Only works without ssl_ca_file? #4

Closed
Swizec opened this Issue Apr 16, 2013 · 15 comments

Contributor

Swizec commented Apr 16, 2013

Hey,

I'm trying to use coinbase from rails and whenever I use this gem I get an error along the lines of SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)

However, when I comment out the ssl_ca_file line in client.rb, everything starts working flawlessly.

Has the ca-coinbase.crt included in the gem gone out of sync with what the website is actually using these days, or is something more sinister going on?

Cheers,
~Swizec

Contributor

kyledrake commented Apr 16, 2013

Interesting. What version of ruby are you using?

Contributor

kyledrake commented Apr 16, 2013

I have confirmed this. The current certificate is failing verification. Let me see if I can figure out what is going on.

Contributor

kyledrake commented Apr 16, 2013

$ openssl x509 -in ca-coinbase.crt -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            02:ac:5c:26:6a:0b:40:9b:8f:0b:79:f2:ae:46:25:77
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA
        Validity
            Not Before: Nov 10 00:00:00 2006 GMT
            Not After : Nov 10 00:00:00 2031 GMT
        Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
.. blah blah ..
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
$ curl --cacert ./ca-coinbase.crt -vi https://coinbase.com/api/v1/account/balance?api_key=SECRET_KEY
* About to connect() to coinbase.com port 443 (#0)
*   Trying 141.101.113.127...
* connected
* Connected to coinbase.com (141.101.113.127) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: ./ca-coinbase.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using RC4-SHA
* Server certificate:
*    subject: C=US; ST=CA; L=San Francisco; O=CloudFlare, Inc.; CN=ssl4029.cloudflare.com
*    start date: 2013-04-12 19:18:21 GMT
*    expire date: 2018-01-15 17:32:16 GMT
*    subjectAltName: coinbase.com matched
*    issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign Organization Validation CA - G2
*    SSL certificate verify ok.
> GET /api/v1/account/balance?api_key=SECRET_KEY HTTP/1.1
> User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8r zlib/1.2.5
> Host: coinbase.com
> Accept: */*
> 
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: cloudflare-nginx

My current theory is that Coinbase has recently switched to Cloudflare and is now using a different ssl certificate as a result.

Contributor

kyledrake commented Apr 16, 2013

"Enable SSL with either a SSL certificate issued by CloudFlare or by uploading your own dedicated certificate to the CloudFlare network. We allow for upload of any SSL certificate type including Extended Validation (EV) SSL."

So I think the ssl cert just needs to get uploaded on Cloudflare. This problem should go away soon! I suspect this isn't foul play.

Contributor

Swizec commented Apr 16, 2013

Awesome!

So it's just a matter of waiting for coinbase to update their CloudFlare settings?

Contributor

kyledrake commented Apr 16, 2013

If my hypothesis is correct then yes. Until then you can either add the certificate for Cloudflare's default wildcard SSL, or disable the certificate check in the interim as a temporary workaround.

You dastardly fools! You've foiled my plan to steal all of teh bitcoinz! And I would have gotten away with it too, if it weren't for you meddling developers!

/sorry, had to

Contributor

kyledrake commented Apr 17, 2013

@sibblegp Are you seeing a similar problem with the python library? I can't get cURL to fail verification, which is strange to me.

I haven't tried it yet and won't have time for a few days. My guess is yes. The Cloudflare theory is sound.

Contributor

lian commented Apr 17, 2013

we changed from digicert to globalsign and forgot to update the rubygem. thanks for noticing!

issue resolved in current master now.

lian closed this Apr 17, 2013

kyledrake referenced this issue in sibblegp/coinbase_python Apr 17, 2013: "New certs #1" (Merged)

Contributor

lian commented Apr 17, 2013

@Swizec btw, if you comment out the ssl_ca_file and your ruby doesn't know about your system's CA certs, or the system ones are bad, then MITM is possible and ruby gives you no hint/error.
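To make the two points in this thread concrete (kyledrake's diagnosis that the pinned DigiCert root no longer matches the chain the server presents, and lian's warning that dropping ssl_ca_file with no usable system store silently permits MITM), here is an added example that is not part of the gem or of any comment above. It builds two throwaway roots ("OldRoot" and "NewRoot" are constructed stand-ins for the DigiCert and GlobalSign CAs, and api.example.test is a made-up hostname), issues a server certificate from the new root, and verifies it against stores pinned to the old root, the new root, and both. The pinned_client helper and the ca_file path it takes are assumptions about how a Net::HTTP client would be configured, not the gem's own client code.

```ruby
require 'openssl'
require 'net/http'

# Build a self-signed root CA. The org names are constructed for this
# example (stand-ins for the DigiCert root the gem shipped and the
# GlobalSign CA the site moved to); nothing here is real CA material.
def make_ca(org)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/C=US/O=#{org}/CN=#{org} Root CA")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 3600
  cert.not_after  = Time.now + 10 * 365 * 24 * 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  [cert, key]
end

# Issue a server certificate for +host+ signed by the given CA.
def make_leaf(ca_cert, ca_key, host)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 2
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{host}")
  cert.issuer     = ca_cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 3600
  cert.not_after  = Time.now + 90 * 24 * 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = ca_cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{host}", false))
  cert.sign(ca_key, OpenSSL::Digest::SHA256.new)
  cert
end

# Verify +leaf+ against a trust store that holds only +trusted_cas+,
# which is exactly what a pinned ssl_ca_file does.
# Returns [ok, openssl_error_code, error_string].
def verify_against(leaf, trusted_cas)
  store = OpenSSL::X509::Store.new
  trusted_cas.each { |ca| store.add_cert(ca) }
  ok = store.verify(leaf)
  [ok, store.error, store.error_string]
end

# Reproduce the issue: the pinned root is the old CA, but the server
# now presents a certificate chained to a different CA.
def demo
  old_ca, _old_key = make_ca('OldRoot')
  new_ca, new_key  = make_ca('NewRoot')
  leaf = make_leaf(new_ca, new_key, 'api.example.test')
  {
    pinned_old:  verify_against(leaf, [old_ca]),         # fails, as the gem did
    pinned_new:  verify_against(leaf, [new_ca]),         # passes after the CA update
    pinned_both: verify_against(leaf, [old_ca, new_ca])  # keeps working across a CA migration
  }
end

# Client configuration: keep VERIFY_PEER and point ca_file at the pinned
# bundle. Setting VERIFY_NONE makes the error go away but also accepts
# any certificate, which is the MITM exposure described in the thread.
# (ca_file is a hypothetical path; the object is built but never connects.)
def pinned_client(host, ca_file)
  http = Net::HTTP.new(host, 443)
  http.use_ssl     = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.ca_file     = ca_file
  http
end

if __FILE__ == $0
  demo.each do |label, (ok, code, msg)|
    puts format('%-12s ok=%-5s code=%-3d %s', label, ok, code, msg)
  end
end
```

The pinned_old case reports "unable to get local issuer certificate", the same verification failure Ruby surfaces as "certificate verify failed". Shipping both the outgoing and incoming root in the CA bundle (pinned_both) is how a client library survives a server-side CA change without a release that breaks every user.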

kyledrake referenced this issue in hostvpn/whmcs-coinbase-bitcoin Apr 17, 2013: "Update ca-coinbase.crt #1" (Merged)

Contributor

lian commented Apr 17, 2013

@kyledrake awesome job pushing it to libs in other languages. thank you very much!

Contributor

kyledrake commented Apr 17, 2013

I sent pull requests for a few other coinbase libraries using the old certs, see my news feed to see them all.

Contributor

kyledrake commented Apr 17, 2013

@lian NP, see you tomorrow. 😃

Owner

barmstrong commented Apr 17, 2013

Nice work guys :)
