Class: HTTPAccess2::SSLConfig
- Inherits: Object
- Defined in:
- lib/rss-client/http-access2.rb
Overview
HTTPAccess2::SSLConfig – SSL configuration of a client: the trust store (CA certificates and CRLs), peer verification mode/depth/callback, the optional client certificate and key, the protocol option flags and the cipher list, all copied onto an OpenSSL::SSL::SSLContext by #set_context. Hostname verification of the peer certificate is done by #post_connection_check.
Instance Attribute Summary
-
#cert_store ⇒ Object
The OpenSSL::X509::Store of trusted CA certificates and CRLs handed to the context as ctx.cert_store. Do not manipulate it directly unless you know what you are doing; use #set_trust_ca, #set_crl and #clear_cert_store instead.
-
#ciphers ⇒ Object
OpenSSL cipher-list string assigned to ctx.ciphers (default "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH").
-
#client_ca ⇒ Object
Returns the value of attribute client_ca.
-
#client_cert ⇒ Object
Client certificate (OpenSSL::X509::Certificate) assigned to ctx.cert; loaded by #set_client_cert_file.
-
#client_key ⇒ Object
Returns the value of attribute client_key.
-
#options ⇒ Object
Returns the value of attribute options.
-
#timeout ⇒ Object
Returns the value of attribute timeout.
-
#verify_callback ⇒ Object
Verification callback assigned to ctx.verify_callback; when nil, #default_verify_callback is used, which returns OpenSSL's verdict unchanged.
-
#verify_depth ⇒ Object
Returns the value of attribute verify_depth.
-
#verify_mode ⇒ Object
OpenSSL::SSL::VERIFY_* flags assigned to ctx.verify_mode (default VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT). Setting VERIFY_NONE disables peer certificate checking entirely.
Instance Method Summary
- #clear_cert_store ⇒ Object
-
#default_verify_callback(is_ok, ctx) ⇒ Object
Default callback for verification: only dumps error.
-
#initialize(client) ⇒ SSLConfig
constructor
A new instance of SSLConfig.
-
#post_connection_check(peer_cert, hostname) ⇒ Object
Hostname verification of the peer certificate (subjectAltName DNS/IP entries, then the subject CN); this definition must match the one in ext/openssl/lib/openssl/ssl.rb.
-
#sample_verify_callback(is_ok, ctx) ⇒ Object
Sample callback method: CAUTION: does not check CRL/ARL.
- #set_client_cert_file(cert_file, key_file) ⇒ Object
-
#set_context(ctx) ⇒ Object
interfaces for SSLSocketWrap.
- #set_crl(crl_file) ⇒ Object
- #set_trust_ca(trust_ca_file_or_hashed_dir) ⇒ Object
Constructor Details
#initialize(client) ⇒ SSLConfig
Returns a new instance of SSLConfig.
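# File 'lib/rss-client/http-access2.rb', line 624
# Builds the default SSL configuration for +client+.
#
# Defaults: an empty OpenSSL::X509::Store (load_cacerts, defined elsewhere in
# this file, runs last and presumably fills it -- verify there), no client
# certificate, VERIFY_PEER | VERIFY_FAIL_IF_NO_PEER_CERT so that a server
# certificate that fails chain validation aborts the handshake, OP_ALL bug
# workarounds with SSLv2 and SSLv3 disabled where the OpenSSL binding knows
# those flags, and a cipher list excluding anonymous DH, low-strength, export
# and MD5 suites. Does nothing when SSLEnabled is false.
#
# @param client [Object] owning client, kept in @client
def initialize(client)
  return unless SSLEnabled
  @client = client
  @cert_store = OpenSSL::X509::Store.new
  @client_cert = @client_key = @client_ca = nil
  # Never accept a server certificate that does not verify against the store.
  @verify_mode = OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT
  @verify_depth = nil
  @verify_callback = nil
  @dest = nil
  @timeout = nil
  # SSLv2 and SSLv3 are broken protocols (DROWN / POODLE). The original only
  # switched off SSLv2; SSLv3 is now switched off too, but only when the
  # binding defines OP_NO_SSLv3, so older builds keep the previous behaviour.
  @options = nil
  if defined?(OpenSSL::SSL::OP_ALL)
    @options = OpenSSL::SSL::OP_ALL | OpenSSL::SSL::OP_NO_SSLv2
    @options |= OpenSSL::SSL::OP_NO_SSLv3 if defined?(OpenSSL::SSL::OP_NO_SSLv3)
  end
  @ciphers = "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH"
  load_cacerts
end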
Instance Attribute Details
#cert_store ⇒ Object
The OpenSSL::X509::Store of trusted CA certificates and CRLs handed to the context as ctx.cert_store. Do not manipulate it directly unless you know what you are doing; use #set_trust_ca, #set_crl and #clear_cert_store instead.
# File 'lib/rss-client/http-access2.rb', line 622
# Trust store (OpenSSL::X509::Store) that #set_context assigns to ctx.cert_store.
# Prefer #set_trust_ca, #set_crl and #clear_cert_store over editing it directly.
#
# @return [OpenSSL::X509::Store]
def cert_store() @cert_store end
#ciphers ⇒ Object
Returns the value of attribute ciphers.
# File 'lib/rss-client/http-access2.rb', line 620
# OpenSSL cipher-list string that #set_context assigns to ctx.ciphers.
#
# @return [String]
def ciphers() @ciphers end
#client_ca ⇒ Object
Returns the value of attribute client_ca.
# File 'lib/rss-client/http-access2.rb', line 612
# Value that #set_context assigns to ctx.client_ca; nil unless set by the caller.
#
# @return [Object, nil]
def client_ca() @client_ca end
#client_cert ⇒ Object
Client certificate (OpenSSL::X509::Certificate) assigned to ctx.cert; loaded by #set_client_cert_file.
# File 'lib/rss-client/http-access2.rb', line 610
# Client certificate loaded by #set_client_cert_file and assigned to ctx.cert
# by #set_context; nil when no client certificate is configured.
#
# @return [OpenSSL::X509::Certificate, nil]
def client_cert() @client_cert end
#client_key ⇒ Object
Returns the value of attribute client_key.
# File 'lib/rss-client/http-access2.rb', line 611
# Private key loaded by #set_client_cert_file and assigned to ctx.key by
# #set_context; nil when no client certificate is configured.
#
# @return [OpenSSL::PKey::RSA, nil]
def client_key() @client_key end
#options ⇒ Object
Returns the value of attribute options.
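# File 'lib/rss-client/http-access2.rb', line 619
# OpenSSL::SSL::OP_* flag bits that #set_context assigns to ctx.options
# (nil when the OpenSSL binding has no OP_ALL).
#
# @return [Integer, nil]
def options
  @options
end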
#timeout ⇒ Object
Returns the value of attribute timeout.
# File 'lib/rss-client/http-access2.rb', line 618
# Value that #set_context assigns to ctx.timeout; nil unless set by the caller.
#
# @return [Object, nil]
def timeout() @timeout end
#verify_callback ⇒ Object
Returns the value of attribute verify_callback.
# File 'lib/rss-client/http-access2.rb', line 616
# Verification callback handed to ctx.verify_callback by #set_context.
# When nil, #set_context falls back to #default_verify_callback.
#
# @return [#call, nil]
def verify_callback() @verify_callback end
#verify_depth ⇒ Object
Returns the value of attribute verify_depth.
# File 'lib/rss-client/http-access2.rb', line 615
# Maximum chain depth handed to ctx.verify_depth by #set_context; when nil the
# context's own default is left untouched.
#
# @return [Integer, nil]
def verify_depth() @verify_depth end
#verify_mode ⇒ Object
Returns the value of attribute verify_mode.
# File 'lib/rss-client/http-access2.rb', line 614
# OpenSSL::SSL::VERIFY_* flags handed to ctx.verify_mode by #set_context.
# VERIFY_NONE here turns peer certificate checking off altogether.
#
# @return [Integer]
def verify_mode() @verify_mode end
Instance Method Details
#clear_cert_store ⇒ Object
# File 'lib/rss-client/http-access2.rb', line 647
# Replaces the trust store with an empty OpenSSL::X509::Store, dropping every
# CA certificate and CRL added so far, then calls change_notify. Until
# #set_trust_ca is called again no server certificate can verify.
#
# @return [Object] whatever change_notify returns
def clear_cert_store
  fresh_store = OpenSSL::X509::Store.new
  @cert_store = fresh_store
  change_notify
end
#default_verify_callback(is_ok, ctx) ⇒ Object
Default callback for verification: only dumps error.
# File 'lib/rss-client/http-access2.rb', line 765
# Default callback for verification: only dumps error.
#
# Writes the failing certificate's depth, error code and message to STDERR
# and hands OpenSSL's verdict back unchanged, so it never turns a failed
# chain check into a pass. With $DEBUG set every certificate visited is
# echoed to STDOUT as well.
#
# @param is_ok [Boolean] OpenSSL's verdict for ctx.current_cert
# @param ctx [OpenSSL::X509::StoreContext] verification state
# @return [Boolean] is_ok, untouched
def default_verify_callback(is_ok, ctx)
  puts "#{is_ok ? 'ok' : 'ng'}: #{ctx.current_cert.subject}" if $DEBUG
  unless is_ok
    STDERR.puts "at depth #{ctx.error_depth} - #{ctx.error}: #{ctx.error_string}"
  end
  is_ok
end
#post_connection_check(peer_cert, hostname) ⇒ Object
Hostname verification of the peer certificate (subjectAltName DNS/IP entries, then the subject CN); this definition must match the one in ext/openssl/lib/openssl/ssl.rb.
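# File 'lib/rss-client/http-access2.rb', line 737
# Hostname verification of the peer certificate.
#
# This definition must match the one in ext/openssl/lib/openssl/ssl.rb.
# The subjectAltName DNS: and IP Address: entries are checked first; the
# subject CN is consulted only when the certificate carries no DNS/IP SAN
# entry at all. DNS matching is case-insensitive, IP matching is an exact
# string comparison.
#
# Wildcards: a "*" is honoured only as the whole leftmost label
# ("*.example.com"), it stands for exactly one label, and at least two fixed
# labels must follow it. So "www.example.com" matches "*.example.com" but
# "a.b.example.com", "*.com" and "www.*.com" do not (RFC 6125 section 6.4.3).
# The previous version substituted every "*" anywhere in the name, letting a
# certificate for "www.*.com" match any host under .com.
#
# @param peer_cert [OpenSSL::X509::Certificate] certificate presented by the peer
# @param hostname [String] host the client intended to reach
# @return [true] when a SAN entry (or, failing that, the CN) matches
# @raise [OpenSSL::SSL::SSLError] when nothing matches
def post_connection_check(peer_cert, hostname)
  check_common_name = true
  cert = peer_cert
  cert.extensions.each { |ext|
    next if ext.oid != "subjectAltName"
    ext.value.split(/,\s+/).each { |general_name|
      if /\ADNS:(.*)/ =~ general_name
        check_common_name = false
        return true if dns_name_match?($1, hostname)
      elsif /\AIP Address:(.*)/ =~ general_name
        check_common_name = false
        return true if $1 == hostname
      end
    }
  }
  if check_common_name
    cert.subject.to_a.each { |oid, value|
      if oid == "CN"
        return true if dns_name_match?(value, hostname)
      end
    }
  end
  raise OpenSSL::SSL::SSLError, "hostname not match"
end

# Case-insensitive match of one DNS name taken from a certificate against
# hostname. A "*" is accepted only as the complete leftmost label, stands for
# exactly one label and needs at least two fixed labels after it; a "*"
# anywhere else makes the pattern match nothing.
#
# @param pattern [String] DNS name or wildcard name from the certificate
# @param hostname [String, nil] host to compare with
# @return [Boolean]
def dns_name_match?(pattern, hostname)
  return false if hostname.nil?
  if pattern.start_with?("*.")
    suffix = pattern[2..-1]
    # Reject a second "*" and suffixes with a single label ("*.com").
    return false if suffix.include?("*") || suffix.count(".") < 1
    reg = "[^.]+\\." + Regexp.escape(suffix)
  else
    return false if pattern.include?("*")
    reg = Regexp.escape(pattern)
  end
  !!(/\A#{reg}\z/i =~ hostname)
end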
#sample_verify_callback(is_ok, ctx) ⇒ Object
Sample callback method: CAUTION: does not check CRL/ARL.
# File 'lib/rss-client/http-access2.rb', line 779
# Sample callback method: CAUTION: does not check CRL/ARL.
#
# Illustrative verify_callback. OpenSSL's own verdict is respected first: a
# certificate OpenSSL rejected (is_ok false) is logged under $DEBUG and
# rejected here too, so this callback can only narrow, never widen, what the
# chain check already accepted. An accepted certificate is then classified
# from its extensions and passed when it is self-signed, a CA, or marked for
# server use.
#
# Caveats to know before copying this:
# - Extensions are visited in certificate order and each branch overwrites
#   ca / server_auth, so a later extension overrides an earlier one (e.g.
#   extendedKeyUsage replaces the keyUsage result).
# - The extendedKeyUsage branch only looks for 'Netscape Server Gated
#   Crypto'; a certificate whose EKU is 'TLS Web Server Authentication'
#   alone ends up with server_auth false and is refused unless it is also
#   self-signed or a CA.
# - The basicConstraints regexp requires a pathlen; "CA:TRUE" without one
#   does not match, $1 is then nil and ca becomes false in that branch.
# - pathlen is parsed but never used; extension criticality is ignored.
#
# @param is_ok [Boolean] OpenSSL's verdict for ctx.current_cert
# @param ctx [OpenSSL::X509::StoreContext] verification state
# @return [Boolean] true to accept the current certificate, false to reject
def sample_verify_callback(is_ok, ctx)
  unless is_ok
    depth = ctx.error_depth
    code = ctx.error
    msg = ctx.error_string
    STDERR.puts "at depth #{depth} - #{code}: #{msg}" if $DEBUG
    return false
  end
  cert = ctx.current_cert
  self_signed = false
  ca = false
  pathlen = nil
  server_auth = true
  # Subject equal to issuer is taken as self-signed.
  self_signed = (cert.subject.cmp(cert.issuer) == 0)
  # Check extensions whatever its criticality is. (sample)
  cert.extensions.each do |ex|
    case ex.oid
    when 'basicConstraints'
      /CA:(TRUE|FALSE), pathlen:(\d+)/ =~ ex.value
      ca = ($1 == 'TRUE')
      pathlen = $2.to_i
    when 'keyUsage'
      usage = ex.value.split(/\s*,\s*/)
      ca = usage.include?('Certificate Sign')
      server_auth = usage.include?('Key Encipherment')
    when 'extendedKeyUsage'
      usage = ex.value.split(/\s*,\s*/)
      server_auth = usage.include?('Netscape Server Gated Crypto')
    when 'nsCertType'
      usage = ex.value.split(/\s*,\s*/)
      ca = usage.include?('SSL CA')
      server_auth = usage.include?('SSL Server')
    end
  end
  if self_signed
    STDERR.puts 'self signing CA' if $DEBUG
    return true
  elsif ca
    STDERR.puts 'middle level CA' if $DEBUG
    return true
  elsif server_auth
    STDERR.puts 'for server authentication' if $DEBUG
    return true
  end
  return false
end
#set_client_cert_file(cert_file, key_file) ⇒ Object
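# File 'lib/rss-client/http-access2.rb', line 641
# Loads the client certificate and its RSA private key from files and calls
# change_notify. Only RSA keys are accepted (OpenSSL::PKey::RSA), and no
# passphrase is passed, so the key file is expected to be unencrypted.
#
# File.read replaces File.open(...).read, which left the descriptor open
# until garbage collection.
#
# @param cert_file [String] path to the PEM/DER client certificate
# @param key_file [String] path to the PEM/DER RSA private key
# @return [Object] whatever change_notify returns
# @raise [Errno::ENOENT, OpenSSL::X509::CertificateError, OpenSSL::PKey::RSAError]
def set_client_cert_file(cert_file, key_file)
  @client_cert = OpenSSL::X509::Certificate.new(File.read(cert_file))
  @client_key = OpenSSL::PKey::RSA.new(File.read(key_file))
  change_notify
end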
#set_context(ctx) ⇒ Object
interfaces for SSLSocketWrap.
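# File 'lib/rss-client/http-access2.rb', line 721
# Interface for SSLSocketWrap: copies this configuration onto +ctx+.
#
# Verification settings (store, mode, depth, callback) are applied first,
# then the client credentials, timeout, protocol options and cipher list.
# When no verify_callback was set, default_verify_callback is used, which
# returns OpenSSL's verdict unchanged. A verify_mode of VERIFY_NONE makes
# OpenSSL skip certificate checking regardless of store and callback.
#
# The assignment of @options was garbled in the rendered listing
# ("ctx. = @options"); it is ctx.options.
#
# @param ctx [OpenSSL::SSL::SSLContext] context to configure
def set_context(ctx)
  # Verification: Use Store#verify_callback instead of SSLContext#verify*?
  ctx.cert_store = @cert_store
  ctx.verify_mode = @verify_mode
  ctx.verify_depth = @verify_depth if @verify_depth
  ctx.verify_callback = @verify_callback || method(:default_verify_callback)
  # SSL config
  ctx.cert = @client_cert
  ctx.key = @client_key
  ctx.client_ca = @client_ca
  ctx.timeout = @timeout
  ctx.options = @options
  ctx.ciphers = @ciphers
end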
#set_crl(crl_file) ⇒ Object
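# File 'lib/rss-client/http-access2.rb', line 661
# Adds a CRL to the trust store, turns on CRL checking for the whole chain
# (V_FLAG_CRL_CHECK | V_FLAG_CRL_CHECK_ALL) and calls change_notify.
#
# The flags are assigned, not OR-ed, so any flags previously set on the
# store are replaced. With CRL_CHECK_ALL OpenSSL expects a CRL for every CA
# in the chain; chains for which no CRL was added are expected to fail
# verification -- confirm against the OpenSSL version in use.
#
# File.read replaces File.open(...).read, which left the descriptor open
# until garbage collection.
#
# @param crl_file [String] path to the PEM/DER CRL
# @return [Object] whatever change_notify returns
# @raise [Errno::ENOENT, OpenSSL::X509::CRLError]
def set_crl(crl_file)
  crl = OpenSSL::X509::CRL.new(File.read(crl_file))
  @cert_store.add_crl(crl)
  @cert_store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK | OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
  change_notify
end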
#set_trust_ca(trust_ca_file_or_hashed_dir) ⇒ Object
# File 'lib/rss-client/http-access2.rb', line 652
# Adds trust anchors to the store and calls change_notify. A directory is
# loaded with Store#add_path (OpenSSL hashed-name layout), anything else is
# loaded as a single certificate file with Store#add_file.
#
# @param trust_ca_file_or_hashed_dir [String] CA bundle file or hashed CA directory
# @return [Object] whatever change_notify returns
def set_trust_ca(trust_ca_file_or_hashed_dir)
  loader = File.directory?(trust_ca_file_or_hashed_dir) ? :add_path : :add_file
  @cert_store.send(loader, trust_ca_file_or_hashed_dir)
  change_notify
end