jordansissel / ruby-flores

Exploration in randomized testing (fuzzing, stress testing, etc)
Apache License 2.0

Issue with the `AuthorityKeyIdentifier` when creating self signed certificate #2

Closed ph closed 9 years ago

ph commented 9 years ago

When I create a self signed certificate I get this error when trying to connect to an SSL server.

jruby 1.7.20

```
OpenSSL::SSL::SSLError: java.io.IOException: Invalid encoding of AuthorityKeyIdentifierExtension.
  connect at org/jruby/ext/openssl/SSLSocket.java:190
   (root) at ssl_test.rb:57
```

ruby 2.2.0

```
Starting Server
ssl_test.rb:56:in `connect': SSL_connect SYSCALL returned=5 errno=0 state=SSLv2/v3 read server hello A (OpenSSL::SSL::SSLError)
    from ssl_test.rb:56:in `block in <main>'
```

ruby code is: https://gist.github.com/4a678ec4e4206b45bba1

jordansissel commented 9 years ago

I'll take a look <3

ph commented 9 years ago

I've used the old method of using the openssl binaries and it works great :( Not sure if I did something wrong.

jordansissel commented 9 years ago

I think the jruby problem `Invalid encoding of AuthorityKeyIdentifierExtension` is a known issue (JRuby has problems generating certificate payloads sometimes).

The MRI problem I'm not sure about. I'll try to write some tests for flores to figure out what's going on.

jordansissel commented 9 years ago

I ran your code, and amusingly I get a different error:

```
# Ruby 2.2.1p85
% ruby -I./lib ssl_test.rb 
Starting Server
/home/jls/.rvm/rubies/ruby-2.2.1/lib/ruby/2.2.0/openssl/ssl.rb:236:in `accept': SSL_accept returned=1 errno=0 state=error: EVP lib (OpenSSL::SSL::SSLError)
```

jordansissel commented 9 years ago

Hah, my error was caused by the RSA key size being too small (512 is rejected by newer openssl implementations, I guess?) Changing to 1024 fixed it. Will keep testing.

jordansissel commented 9 years ago

Ok, the problem with your code was that you are not telling the client socket about the server's cert properly.

SSLContext#cert= is for setting the local certificate identity. If you want to tell the context what certificates are trusted, you'll want to use OpenSSL::X509::Store like so:

```ruby
# For the client to trust the server's `certificate`
store = OpenSSL::X509::Store.new
store.add_cert(certificate)
context.cert_store = store
```

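The distinction drawn above between `cert=` (the local identity) and `cert_store=` (what the peer is trusted against), as an added Ruby example that is not flores' code nor the gist from this issue: a self-signed certificate is built in memory, the server presents it, and a `VERIFY_PEER` client completes the loopback handshake only when that exact certificate is in its store. The 2048-bit key, the `/CN=localhost` subject and the loopback port are my assumptions.

```ruby
require 'openssl'
require 'socket'

# Self-signed cert built in memory (added example, not flores' own code).
# 2048-bit RSA: the thread found 512-bit keys rejected by newer OpenSSL.
def make_self_signed(cn = "localhost")
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                      # X.509 v3
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject           # self-signed: issuer == subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.add_extension(ef.create_extension("subjectKeyIdentifier", "hash"))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# One loopback handshake: server presents cert/key; a VERIFY_PEER client checks it
# against a store holding `trusted` (nil = empty store). Returns :ok or :rejected.
def handshake(cert, key, trusted)
  server_ctx = OpenSSL::SSL::SSLContext.new
  server_ctx.cert = cert                   # cert= : the server's OWN identity
  server_ctx.key  = key
  ssl_server = OpenSSL::SSL::SSLServer.new(TCPServer.new("127.0.0.1", 0), server_ctx)
  port = ssl_server.to_io.addr[1]
  thr = Thread.new { s = ssl_server.accept; s.write("hi"); s.close }
  thr.report_on_exception = false          # the client may refuse the handshake

  client_ctx = OpenSSL::SSL::SSLContext.new
  client_ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER
  store = OpenSSL::X509::Store.new
  store.add_cert(trusted) if trusted
  client_ctx.cert_store = store            # cert_store= : what the client TRUSTS
  sock = OpenSSL::SSL::SSLSocket.new(TCPSocket.new("127.0.0.1", port), client_ctx)
  sock.sync_close = true
  sock.connect                             # raises when the peer cert is untrusted
  sock.read
  :ok
rescue OpenSSL::SSL::SSLError
  :rejected
ensure
  sock&.close
  thr&.join rescue nil                     # server-side SSLError is expected when rejected
  ssl_server&.close
end
```

Putting the server's certificate into `context.cert=` on the client side would not change the `:rejected` outcome; only the store is consulted for trust.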
ph commented 9 years ago

weird, from the doc #cert should have worked too. good catch for the RSA. I've used #ca_file in the past, but obviously it only works with a physical file ;)

jordansissel commented 9 years ago

yeah, the ssl api is terrible. I'm still having trouble getting your example working with VERIFY_PEER. I'm not sure why it's still failing.

jordansissel commented 9 years ago

You can write the ssl cert/key to disk if you want, as a workaround.

ph commented 9 years ago

@jordansissel can you paste the error? I've created a simple socket/server example with physical certificates.

ph commented 9 years ago

Also this is a bit strange that #cert works in some contexts and not in others, see https://github.com/elastic/ruby-lumberjack/blob/master/lib/lumberjack/server.rb#L41

jordansissel commented 9 years ago

Fixed by 3516bbfba3ec2cfbb85aa9df508208d64bd66735 w/ specs to keep it working.