
Add HTTPClient::SSLConfig#set_default_paths

Make an HTTPClient instance use OpenSSL's default trusted CA
certificates.  Close #89.
1 parent 78db8db commit 7e836443cd06df2b5c81eeadad7145e7d73394dc @nahi committed May 6, 2012
Showing with 92 additions and 19 deletions.
  1. +18 −0 lib/httpclient/ssl_config.rb
  2. +44 −0 test/ca-chain.cert
  3. +18 −0 test/helper.rb
  4. +0 −18 test/test_httpclient.rb
  5. +12 −1 test/test_ssl.rb
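--- a/lib/httpclient/ssl_config.rb
+++ b/lib/httpclient/ssl_config.rb
@@ -117,6 +117,24 @@ def set_client_cert_file(cert_file, key_file)
 change_notify
 end
+ # Sets OpenSSL's default trusted CA certificates. Generally, OpenSSL is
+ # configured to use OS's trusted CA certificates located at
+ # /etc/pki/certs or /etc/ssl/certs. Unfortunately OpenSSL's Windows build
+ # does not work with Windows Certificate Storage.
+ #
+ # On Windows or when you build OpenSSL manually, you can set the
+ # CA certificates directory by SSL_CERT_DIR env variable at runtime.
+ #
+ # SSL_CERT_DIR=/etc/ssl/certs ruby -rhttpclient -e "..."
+ #
+ # Calling this method resets all existing sessions.
+ def set_default_paths
+ @cacerts_loaded = true # avoid lazy override
+ @cert_store = X509::Store.new
+ @cert_store.set_default_paths
+ change_notify
+ end
+
 # Drops current certificate store (OpenSSL::X509::Store) for SSL and create
 # new one for the next session.
 #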
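Review bot: `set_default_paths` assigns a brand-new `X509::Store` to `@cert_store`, so any CA certificates or CRLs added to the previous store are discarded, and the doc comment does not say so (the methods that add them are outside this hunk, so this is inferred from the assignment). The comment should state it, e.g. `# Replaces the current certificate store; CA certificates and CRLs added earlier are discarded.` It also names only SSL_CERT_DIR, while the test added in this commit relies on SSL_CERT_FILE. Both are read from the process environment, so whoever controls the environment chooses the trust anchors; a line such as `# SSL_CERT_FILE and SSL_CERT_DIR are honoured; call this only where the process environment is trusted.` would make that explicit.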
44 test/ca-chain.cert
@@ -0,0 +1,44 @@
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----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+-----END CERTIFICATE-----
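--- a/test/helper.rb
+++ b/test/helper.rb
@@ -105,4 +105,22 @@ def start_server_thread(server)
 def params(str)
 HTTP::Message.parse(str).inject({}) { |r, (k, v)| r[k] = v.first; r }
 end
+
+ def silent
+ begin
+ back, $VERBOSE = $VERBOSE, nil
+ yield
+ ensure
+ $VERBOSE = back
+ end
+ end
+
+ def escape_env
+ env = {}
+ env.update(ENV)
+ yield
+ ensure
+ ENV.clear
+ ENV.update(env)
+ end
 end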
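Review bot: `silent` wraps its whole body in an explicit `begin`/`ensure`/`end`, while `escape_env` directly below uses the method-level `ensure`; dropping the redundant `begin` would make the two helpers consistent. `escape_env` could also snapshot with `env = ENV.to_hash` and restore with `ENV.replace(env)` instead of the clear-then-update pair. Both helpers swap process-wide state (`$VERBOSE`, `ENV`) for the duration of the block, and this file also starts server threads, so a short comment such as `# Not thread-safe: replaces process-wide ENV until the block returns.` would help the next reader. The enclosing module starts outside the hunk.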
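--- a/test/test_httpclient.rb
+++ b/test/test_httpclient.rb
@@ -1419,15 +1419,6 @@ def test_charset
 private
- def silent
- begin
- back, $VERBOSE = $VERBOSE, nil
- yield
- ensure
- $VERBOSE = back
- end
- end
-
 def check_query_get(query)
 WEBrick::HTTPUtils.parse_query(
 @client.get(serverurl + 'servlet', query).header["x-query"][0]
@@ -1459,15 +1450,6 @@ def setup_server
 @server_thread = start_server_thread(@server)
 end
- def escape_env
- env = {}
- env.update(ENV)
- yield
- ensure
- ENV.clear
- ENV.update(env)
- end
-
 def escape_noproxy
 backup = HTTPClient::NO_PROXY_HOSTS.dup
 HTTPClient::NO_PROXY_HOSTS.clear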
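--- a/test/test_ssl.rb
+++ b/test/test_ssl.rb
@@ -27,7 +27,7 @@ def path(filename)
 def test_options
 cfg = @client.ssl_config
- assert_nil(cfg.client_cert)
+ assert_nil(cfg.dlient_cert)
 assert_nil(cfg.client_key)
 assert_nil(cfg.client_ca)
 assert_equal(OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT, cfg.verify_mode)
@@ -155,6 +155,17 @@ def test_ciphers
 assert_equal("hello", @client.get_content(@url))
 end
+ def test_set_default_paths
+ assert_raise(OpenSSL::SSL::SSLError) do
+ @client.get(@url)
+ end
+ escape_env do
+ ENV['SSL_CERT_FILE'] = File.join(DIR, 'ca-chain.cert')
+ @client.ssl_config.set_default_paths
+ @client.get(@url)
+ end
+ end
+
 private
 def cert(filename)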
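Review bot: In the first hunk, `test_options` now calls `cfg.dlient_cert`, which looks like a typo for `client_cert`: the neighbouring assertions read `client_key` and `client_ca`, and nothing in this commit defines `dlient_cert`. As written the call would presumably raise NoMethodError and fail the test, so the line should stay `assert_nil(cfg.client_cert)`. In the second hunk, the final `@client.get(@url)` in `test_set_default_paths` passes only by not raising. Asserting on the body, as `test_ciphers` does with `assert_equal("hello", @client.get_content(@url))`, would pin that the connection verified against `ca-chain.cert` actually returns content.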
