
Can we get DEBUG logging from the OpenSSL library? #800

@valentijnscholten

Hi,

Problem

As a developer I would like to see (DEBUG) logging from OpenSSL. We have a Ruby application that connects to Amazon Cloudfront to retrieve a file. This runs through a network outside of our control containing NAT gateways, proxies, etc.

This works 99% of the time, but intermittently we get a self-signed certificate error:

OpenSSL::SSL::SSLError (SSL_connect returned=1 errno=0 
peeraddr=18.66.171.65:443 state=error: certificate verify failed 
(self signed certificate in certificate chain))

But it doesn't show WHICH certificate (or subject, fingerprint, ...) is being seen.

Question / Request
Ideally we would have a ruby OpenSSL flag that instructs OpenSSL to do its (DEBUG) logging so we can get this information. I can see OpenSSL is logging the desired information in:

https://github.com/openssl/openssl/blob/6288aa440c1ba111eaf52cf79659a25329205022/crypto/x509/t_x509.c#L484-L501

Is it possible to get the Ruby app to log this information?

I have found OpenSSL::debug=true, but this only seems to trigger debug logging done in this Ruby Gem.

In java we have -Djava.net.debug=ssl, but I realize that is not using OpenSSL underneath.

Alternative
I have found a way to get Ruby to log the self-signed certificate that is being seen in Ruby via https://github.com/mislav/ssl-tools/blob/master/doctor.rb. Something along these lines, where the store_context contains the failed certificate:

  require 'openssl'
  require 'net/http'
  http = Net::HTTP.new(uri.host, uri.port)   # uri: URI of the CloudFront file being fetched
  http.use_ssl = true
  http.verify_callback = lambda { |verify_ok, store_context|
    if !verify_ok
      # current_cert is the certificate OpenSSL rejected; error_depth is its position in the chain
      failed_cert = store_context.current_cert
      failed_cert_reason = "%d: %s" % [ store_context.error, store_context.error_string ]
      warn "verify failed at depth #{store_context.error_depth}, #{failed_cert_reason}: " \
           "subject=#{failed_cert.subject} issuer=#{failed_cert.issuer}"
    end
    verify_ok
  }

This is not ideal as it requires code changes in our Ruby apps, which use httparty as a wrapper. Also we would be replicating logging that is already done by OpenSSL.

The fact that this SSL Doctor script exists seems to confirm there is no Ruby OpenSSL::xxx flag to achieve this?

Would it be possible to implement such a flag? Is there an alternative way to achieve the same?
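The following is an added example (not part of the issue above, and not code from the ruby/openssl project) showing what the verify_callback route described in the issue can actually extract, reproduced offline. It builds a throwaway two-level chain in memory (a self-signed "Corp Proxy Root" and a leaf it issued for an invented cloudfront.net hostname; neither is a real certificate) and verifies it through an OpenSSL::X509::Store with an empty trust store, which yields the same "self signed certificate in certificate chain" error (X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, code 19) the issue reports. The callback receives the same OpenSSL::X509::StoreContext that Net::HTTP#verify_callback receives, so the lambda body carries over unchanged. The helper names (make_cert, verify_with_diagnostics, format_failures) are this example's own.

```ruby
require 'openssl'

# Build an X.509v3 certificate in memory. With no issuer the certificate is
# self-signed (a root); otherwise it is signed by issuer_key, the way an
# intercepting proxy signs a re-issued leaf. Test helper only, not CA code.
def make_cert(subject:, key:, serial:, issuer: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                                  # X.509v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 3600
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.add_extension(ef.create_extension("subjectKeyIdentifier", "hash"))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Verify leaf against store, offering untrusted_chain as issuer candidates the
# way a TLS peer sends them. The verify_callback sees the same StoreContext
# that Net::HTTP#verify_callback receives, so the lambda body is reusable there.
def verify_with_diagnostics(store, leaf, untrusted_chain)
  failures = []
  store.verify_callback = lambda do |preverify_ok, ctx|
    unless preverify_ok
      cert = ctx.current_cert                       # the certificate OpenSSL is rejecting
      failures << {
        depth:       ctx.error_depth,               # 0 = leaf, 1 = its issuer, ...
        error:       ctx.error,                     # numeric X509_V_ERR_* code
        reason:      ctx.error_string,
        subject:     cert.subject.to_s,
        issuer:      cert.issuer.to_s,
        sha256:      OpenSSL::Digest.new("SHA256").hexdigest(cert.to_der),
        self_signed: cert.verify(cert.public_key),  # signature checks under its own key
      }
    end
    preverify_ok   # pass OpenSSL's verdict through; returning true here would accept the bad chain
  end
  ok = store.verify(leaf, untrusted_chain)
  { ok: ok, error: store.error, error_string: store.error_string, failures: failures }
end

# One log line per rejected certificate: the detail the bare SSLError omits.
def format_failures(result)
  result[:failures].map do |f|
    "depth=#{f[:depth]} err=#{f[:error]} (#{f[:reason]}) subject=#{f[:subject]} " \
      "issuer=#{f[:issuer]} self_signed=#{f[:self_signed]} sha256=#{f[:sha256]}"
  end
end

# Constructed chain (example data, not real certificates): a self-signed
# "Corp Proxy Root" and a leaf it issued for a CloudFront-style hostname.
CA_KEY     = OpenSSL::PKey::RSA.new(2048)
LEAF_KEY   = OpenSSL::PKey::RSA.new(2048)
PROXY_ROOT = make_cert(subject: "/CN=Corp Proxy Root", key: CA_KEY, serial: 1, ca: true)
LEAF       = make_cert(subject: "/CN=example.cloudfront.net", key: LEAF_KEY, serial: 2,
                       issuer: PROXY_ROOT, issuer_key: CA_KEY)

if $PROGRAM_NAME == __FILE__
  # Empty trust store: reproduces "self signed certificate in certificate chain",
  # now with the identity and fingerprint of the offending root.
  bad = verify_with_diagnostics(OpenSSL::X509::Store.new, LEAF, [PROXY_ROOT])
  puts "verify=#{bad[:ok]} error=#{bad[:error]} (#{bad[:error_string]})"
  puts format_failures(bad)

  # Same chain with the root trusted: verification succeeds and nothing is logged.
  trusted = OpenSSL::X509::Store.new
  trusted.add_cert(PROXY_ROOT)
  good = verify_with_diagnostics(trusted, LEAF, [PROXY_ROOT])
  puts "verify=#{good[:ok]} failures=#{good[:failures].size}"
end
```

Two points worth keeping when moving this into an application: the callback must return preverify_ok unchanged, since returning true from it tells OpenSSL to accept the chain and silently turns a verification error into a bypass; and the depth and self_signed fields together tell you whether the unexpected root is a proxy's interception CA (depth 1 or more, self-signed, subject you do not recognise) rather than anything wrong with the CloudFront leaf itself.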
