Can no longer pass file contents as ca_file property with OpenSSL 3 #649
Comments
|
Yes, Net::HTTP#ca_file (OpenSSL::SSL::SSLContext#ca_file) wants the path to the file. I don't think setting the file contents to the attribute ever worked. With OpenSSL 1.1.1, it is simply ignored with a verbose-mode warning: openssl/ext/openssl/ossl_ssl.c Lines 882 to 892 in 97fb410 The behavior difference was not intentional, but I think the OpenSSL <= 1.1.1 code should've also raised an exception since this is clearly an error case. |
|
ahhhhhh, ok that makes a lot more sense 😄 . Thanks for investigating 🙇 |
|
Reopening because the OpenSSL <= 1.1.1 code should be fixed. |
rhenium
added a commit
to rhenium/ruby-openssl
that referenced
this issue
Aug 10, 2023
When compiled with OpenSSL <= 1.1.1, OpenSSL::SSL::SSLContext#setup does not raise an exception on an error return from SSL_CTX_load_verify_locations(), but instead only prints a verbose-mode warning. This is not helpful since it very likely indicates an actual error, such as the specified file not being readable. Also, OpenSSL's error queue is not correctly cleared: $ ruby -w -ropenssl -e'OpenSSL.debug=true; ctx=OpenSSL::SSL::SSLContext.new; ctx.ca_file="bad-path"; ctx.setup; pp OpenSSL.errors' -e:1: warning: can't set verify locations ["error:02001002:system library:fopen:No such file or directory", "error:2006D080:BIO routines:BIO_new_file:no such file", "error:0B084002:x509 certificate routines:X509_load_cert_crl_file: system lib"] The behavior is currently different when compiled with OpenSSL >= 3.0: SSLError is raised if SSL_CTX_load_verify_file() or SSL_CTX_load_verify_dir() fails. This inconsistency was unintentionally introduced by commit 5375a55 ("ssl: use SSL_CTX_load_verify_{file,dir}() if available", 2020-02-22). However, raising SSLError seems more appropriate in this situation. Let's adjust the OpenSSL <= 1.1.1 code so that it behaves the same way as the OpenSSL >= 3.0 code currently does. Fixes: ruby#649
matzbot
pushed a commit
to ruby/ruby
that referenced
this issue
Aug 16, 2023
When compiled with OpenSSL <= 1.1.1, OpenSSL::SSL::SSLContext#setup does not raise an exception on an error return from SSL_CTX_load_verify_locations(), but instead only prints a verbose-mode warning. This is not helpful since it very likely indicates an actual error, such as the specified file not being readable. Also, OpenSSL's error queue is not correctly cleared: $ ruby -w -ropenssl -e'OpenSSL.debug=true; ctx=OpenSSL::SSL::SSLContext.new; ctx.ca_file="bad-path"; ctx.setup; pp OpenSSL.errors' -e:1: warning: can't set verify locations ["error:02001002:system library:fopen:No such file or directory", "error:2006D080:BIO routines:BIO_new_file:no such file", "error:0B084002:x509 certificate routines:X509_load_cert_crl_file: system lib"] The behavior is currently different when compiled with OpenSSL >= 3.0: SSLError is raised if SSL_CTX_load_verify_file() or SSL_CTX_load_verify_dir() fails. This inconsistency was unintentionally introduced by commit ruby/openssl@5375a55ffc35 ("ssl: use SSL_CTX_load_verify_{file,dir}() if available", 2020-02-22). However, raising SSLError seems more appropriate in this situation. Let's adjust the OpenSSL <= 1.1.1 code so that it behaves the same way as the OpenSSL >= 3.0 code currently does. Fixes: ruby/openssl#649 ruby/openssl@7eb10f7b75
anakinj
pushed a commit
to anakinj/openssl
that referenced
this issue
Feb 17, 2024
When compiled with OpenSSL <= 1.1.1, OpenSSL::SSL::SSLContext#setup does not raise an exception on an error return from SSL_CTX_load_verify_locations(), but instead only prints a verbose-mode warning. This is not helpful since it very likely indicates an actual error, such as the specified file not being readable. Also, OpenSSL's error queue is not correctly cleared: $ ruby -w -ropenssl -e'OpenSSL.debug=true; ctx=OpenSSL::SSL::SSLContext.new; ctx.ca_file="bad-path"; ctx.setup; pp OpenSSL.errors' -e:1: warning: can't set verify locations ["error:02001002:system library:fopen:No such file or directory", "error:2006D080:BIO routines:BIO_new_file:no such file", "error:0B084002:x509 certificate routines:X509_load_cert_crl_file: system lib"] The behavior is currently different when compiled with OpenSSL >= 3.0: SSLError is raised if SSL_CTX_load_verify_file() or SSL_CTX_load_verify_dir() fails. This inconsistency was unintentionally introduced by commit 5375a55 ("ssl: use SSL_CTX_load_verify_{file,dir}() if available", 2020-02-22). However, raising SSLError seems more appropriate in this situation. Let's adjust the OpenSSL <= 1.1.1 code so that it behaves the same way as the OpenSSL >= 3.0 code currently does. Fixes: ruby#649
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hi, I have some code that was retrieving the string contents of a certificate from a database (so
"-----BEGIN CERTIFICATE...") and setting it to theca_fileproperty with OpenSSL. This works for OpenSSL 1.1.1, but on OpenSSL 3.0.9 raisesSSL_CTX_load_verify_file: system lib (OpenSSL::SSL::SSLError). From what I've read I'm guessing this might have always been unsupported behaviour with OpenSSL 1.1.1, but I was wondering if this was an intentional breaking change, or if there is an alternative way to pass the contents of a certificate to OpenSSL.I have a set of minimal reproduction steps based of the wget sample below:
OpenSSL 1.1.1
OpenSSL 3.0.9
full stacktrace
The text was updated successfully, but these errors were encountered: