search

ruby / openssl

Provides SSL, TLS and general purpose cryptography.
Other
240 stars 167 forks source link

Can we get DEBUG loggin from the OpenSSL library? #800

Open valentijnscholten opened 2 months ago

valentijnscholten commented 2 months ago

Hi,

Problem

As a developer I would like to see (DEBUG) logging from OpenSSL. We have a Ruby application that connects to Amazon Cloudfront to retrieve a file. This runs through a network outside of our control containing NAT gateways, proxies, etc.

This works 99% of the time, but Intermittently we get a self signed certificate error:

OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 
peeraddr=18.66.171.65:443 state=error: certificate verify failed 
(self signed certificate in certificate chain))

But it doesn't show WHICH certificate (or subject, fignerprint, ...) is being seen.

Question / Request Ideally we would have a ruby OpenSSL flag that instructs OpenSSL to do its (DEBUG) logging so we can get this information. I can see OpenSSL is logging the desired information in:

https://github.com/openssl/openssl/blob/6288aa440c1ba111eaf52cf79659a25329205022/crypto/x509/t_x509.c#L484-L501

Is it possible to get the Ruby app to log this information?

I have found OpenSSL::debug=true, but this only seems to trigger debug logging done in this Ruby Gem.

In java we have -Djava.net.debug=ssl, but I realize that is not using OpenSSL underneath.

Alternative I have found a way to get Ruby to log the self-signed certificate that is being seen in Ruby via https://github.com/mislav/ssl-tools/blob/master/doctor.rb. Something along these lines, where the store_context contains the failed certificat:

  http.verify_callback = lambda { |verify_ok, store_context|
    if !verify_ok
      failed_cert = store_context.current_cert
      failed_cert_reason = "%d: %s" % [ store_context.error, store_context.error_string ]
    end
    verify_ok
  }

This is not ideal as it requires code changes in our Ruby apps, which is using httparty as a wrapper. Also we would be replicating logging that is already done by OpenSSL.

The fact that this SSL Docter script exists seems to confirm there is no Ruby OpenSSL::xxx flag to achieve this?

Would it be possible to implement such a flag? Is there an alternative way to achieve the same?

valentijnscholten commented 2 months ago

Additionally, we tried setting the environment variable SSL_DEBUG=1, but this doens't seem to output any extra logging.

bdewater commented 3 days ago

I don't think the comparison is fair about reuse - the code linked is from the openssl x509 utility, not the OpenSSL library. Both use the same callback mechanism to hook into the verification process.

Would it be possible to implement such a flag? Is there an alternative way to achieve the same?

You could open a PR to tweak the error message here: https://github.com/ruby/openssl/blob/2b9f444833147b123b4133572da9e78fd8898aa1/ext/openssl/ossl_ssl.c#L1803

Or fork httparty and change it to allow passing through a lambda to http.verify_callback around here, so you can do in your app whatever you need: https://github.com/jnunemaker/httparty/blob/f0c42a7198c9357f0d95633e46512c92769f6476/lib/httparty/connection_adapter.rb#L189