.

# File 'lib/ssl_utils.rb', line 44

def ssl_verify_peer(cert_string)
  cert = OpenSSL::X509::Certificate.new(cert_string)
  # Some servers send the same certificate multiple times. I'm not even joking... (gmail.com)
  return true if cert == @last_seen_cert
  @last_seen_cert = cert

  if ca_store.verify(@last_seen_cert)
    # A server may send the root certifiacte, which we already have and thus
    # should not be added to the store again.
    ca_store.add_cert(@last_seen_cert) unless @last_seen_cert.root?
    true
  else
    fail "unable to verify the server certificate of `#{@hostname}'"
    false
  end
end