
Puma verify_mode default, difference in 3.4 /3.5 #1028

Closed
matobinder opened this issue Jul 23, 2016 · 5 comments

Comments

@matobinder

matobinder commented Jul 23, 2016

So when upgrading to 3.5.1 (from 3.4), when I specify my own SSL key and cert options, it looks like it now requires an SSL ca option too.... I'm getting this error

ERROR: Please specify the SSL ca via 'ca='

It looks like this is the change that makes this happen. #968

So my question is, what was it using for a CA before?
I had the assumption it was just looking at the OS for its CA (in my case CentOS 7.2)

Basically, should the example config.rb be updated to show that ca is now a required parameter, unless the dev specifically sets verify_mode=none? The current example from config.rb is

ssl_bind '127.0.0.1', '9292', {
  key: path_to_key,
  cert: path_to_cert
}

So now it really defaults to verify_mode=peer when you set ssl_bind, which requires a ca: path_to_ca.

So the example could be one of the following

ssl_bind '127.0.0.1', '9292', {
  key: path_to_key,
  cert: path_to_cert,
  verify_mode: 'none'       # disable the default
}

or

ssl_bind '127.0.0.1', '9292', {
  key: path_to_key,
  cert: path_to_cert,
  ca: path_to_ca            # give a ca file since verify_mode: 'peer' is the default
}
@evanphx
Member

evanphx commented Jul 24, 2016

Sorry about that! #968 incorrectly set the default to VERIFY_PEER, which is a really bad default for a server since most users are NOT using client certs (which is what this controls).

@matobinder
Author

This didn't seem to fix the issue. The change to the dsl.rb file is what is causing this issue.

bind "ssl://#{host}:#{port}?cert=#{opts[:cert]}&key=#{opts[:key]}&verify_mode=#{opts[:verify_mode] || 'peer'}"

Well, I guess both changes in that pull request are causing the problem.

@itsNikolay

@evanphx the issue is still there:

Puma starting in cluster mode...
* Version 3.6.0 (ruby 2.3.1-p112), codename: Sleepy Sunday Serenity
* Min threads: 1, max threads: 6
* Environment: production
* Process workers: 1
* Phased restart available
ERROR: Please specify the SSL ca via 'ca='
exited with code 1

with ssl_bind:

ssl_bind '0.0.0.0', '9292', {
  key:  "#{app_dir}/config/certs/server.key",
  cert: "#{app_dir}/config/certs/server.crt"
}

But there's NO issue with the ugly bind:

bind "ssl://0.0.0.0:9292\
?key=#{app_dir}/config/certs/server.key\
&cert=#{app_dir}/config/certs/server.crt"

@edwardmp

edwardmp commented Oct 26, 2016

@itsNikolay
Seeing exactly the same issue here. No trouble with ugly syntax, but with ssl_bind the issue does occur.

@gitjake

gitjake commented Nov 20, 2016

If you need a workaround for this issue, manually set verify_mode: 'none'

ssl_bind '0.0.0.0', '9292', {
  key:  "#{app_dir}/config/certs/server.key",
  cert: "#{app_dir}/config/certs/server.crt",
  verify_mode: 'none'
}
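The dsl.rb line quoted earlier (bind "ssl://#{host}:#{port}?cert=...&key=...&verify_mode=#{opts[:verify_mode] || 'peer'}") and the verify_mode: 'none' workaround above both come down to one question: which verify_mode does ssl_bind end up with, and does that mode need a ca. The following is an added example, not Puma's own code. It mirrors the shape of that DSL line but applies the default the maintainer says it should have had ('none'), and it raises the "Please specify the SSL ca via 'ca='" condition as an explicit error when a peer-verifying mode is chosen without a CA. The helper names (ssl_bind_uri, openssl_verify_flags, SslConfigError) and the certificate paths are assumptions made for the example; the mode-to-flag mapping uses the standard OpenSSL constants.

```ruby
require 'openssl'

# Mode names as used in the thread, mapped to the OpenSSL server-side flags.
# 'peer' asks the client for a certificate and validates it against the CA;
# 'force_peer' additionally rejects clients that present none; 'none' does
# no client-certificate checking at all (the usual case for a public server).
VERIFY_MODES = {
  'none'       => OpenSSL::SSL::VERIFY_NONE,
  'peer'       => OpenSSL::SSL::VERIFY_PEER,
  'force_peer' => OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT,
}.freeze

# Hypothetical error class for configuration mistakes (example only).
class SslConfigError < StandardError; end

# Build the ssl:// bind URI from ssl_bind-style options, the way the DSL
# line in the thread does, but defaulting verify_mode to 'none'.
# Query values are interpolated unescaped, exactly as the quoted DSL does.
def ssl_bind_uri(host, port, opts)
  raise SslConfigError, "key= and cert= are required" unless opts[:key] && opts[:cert]

  mode = (opts[:verify_mode] || 'none').to_s
  raise SslConfigError, "unknown verify_mode #{mode.inspect}" unless VERIFY_MODES.key?(mode)

  # A CA bundle is only meaningful (and only required) when client
  # certificates are actually verified; this is the check that produced the
  # startup error in the thread once 'peer' became the default.
  if mode != 'none' && !opts[:ca]
    raise SslConfigError, "Please specify the SSL ca via 'ca='"
  end

  query = "cert=#{opts[:cert]}&key=#{opts[:key]}&verify_mode=#{mode}"
  query += "&ca=#{opts[:ca]}" if opts[:ca]
  "ssl://#{host}:#{port}?#{query}"
end

# Translate a mode name into the flag value an OpenSSL server context uses.
def openssl_verify_flags(mode)
  VERIFY_MODES.fetch(mode.to_s)
end

if $PROGRAM_NAME == __FILE__
  # Constructed paths; nothing is read from disk.
  puts ssl_bind_uri('0.0.0.0', '9292',
                    key: '/etc/puma/server.key', cert: '/etc/puma/server.crt')
  puts ssl_bind_uri('0.0.0.0', '9292',
                    key: '/etc/puma/server.key', cert: '/etc/puma/server.crt',
                    verify_mode: 'force_peer', ca: '/etc/puma/client-ca.crt')
end
```

With no verify_mode given the URI carries verify_mode=none and no ca, which is what the example config.rb in the first comment silently relied on; asking for 'peer' or 'force_peer' without ca fails at configuration time with the same message the thread reports at startup.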
