Hello,
I am developing a web application that is authenticated using CAS (a single-sign-on solution: http://www.ja-sig.org/wiki/display/CAS/Home).

For security reasons, I need two things to work:

  • The communication between CAS and my application needs to be secure
  • My application needs to accept the certification coming from CAS, so that I can guarantee that the CAS responding is the real CAS server

This is what I got so far:

require 'uri'
require 'net/https'   # on Ruby 1.8 this is what adds SSL support to Net::HTTP
require 'openssl'

uri = URI.parse("https://www.google.com/accounts")
https = Net::HTTP.new(uri.host, uri.port)
https.use_ssl = (uri.scheme == 'https')
# VERIFY_PEER makes the handshake fail unless the server chain verifies against the CA store
https.verify_mode = OpenSSL::SSL::VERIFY_PEER
raw_res = https.start do |conn|
  conn.get("#{uri.path}?#{uri.query}")
end

This works just great on Mac OS X. When I try to reach an insecure URI, it raises an exception, and when I try to reach a secure URI, it allows me normally, just like expected.

The problem starts when I deploy my application on my Linux server. I tried on both Ubuntu and Red Hat. Regardless of which URI I try to reach, it always raises this exception:

OpenSSL::SSL::SSLError: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
    from /usr/local/lib/ruby/1.8/net/http.rb:586:in `connect'
    from /usr/local/lib/ruby/1.8/net/http.rb:586:in `connect'
    from /usr/local/lib/ruby/1.8/net/http.rb:553:in `do_start'
    from /usr/local/lib/ruby/1.8/net/http.rb:542:in `start'
    from (irb):7

I think this has something to do with my installed OpenSSL package, but I can't be sure. These are my installed OpenSSL packages:

openssl.x86_64                              0.9.8e-12.el5              installed
openssl-devel.x86_64                        0.9.8e-12.el5              installed

I tried using HTTParty as well, but it just ignores the SSL certificate.

I hope someone can help me, or tell me about a gem that works the way I need.

Thanks.

A: 

I would bet that there's a difference in the Certificate Authorities file. Try setting https.ca_file to another pem file, like maybe this one, and ensure that your cert's CA is in that list.

Or, perhaps one or both of the machines' clocks are wrong. (via this page)

Check that the clocks between the puppetmaster and client are in sync; if the client is behind the time when the certificate was generated, then the client sees that the start date of the certificate is in the future and therefore invalid. Just for reference, you can find out this info from the cert using the following:

openssl x509 -text -noout -in /var/lib/puppet/ssl/certs/hostname.tld.pem | grep -A2 Validity

    Validity
        Not Before: Apr 19 23:21:29 2009 GMT
        Not After : Apr 18 23:21:29 2014 GMT
John Douthat
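An added example (not code from the question or the answer) that puts the two suggestions above into Ruby: `verified_https` builds the client with `verify_mode` and `ca_file` set, and `diagnose` explains a "certificate verify failed" offline by checking the certificate's validity window against a given clock and its chain against a trust store built from the CA PEM. `make_cert` is an assumed helper that only generates throwaway test certificates; the hostname `cas.example` and the path `/tmp/ca.pem` are placeholders.

```ruby
require 'net/https'
require 'openssl'
require 'uri'

# Net::HTTP client pinned to one CA bundle (the ca_file suggestion).
# Nothing is sent here; the caller opens the connection with #start.
def verified_https(url, ca_file)
  uri = URI.parse(url)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = (uri.scheme == 'https')
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.ca_file = ca_file
  http
end

# Offline explanation of "certificate verify failed": first the validity
# window against the client's clock (skew), then the chain against a store
# holding only the CA PEM. Returns a list of problems ([] means it verifies).
def diagnose(cert_pem, ca_pem, now = Time.now)
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  problems = []
  problems << "clock: not valid before #{cert.not_before}" if now < cert.not_before
  problems << "clock: not valid after #{cert.not_after}" if now > cert.not_after
  store = OpenSSL::X509::Store.new
  store.add_cert(OpenSSL::X509::Certificate.new(ca_pem))
  store.time = now                     # verify as of the supplied clock
  problems << "chain: #{store.error_string}" unless store.verify(cert)
  problems
end

# Constructed fixtures only: a throwaway CA and a leaf it signs.
def make_cert(cn, key, issuer, issuer_key, not_before, days, is_ca)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1 << 62)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_before + days * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer || cert
  ef_val = is_ca ? 'CA:TRUE' : 'CA:FALSE'
  cert.add_extension(ef.create_extension('basicConstraints', ef_val, true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end
```

A leaf that fails only because the client's clock is behind its Not Before date reports a "clock:" problem, while one signed by a CA absent from the bundle reports the store's own reason (for example "unable to get local issuer certificate").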