Class: HTTPAccess2::SSLConfig
- Inherits:
Object
- Object
- HTTPAccess2::SSLConfig
- Defined in:
- lib/reap/vendor/http-access2.rb
Overview
HTTPAccess2::SSLConfig – SSL configuration of a client.
Instance Attribute Summary
#cert_store ⇒ Object
Don’t use if you don’t know what it is.
#ciphers ⇒ Object
Returns the value of attribute ciphers.
#client_ca ⇒ Object
Returns the value of attribute client_ca.
#client_cert ⇒ Object
:nodoc:.
#client_key ⇒ Object
Returns the value of attribute client_key.
#options ⇒ Object
Returns the value of attribute options.
#timeout ⇒ Object
Returns the value of attribute timeout.
#verify_callback ⇒ Object
Returns the value of attribute verify_callback.
#verify_depth ⇒ Object
Returns the value of attribute verify_depth.
#verify_mode ⇒ Object
Returns the value of attribute verify_mode.
Instance Method Summary
#default_verify_callback(is_ok, ctx) ⇒ Object
Default callback for verification: only dumps error.
#initialize(client) ⇒ SSLConfig
constructor
A new instance of SSLConfig.
#post_connection_check(peer_cert, hostname) ⇒ Object
This definition must match the one in ext/openssl/lib/openssl/ssl.rb.
#sample_verify_callback(is_ok, ctx) ⇒ Object
Sample callback method: CAUTION: does not check CRL/ARL.
- #set_client_cert_file(cert_file, key_file) ⇒ Object
#set_context(ctx) ⇒ Object
Interface for SSLSocketWrap.
- #set_crl(crl_file) ⇒ Object
- #set_trust_ca(trust_ca_file_or_hashed_dir) ⇒ Object
Constructor Details
#initialize(client) ⇒ SSLConfig
Returns a new instance of SSLConfig.
# File 'lib/reap/vendor/http-access2.rb', line 508
# Builds the SSL configuration for +client+ with the library defaults:
# an empty OpenSSL::X509::Store, peer verification required
# (VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT), no client credentials,
# no timeout, OP_ALL | OP_NO_SSLv2 as option bits when the running
# OpenSSL exposes OP_ALL, and a fixed cipher list.
# When SSLEnabled is false nothing is initialised.
#
# NOTE(review): the default cipher list and the SSLv2-only exclusion date
# from this library's era; compare them with current guidance before
# relying on them.
def initialize(client)
  return unless SSLEnabled
  @client = client
  @cert_store = OpenSSL::X509::Store.new
  # No client-side credentials until set_client_cert_file is called.
  @client_cert = nil
  @client_key = nil
  @client_ca = nil
  # Verification defaults handed to the SSLContext by set_context.
  @verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
  @verify_depth = nil
  @verify_callback = nil
  @dest = nil
  @timeout = nil
  @options = if defined?(OpenSSL::SSL::OP_ALL)
               OpenSSL::SSL::OP_ALL | OpenSSL::SSL::OP_NO_SSLv2
             else
               nil
             end
  @ciphers = "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"
end
Instance Attribute Details
#cert_store ⇒ Object
Don’t use if you don’t know what it is.
# File 'lib/reap/vendor/http-access2.rb', line 506
# The OpenSSL::X509::Store holding the trust anchors and CRLs added by
# set_trust_ca / set_crl; set_context hands it to the SSLContext.
# Don’t use if you don’t know what it is.
def cert_store
  @cert_store
end
#ciphers ⇒ Object
Returns the value of attribute ciphers.
# File 'lib/reap/vendor/http-access2.rb', line 504
# OpenSSL cipher-list string assigned to ctx.ciphers by set_context;
# initialize defaults it to "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH".
def ciphers
  @ciphers
end
#client_ca ⇒ Object
Returns the value of attribute client_ca.
# File 'lib/reap/vendor/http-access2.rb', line 496
# Client CA value assigned to ctx.client_ca by set_context; nil by default.
def client_ca
  @client_ca
end
#client_cert ⇒ Object
:nodoc:
# File 'lib/reap/vendor/http-access2.rb', line 494
# Client certificate loaded by set_client_cert_file (nil until then);
# set_context assigns it to ctx.cert.
def client_cert
  @client_cert
end
#client_key ⇒ Object
Returns the value of attribute client_key.
# File 'lib/reap/vendor/http-access2.rb', line 495
# Private key loaded by set_client_cert_file (nil until then);
# set_context assigns it to ctx.key.
def client_key
  @client_key
end
#options ⇒ Object
Returns the value of attribute options.
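# File 'lib/reap/vendor/http-access2.rb', line 503
# OpenSSL option bits (OpenSSL::SSL::OP_*) assigned to ctx.options by
# set_context; initialize defaults them to OP_ALL | OP_NO_SSLv2 when
# OP_ALL is defined, else nil.
# (The rendered listing had lost the method name; restored as +options+,
# the attribute this accessor documents.)
def options
  @options
end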
#timeout ⇒ Object
Returns the value of attribute timeout.
# File 'lib/reap/vendor/http-access2.rb', line 502
# Value assigned to ctx.timeout by set_context; nil by default.
def timeout
  @timeout
end
#verify_callback ⇒ Object
Returns the value of attribute verify_callback.
# File 'lib/reap/vendor/http-access2.rb', line 500
# Caller-supplied verification callback; when nil, set_context installs
# default_verify_callback on the SSLContext instead.
def verify_callback
  @verify_callback
end
#verify_depth ⇒ Object
Returns the value of attribute verify_depth.
# File 'lib/reap/vendor/http-access2.rb', line 499
# Maximum certificate-chain depth; set_context assigns it to the
# SSLContext only when non-nil.
def verify_depth
  @verify_depth
end
#verify_mode ⇒ Object
Returns the value of attribute verify_mode.
# File 'lib/reap/vendor/http-access2.rb', line 498
# OpenSSL::SSL::VERIFY_* bits assigned to ctx.verify_mode by set_context;
# initialize defaults them to VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT.
def verify_mode
  @verify_mode
end
Instance Method Details
#default_verify_callback(is_ok, ctx) ⇒ Object
Default callback for verification: only dumps error.
# File 'lib/reap/vendor/http-access2.rb', line 642
# Default verification callback: reports a failed step on STDERR (and
# traces every step on STDOUT when $DEBUG is set), then returns +is_ok+
# unchanged, so OpenSSL's own verdict is never overridden here.
#
# is_ok:: verdict OpenSSL computed for the certificate at ctx.current_cert
# ctx::   store context; error_depth, error and error_string are read on failure
def default_verify_callback(is_ok, ctx)
  puts "#{ is_ok ? 'ok' : 'ng' }: #{ctx.current_cert.subject}" if $DEBUG
  unless is_ok
    STDERR.puts "at depth #{ctx.error_depth} - #{ctx.error}: #{ctx.error_string}"
  end
  is_ok
end
#post_connection_check(peer_cert, hostname) ⇒ Object
This definition must match the one in ext/openssl/lib/openssl/ssl.rb.
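# File 'lib/reap/vendor/http-access2.rb', line 615
# Checks that +peer_cert+ was issued for +hostname+. Modelled on
# verify_certificate_identity in ext/openssl/lib/openssl/ssl.rb, with the
# wildcard handling tightened to the RFC 6125 rule (see dns_name_match?):
# the previous code turned every "*" in a name into "[^.]+", so names such
# as "f*o.example.com" or "*.*.example.com" were honoured as wildcards.
#
# subjectAltName takes precedence: once the certificate carries any DNS or
# IP Address entry, the subject CN is not consulted. A DNS entry is
# compared case-insensitively with wildcard support; an IP Address entry
# must equal +hostname+ textually; the CN fallback is an exact,
# case-insensitive comparison (no wildcards).
#
# Returns true on a match and raises OpenSSL::SSL::SSLError otherwise.
def post_connection_check(peer_cert, hostname)
  check_common_name = true
  peer_cert.extensions.each do |ext|
    next unless ext.oid == "subjectAltName"
    ext.value.split(/,\s+/).each do |general_name|
      if (dns = /\ADNS:(.*)/.match(general_name))
        check_common_name = false
        return true if dns_name_match?(dns[1], hostname)
      elsif (ip = /\AIP Address:(.*)/.match(general_name))
        check_common_name = false
        return true if ip[1] == hostname
      end
    end
  end
  if check_common_name
    peer_cert.subject.to_a.each do |oid, value, _type|
      return true if oid == "CN" && value.casecmp(hostname) == 0
    end
  end
  raise OpenSSL::SSL::SSLError, "hostname not match"
end

# Compares one subjectAltName dNSName +presented+ with +hostname+,
# case-insensitively. A "*" is honoured only when it is the entire
# left-most label, and it then matches exactly one label (RFC 6125
# section 6.4.3): "*.example.com" matches "foo.example.com" but neither
# "bar.foo.example.com" nor "example.com". A "*" anywhere else is compared
# literally, so such a name does not match a real hostname.
def dns_name_match?(presented, hostname)
  if presented.start_with?("*.") && !presented[2..-1].include?("*")
    suffix = Regexp.escape(presented[2..-1])
    /\A[^.]+\.#{suffix}\z/i === hostname
  else
    presented.casecmp(hostname) == 0
  end
end
private :dns_name_match?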
#sample_verify_callback(is_ok, ctx) ⇒ Object
Sample callback method: CAUTION: does not check CRL/ARL.
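# File 'lib/reap/vendor/http-access2.rb', line 656
# Sample verify callback. CAUTION: does not check CRL/ARL.
#
# Rejects the certificate when OpenSSL already rejected it (+is_ok+ false).
# Otherwise accepts it when it is self-signed, flagged as a CA, or usable
# for server authentication according to its extensions; rejects it when
# none of those hold.
#
# is_ok:: OpenSSL's verdict for ctx.current_cert; false is final here
# ctx::   store context (current_cert, error_depth, error, error_string)
#
# The extension checks run in certificate order and each one overwrites
# the +ca+ / +server_auth+ flags left by an earlier one, so the last
# relevant extension wins; +server_auth+ starts out true, so a certificate
# without keyUsage/extendedKeyUsage/nsCertType is accepted. Fix over the
# original: basicConstraints is parsed whether or not a ", pathlen:N"
# suffix is present (OpenSSL prints plain "CA:TRUE" when no pathlen is
# set), where before a missing pathlen silently yielded ca = false.
def sample_verify_callback(is_ok, ctx)
  unless is_ok
    STDERR.puts "at depth #{ctx.error_depth} - #{ctx.error}: #{ctx.error_string}" if $DEBUG
    return false
  end
  cert = ctx.current_cert
  ca = false
  server_auth = true
  self_signed = (cert.subject.cmp(cert.issuer) == 0)
  # Check extensions whatever their criticality is. (sample)
  cert.extensions.each do |ex|
    case ex.oid
    when 'basicConstraints'
      # pathlen is optional; an unparseable value counts as "not a CA".
      m = /CA:(TRUE|FALSE)(?:, pathlen:\d+)?/.match(ex.value)
      ca = !m.nil? && m[1] == 'TRUE'
    when 'keyUsage'
      usage = ex.value.split(/\s*,\s*/)
      ca = usage.include?('Certificate Sign')
      server_auth = usage.include?('Key Encipherment')
    when 'extendedKeyUsage'
      usage = ex.value.split(/\s*,\s*/)
      server_auth = usage.include?('Netscape Server Gated Crypto')
    when 'nsCertType'
      usage = ex.value.split(/\s*,\s*/)
      ca = usage.include?('SSL CA')
      server_auth = usage.include?('SSL Server')
    end
  end
  if self_signed
    STDERR.puts 'self signing CA' if $DEBUG
    true
  elsif ca
    STDERR.puts 'middle level CA' if $DEBUG
    true
  elsif server_auth
    STDERR.puts 'for server authentication' if $DEBUG
    true
  else
    false
  end
end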
#set_client_cert_file(cert_file, key_file) ⇒ Object
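# File 'lib/reap/vendor/http-access2.rb', line 524
# Loads the client certificate and private key that set_context will
# install as ctx.cert / ctx.key, then notifies the client of the change.
#
# cert_file:: path to an X.509 certificate (PEM or DER)
# key_file::  path to the matching private key; any key type that
#             OpenSSL::PKey.read understands is accepted (the original
#             parsed RSA keys only)
#
# Raises Errno::ENOENT when a file is missing and an OpenSSL error
# (OpenSSL::X509::CertificateError / OpenSSL::PKey::PKeyError) when a file
# does not parse.
def set_client_cert_file(cert_file, key_file)
  # File.read closes the handle; File.open(...).read left it open until GC.
  @client_cert = OpenSSL::X509::Certificate.new(File.read(cert_file))
  @client_key = OpenSSL::PKey.read(File.read(key_file))
  change_notify
end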
#set_context(ctx) ⇒ Object
Interface for SSLSocketWrap.
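# File 'lib/reap/vendor/http-access2.rb', line 599
# Interface for SSLSocketWrap: copies this configuration onto the
# OpenSSL::SSL::SSLContext +ctx+ the wrapper is about to use.
# nil attributes are assigned as-is, except verify_depth (assigned only
# when set) and verify_callback (falls back to default_verify_callback).
# (The rendered listing had lost the attribute name on the options line;
# restored as +ctx.options = @options+, matching the +options+ accessor.)
def set_context(ctx)
  # Verification: Use Store#verify_callback instead of SSLContext#verify*?
  ctx.cert_store = @cert_store
  ctx.verify_mode = @verify_mode
  ctx.verify_depth = @verify_depth if @verify_depth
  ctx.verify_callback = @verify_callback || method(:default_verify_callback)
  # SSL config
  ctx.cert = @client_cert
  ctx.key = @client_key
  ctx.client_ca = @client_ca
  ctx.timeout = @timeout
  ctx.options = @options
  ctx.ciphers = @ciphers
end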
#set_crl(crl_file) ⇒ Object
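# File 'lib/reap/vendor/http-access2.rb', line 539
# Adds the CRL in +crl_file+ to the certificate store, switches the store
# to CRL checking for the whole chain (V_FLAG_CRL_CHECK | V_FLAG_CRL_CHECK_ALL),
# and notifies the client of the change.
#
# NOTE(review): with these flags OpenSSL expects a CRL to be available for
# each issuer it checks; presumably verification fails for chains whose
# issuers have no CRL in the store — confirm before enabling in production.
#
# Raises Errno::ENOENT when the file is missing and OpenSSL::X509::CRLError
# when it does not parse.
def set_crl(crl_file)
  # File.read closes the handle; File.open(...).read left it open until GC.
  crl = OpenSSL::X509::CRL.new(File.read(crl_file))
  @cert_store.add_crl(crl)
  @cert_store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK | OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
  change_notify
end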
#set_trust_ca(trust_ca_file_or_hashed_dir) ⇒ Object
# File 'lib/reap/vendor/http-access2.rb', line 530
# Registers trust anchors with the certificate store and notifies the
# client of the change.
#
# trust_ca_file_or_hashed_dir:: a directory (added with Store#add_path,
#                               i.e. OpenSSL's hashed-directory layout)
#                               or a single CA file (Store#add_file)
def set_trust_ca(trust_ca_file_or_hashed_dir)
  location = trust_ca_file_or_hashed_dir
  if File.directory?(location)
    @cert_store.add_path(location)
  else
    @cert_store.add_file(location)
  end
  change_notify
end