
Verify the SSL certificate for https://rubygems.org/ #4095

Closed
Torxed opened this Issue May 27, 2013 · 9 comments


Torxed commented May 27, 2013

The following should produce the desired installation process:

[git@host gitlab]$ bundle install --deployment --without development test mysql

Instead I get this:

Fetching source index from https://rubygems.org/
Could not verify the SSL certificate for https://rubygems.org/.
There is a chance you are experiencing a man-in-the-middle attack, but most likely
your system doesn't have the CA certificates needed for verification.
For information about OpenSSL certificates, see bit.ly/ruby-ssl.
To connect without using SSL, edit your Gemfile sources and change 'https' to 'http'.

Editing config/Gemfile and changing from https:// to http:// works as a temporary fix, but perhaps someone could shed some light on this or fix this?
(wrong forum, but) I've never liked Ruby and am only forced to install it due to this lovely project. Hence I have no clue in which direction to go about addressing this Ruby issue, but this felt like a good start.

Torxed commented May 27, 2013

Without being able to try much on my current development environment, it might be that the proxy (which in normal use cases lets SSL traffic straight through without doing anything to it) tries to replace the SSL certificate with a local certificate in order to parse the data being sent and verify the contents.

This, in turn, results in a "bad" certificate which the setup scripts can't take into consideration (for instance, by setting a flag if a proxy is in place, or even doing a sanity check on it and then ignoring the certificate validity, even though that would go against the norm of why certificates were enforced in the first place).

Couldn't find this information anywhere, but a little bit of digging got me to this conclusion. Perhaps it's useful for someone else ending up in the same seat, or someone could report a more permanent fix for this issue (people behind proxies)?
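Added example (not from this thread or GitLab's code) illustrating the proxy hypothesis above: a constructed private "proxy CA" re-signs a certificate for rubygems.org, OpenSSL rejects it against a trust store that lacks that CA with the kind of verification failure behind the error quoted in the report, and accepts it once the proxy's CA is trusted. All names and keys are generated in-process; on a real machine the remedy is to add the proxy's CA to the trusted bundle (OpenSSL honours the SSL_CERT_FILE environment variable for this) rather than switching the Gemfile source to http.

```ruby
require 'openssl'

# Issue an X.509 certificate. With no issuer_cert the cert is self-signed (a CA root).
def make_cert(subject, key, issuer_cert: nil, issuer_key: nil, ca: false, serial: 1)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Constructed sample data: an intercepting proxy's private CA and the
# rubygems.org certificate it would mint on the fly for the client.
PROXY_KEY = OpenSSL::PKey::RSA.new(2048)
PROXY_CA  = make_cert('/CN=Corporate Proxy CA', PROXY_KEY, ca: true, serial: 1)
LEAF_KEY  = OpenSSL::PKey::RSA.new(2048)
LEAF      = make_cert('/CN=rubygems.org', LEAF_KEY,
                      issuer_cert: PROXY_CA, issuer_key: PROXY_KEY, serial: 2)

# Who signed the certificate the client actually received: a public CA name
# means the connection is genuine, a company or appliance name means a proxy
# is re-signing the traffic.
def issuer_of(cert)
  cert.issuer.to_s
end

# Verify a leaf against a set of trusted CAs, as OpenSSL does inside Bundler.
# Returns [ok, reason] so the cause of a failure stays visible.
def verify_chain(leaf, trusted_cas)
  store = OpenSSL::X509::Store.new
  trusted_cas.each { |ca| store.add_cert(ca) }
  ok = store.verify(leaf)
  [ok, ok ? 'ok' : store.error_string]
end

if __FILE__ == $PROGRAM_NAME
  puts "issuer: #{issuer_of(LEAF)}"
  puts "public roots only:     #{verify_chain(LEAF, []).inspect}"
  puts "proxy CA also trusted: #{verify_chain(LEAF, [PROXY_CA]).inspect}"
end
```

Running issuer_of over the certificate a real connection presents tells you whether a proxy sits in the path before you touch the Gemfile.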

Contributor

senny commented May 28, 2013

@randx is there a specific reason we use https? I've seen several reports that it is causing issues.

Torxed commented May 28, 2013

I would consider signed packages instead and have a signed hash-sum of all the files that are downloaded. That way you get the (most likely) intended security of SSL, but you don't have to worry about MITM attacks even without SSL, because the packages themselves are signed and content-hashed.

Owner

dzaporozhets commented May 29, 2013

@senny I guess it was a temporary SSL problem with rubygems.
Since the error description is pretty clean and you can always handle this case, I recommend leaving the Gemfile as is.

Contributor

senny commented May 29, 2013

@Torxed can you confirm that this was a temporary problem? Does it work now?

Torxed commented May 29, 2013

@randx Wouldn't it be easier (for someone who's not familiar with crypto messages etc) to have an option to download from a second non-https link (same link, just not SSL)?

@senny Not at the moment, I won't have access to the environment until Monday or somewhere around that time.
The problem will most likely still be there though, since it's a proxy-related issue and the SSL will always come out as "malicious" to the client.

Contributor

bbodenmiller commented Jun 14, 2013

Does this issue still exist on the latest master? Thanks for the issue report. Please reformat your issue to conform to the issue tracker guidelines found in our contributing guidelines.

Torxed commented Jun 15, 2013

Don't know, and I can't verify either because of the one-time install I did in a test environment :/

Contributor

bbodenmiller commented Jun 18, 2013

@Torxed please open a new issue once you can provide reproduction steps.

dzaporozhets added a commit that referenced this issue Mar 3, 2016

Merge branch 'issue_4095' into 'master'
Don't show Issues/MRs from archived projects in Groups view

Fixes #4095

See merge request !2980

Commit 7e710ac