
Only works without ssl_ca_file? #4

Closed
Swizec opened this Issue · 15 comments

5 participants

@Swizec

Hey,

I'm trying to use coinbase from rails and whenever I use this gem I get an error along the lines of SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed (OpenSSL::SSL::SSLError)

However, when I comment out the ssl_ca_file line in client.rb, everything starts working flawlessly.

Has the ca-coinbase.crt included in the gem gone out of sync with what the website is actually using these days, or is something more sinister going on?

Cheers,
~Swizec

@kyledrake

Interesting. What version of ruby are you using?

@kyledrake

I have confirmed this. The current certificate is failing verification. Let me see if I can figure out what is going on.

@kyledrake

$ openssl x509 -in ca-coinbase.crt -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            02:ac:5c:26:6a:0b:40:9b:8f:0b:79:f2:ae:46:25:77
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA
        Validity
            Not Before: Nov 10 00:00:00 2006 GMT
            Not After : Nov 10 00:00:00 2031 GMT
        Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
.. blah blah ..
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
$ curl --cacert ./ca-coinbase.crt -vi https://coinbase.com/api/v1/account/balance?api_key=SECRET_KEY
* About to connect() to coinbase.com port 443 (#0)
*   Trying 141.101.113.127...
* connected
* Connected to coinbase.com (141.101.113.127) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: ./ca-coinbase.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using RC4-SHA
* Server certificate:
*    subject: C=US; ST=CA; L=San Francisco; O=CloudFlare, Inc.; CN=ssl4029.cloudflare.com
*    start date: 2013-04-12 19:18:21 GMT
*    expire date: 2018-01-15 17:32:16 GMT
*    subjectAltName: coinbase.com matched
*    issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign Organization Validation CA - G2
*    SSL certificate verify ok.
> GET /api/v1/account/balance?api_key=SECRET_KEY HTTP/1.1
> User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8r zlib/1.2.5
> Host: coinbase.com
> Accept: */*
> 
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: cloudflare-nginx

My current theory is that Coinbase has recently switched to Cloudflare and is now using a different ssl certificate as a result.

@kyledrake

"Enable SSL with either a SSL certificate issued by CloudFlare or by uploading your own dedicated certificate to the CloudFlare network. We allow for upload of any SSL certificate type including Extended Validation (EV) SSL."

So I think the ssl cert just needs to get uploaded on Cloudflare. This problem should go away soon! I suspect this isn't foul play.

@Swizec

Awesome!

So it's just a matter of waiting for coinbase to update their CloudFlare settings?

@kyledrake

If my hypothesis is correct then yes. Until then you can either add the certificate for Cloudflare's default wildcard SSL, or disable the certificate check in the interim as a temporary workaround.
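The failure discussed above, as an added example that is not code from the coinbase gem or from anyone in this thread: two throwaway root CAs stand in for the DigiCert root the gem ships in ca-coinbase.crt and the GlobalSign root the site now chains to. A server certificate issued under the new root fails verification against a bundle that only holds the old root (the same class of error Swizec reported), passes against the new one, and is rejected on a hostname mismatch even when the chain is trusted. `build_client` shows the Net::HTTP settings that pin the bundle while keeping `VERIFY_PEER`, which is the alternative to commenting out ssl_ca_file. All names (Old Root CA, New Root CA, example.test), serial numbers and helper functions are constructed for this example.

```ruby
require 'openssl'
require 'net/http'

# Added example, not the coinbase gem's code. Every certificate here is generated
# on the fly; 'Old Root CA' / 'New Root CA' are stand-ins for the real roots.

# Build an X.509 v3 certificate. issuer_cert = nil makes it self-signed.
def new_cert(subject, issuer_cert, issuer_key, key, serial, ca:, san: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                                   # v3, required for extensions
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer_cert || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage',
                                         ca ? 'keyCertSign,cRLSign' : 'digitalSignature,keyEncipherment', true))
  cert.add_extension(ef.create_extension('subjectAltName', "DNS:#{san}", false)) if san
  cert.sign(issuer_key, OpenSSL::Digest::SHA256.new)
  cert
end

def make_root(name, serial)
  key = OpenSSL::PKey::RSA.new(2048)
  [new_cert("/O=Test/CN=#{name}", nil, key, key, serial, ca: true), key]
end

def issue_server_cert(root_cert, root_key, host, serial)
  key = OpenSSL::PKey::RSA.new(2048)
  new_cert("/O=Test/CN=#{host}", root_cert, root_key, key, serial, ca: false, san: host)
end

# Verify a server certificate against a PEM bundle (the contents of a CA file),
# the check OpenSSL performs when ssl_ca_file is set. Returns [true, nil] on
# success or [false, reason] on failure.
def verify_against_bundle(bundle_pem, leaf, host)
  store = OpenSSL::X509::Store.new
  bundle_pem.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
            .each { |pem| store.add_cert(OpenSSL::X509::Certificate.new(pem)) }
  ctx = OpenSSL::X509::StoreContext.new(store, leaf, [])
  return [false, ctx.error_string] unless ctx.verify
  # Chain trusted; the name must still match (curl's "subjectAltName: ... matched").
  return [false, 'hostname mismatch'] unless OpenSSL::SSL.verify_certificate_identity(leaf, host)
  [true, nil]
end

# Client configuration that pins a CA bundle and keeps peer verification on.
# Setting verify_mode to VERIFY_NONE instead accepts any certificate, including
# one presented by a man-in-the-middle, without any error.
def build_client(host, ca_file)
  http = Net::HTTP.new(host, 443)
  http.use_ssl = true
  http.ca_file = ca_file
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http
end

# Reproduce the thread's situation: the bundle holds the old root, the server
# now presents a certificate chaining to a different root.
def stale_bundle_scenario
  old_root, _old_key = make_root('Old Root CA', 1)
  new_root, new_key = make_root('New Root CA', 2)
  server = issue_server_cert(new_root, new_key, 'example.test', 3)
  {
    stale:      verify_against_bundle(old_root.to_pem, server, 'example.test'),
    fresh:      verify_against_bundle(new_root.to_pem, server, 'example.test'),
    wrong_host: verify_against_bundle(new_root.to_pem, server, 'other.test')
  }
end

if __FILE__ == $0
  stale_bundle_scenario.each do |name, (ok, why)|
    puts "#{name}: #{ok ? 'verify ok' : "verify failed: #{why}"}"
  end
end
```

The stale case fails with OpenSSL's "unable to get local issuer certificate", which is what Ruby surfaces as the "certificate verify failed" SSLError in the first post. The practical check before shipping a pinned CA file is therefore the one kyledrake ran with curl: does the bundle contain the root (or intermediate) the server's current chain actually terminates in.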

@sibblegp

You dastardly fools! You've foiled my plan to steal all of teh bitcoinz! And I would have gotten away with it too, if it weren't for you meddling developers!

/sorry, had to

@kyledrake

@sibblegp Are you seeing a similar problem with the python library? I can't get cURL to fail verification, which is strange to me.

@sibblegp

I haven't tried it yet and won't have time for a few days. My guess is yes. The Cloudflare theory is sound.

@lian
Collaborator

we changed from digicert to globalsign and missed updating the rubygem. thanks for noticing!

issue resolved in current master now.

@lian lian closed this
@kyledrake kyledrake referenced this issue in sibblegp/coinbase_python: New certs #1 (Merged)

@lian
Collaborator

@Swizec btw, if you comment out the ssl_ca_file and your ruby doesn't know about your system's CA certs, or the system ones are bad, then MITM is possible and ruby gives you no hint/error.

@kyledrake kyledrake referenced this issue in hostvpn/whmcs-coinbase-bitcoin: Update ca-coinbase.crt #1 (Merged)

@lian
Collaborator

@kyledrake awesome job pushing it to libs in other languages. thank you very much!

@kyledrake

I sent pull requests for a few other coinbase libraries using the old certs, see my news feed to see them all.

@kyledrake

@lian NP, see you tomorrow. :smiley:

@barmstrong
Owner

Nice work guys :)
