Puma verify_mode default, difference in 3.4 /3.5 #1028
Comments
Sorry about that! #968 incorrectly set the default to VERIFY_PEER, which is a really bad default for a server since most users are NOT using client certs (which is what this controls).
This didn't seem to fix the issue. The change to the dsl.rb file is what is causing this issue.

```ruby
bind "ssl://#{host}:#{port}?cert=#{opts[:cert]}&key=#{opts[:key]}&verify_mode=#{opts[:verify_mode] || 'peer'}"
```

Well I guess both changes in that pull request are making the problem
@evanphx the issue is still there:

```
Puma starting in cluster mode...
* Version 3.6.0 (ruby 2.3.1-p112), codename: Sleepy Sunday Serenity
* Min threads: 1, max threads: 6
* Environment: production
* Process workers: 1
* Phased restart available
ERROR: Please specify the SSL ca via 'ca='
exited with code 1
```

with

```ruby
ssl_bind '0.0.0.0', '9292', {
  key: "#{app_dir}/config/certs/server.key",
  cert: "#{app_dir}/config/certs/server.crt"
}
```

But there's NO issue with the ugly

```ruby
bind "ssl://0.0.0.0:9292\
?key=#{app_dir}/config/certs/server.key\
&cert=#{app_dir}/config/certs/server.crt"
```
@itsNikolay

If you need a workaround for this issue, manually set

```ruby
ssl_bind '0.0.0.0', '9292', {
  key: "#{app_dir}/config/certs/server.key",
  cert: "#{app_dir}/config/certs/server.crt",
  verify_mode: 'none'
}
```
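Added example, not code from this thread or from Puma: a small Ruby check that rebuilds the bind string the way the quoted dsl.rb line does and reports when a listener would ask clients for a certificate without a `ca` to verify them against. The helper names, the `default_mode` parameter and the `/app/...` paths are assumptions made for the illustration.

```ruby
require 'uri'

# Assemble a bind string the way the dsl.rb line quoted in this thread does.
# default_mode is a parameter added for this example so both defaults can be compared.
def ssl_bind_uri(host, port, opts, default_mode)
  mode = opts[:verify_mode] || default_mode
  bind = "ssl://#{host}:#{port}?cert=#{opts[:cert]}&key=#{opts[:key]}&verify_mode=#{mode}"
  bind += "&ca=#{opts[:ca]}" if opts[:ca]
  bind
end

# Check one ssl:// bind string and report what it asks of connecting clients.
def audit_ssl_bind(bind)
  uri = URI.parse(bind)
  raise ArgumentError, "not an ssl:// bind: #{bind}" unless uri.scheme == 'ssl'

  params = URI.decode_www_form(uri.query.to_s).to_h
  # Assumption: a bind with no verify_mode is treated as 'none', matching the
  # raw bind string that the thread reports as starting without a ca.
  mode = params.fetch('verify_mode', 'none')

  errors = []
  errors << 'key= is missing' if params['key'].to_s.empty?
  errors << 'cert= is missing' if params['cert'].to_s.empty?
  # Any mode other than 'none' requests a client certificate, so the listener
  # needs a CA to check that certificate against.
  if mode != 'none' && params['ca'].to_s.empty?
    errors << "Please specify the SSL ca via 'ca='"
  end

  { verify_mode: mode, wants_client_cert: mode != 'none', errors: errors }
end

# Constructed sample options; the paths are placeholders.
OPTS = { key: '/app/config/certs/server.key',
         cert: '/app/config/certs/server.crt' }.freeze

if __FILE__ == $PROGRAM_NAME
  { 'default peer' => 'peer', 'default none' => 'none' }.each do |label, default_mode|
    result = audit_ssl_bind(ssl_bind_uri('0.0.0.0', '9292', OPTS, default_mode))
    puts "#{label}: #{result}"
  end
end
```

Running the same audit over every `ssl://` bind in a deployment's config shows which listeners request client certificates and whether each of those names a `ca`.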
So when upgrading to 3.5.1 (from 3.4), when I specify my own SSL key and cert options, it looks like it now requires an SSL ca option too.... I'm getting this error
ERROR: Please specify the SSL ca via 'ca='
It looks like this is the change that makes this happen. #968
So my question is, what was it using for a CA before?
I had the assumption it was just looking at the OS for its CA (in my case CentOS 7.2)
Basically, should the example config.rb be updated to show ca is now a required parameter, unless the dev specifically set verify_mode=none? From the config.rb current example file is
So now it really defaults to having verify_mode=peer when you set ssl_bind.
Which requires a ca: path_to_ca
So the example could be one of the following
or