
Insecure connection to SSL repository

Fixes 2 SSL usage problems of RemoteFetcher.
- No verification
- Follows HTTPS -> HTTP redirection

For the first problem, RemoteFetcher must use OpenSSL::SSL::VERIFY_PEER
instead of VERIFY_NONE.  And to enable SSL verification of
RemoteFetcher, we need to make the trusted CA configurable.  This commit
adds :ssl_verify_mode and :ssl_ca_cert to Gem::ConfigFile (normally
.gemrc).  Both configurations are treated as the same options in open-uri.

When :ssl_ca_cert is set, only the given path is treated as the trusted
CA certificate(s).  If it's not set, OpenSSL's default store (sometimes
configured as /etc/ssl/certs by the system) *AND*
lib/rubygems/ssl_certs/*.pem are trusted.  lib/rubygems/ssl_certs/*.pem
are shipped to make sure all RubyGems clients can successfully access
https://rubygems.org/.

At this moment, RubyGems.org uses 3 SSL servers (https://rubygems.org/,
https://s3.amazon.com/, and https://d2chzxaqi4y7f8.cloudfront.net/) and
each SSL certificate needs a different root CA certificate.  So the
lib/rubygems/ssl_certs/ directory has 3 CA certificates in it.

For the second problem, this patch lets RemoteFetcher raise
RemoteFetcher::FetchError if a server returns an HTTPS -> HTTP redirection.
Other types of redirection, HTTP -> HTTP, HTTPS -> HTTPS and HTTP ->
HTTPS, are allowed as before, like open-uri.rb.

The second issue is rather harmless because RemoteFetcher does not send
Cookie or Referer to the server (those resources for an HTTPS site must
not be sent to an HTTP site).  However, by following an HTTPS -> HTTP
redirection, an attacker can inject malicious gem contents into the
environment of a user who expected a secure content download from an
HTTPS site by using an HTTPS repository.
commit c7d6c6efd2a9e813eb538d805a6f5780437d7006 1 parent b00a56b
Hiroshi Nakamura authored March 13, 2012 evanphx committed April 16, 2012
12  lib/rubygems/config_file.rb
@@ -131,6 +131,16 @@ class Gem::ConfigFile
131 131
   attr_reader :api_keys
132 132
 
133 133
   ##
  134
+  # openssl verify mode value, used for remote https connection
  135
+
  136
+  attr_reader :ssl_verify_mode
  137
+
  138
+  ##
  139
+  # Path name of directory or file of openssl CA certificate, used for remote https connection
  140
+
  141
+  attr_reader :ssl_ca_cert
  142
+
  143
+  ##
134 144
   # Create the config file object.  +args+ is the list of arguments
135 145
   # from the command line.
136 146
   #
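Review bot: The doc comments on ssl_verify_mode and ssl_ca_cert do not say which values are accepted. The value of ssl_verify_mode is assigned directly to connection.verify_mode, so the comment should state that it is the integer value of an OpenSSL::SSL::VERIFY_* constant and that 0 turns certificate verification off. The ssl_ca_cert comment should say that setting it replaces the default store and the bundled ssl_certs/*.pem rather than adding to them.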
@@ -192,6 +202,8 @@ def initialize(arg_list)
192 202
     @path             = @hash[:gempath]          if @hash.key? :gempath
193 203
     @update_sources   = @hash[:update_sources]   if @hash.key? :update_sources
194 204
     @verbose          = @hash[:verbose]          if @hash.key? :verbose
  205
+    @ssl_verify_mode  = @hash[:ssl_verify_mode]  if @hash.key? :ssl_verify_mode
  206
+    @ssl_ca_cert      = @hash[:ssl_ca_cert]      if @hash.key? :ssl_ca_cert
195 207
 
196 208
     load_api_keys
197 209
 
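Review bot: @hash[:ssl_verify_mode] is stored in initialize without any type or range check, so a .gemrc value such as a string or an unexpected integer reaches connection.verify_mode unchanged. Consider accepting only the known OpenSSL::SSL::VERIFY_* integers here and printing a warning when the configured value is 0, since that disables verification for every HTTPS source without any visible sign.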
41  lib/rubygems/remote_fetcher.rb
@@ -210,6 +210,11 @@ def fetch_http uri, last_modified = nil, head = false, depth = 0
210 210
       raise FetchError.new('too many redirects', uri) if depth > 10
211 211
 
212 212
       location = URI.parse response['Location']
  213
+
  214
+      if https?(uri) && !https?(location)
  215
+        raise FetchError.new("redirecting to non-https resource: #{location}", uri)
  216
+      end
  217
+
213 218
       fetch_http(location, last_modified, head, depth + 1)
214 219
     else
215 220
       raise FetchError.new("bad response #{response.message} #{response.code}", uri)
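Review bot: The new https?(location) check raises NoMethodError when the Location header is a relative reference, because URI.parse then returns a URI whose scheme is nil and the https? helper added later in this patch calls uri.scheme.downcase. Resolve the header against the request URI before the check, or make https? nil-safe, so a relative redirect from an HTTPS source stays on HTTPS instead of failing with an unrelated error.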
@@ -313,18 +318,42 @@ def connection_for(uri)
313 318
     connection = @connections[connection_id]
314 319
 
315 320
     if uri.scheme == 'https' and not connection.started? then
316  
-      require 'net/https'
317  
-      connection.use_ssl = true
318  
-      connection.verify_mode = OpenSSL::SSL::VERIFY_NONE
  321
+      configure_connection_for_https(connection)
319 322
     end
320 323
 
321 324
     connection.start unless connection.started?
322 325
 
323 326
     connection
324  
-  rescue Errno::EHOSTDOWN => e
  327
+  rescue OpenSSL::SSL::SSLError, Errno::EHOSTDOWN => e
325 328
     raise FetchError.new(e.message, uri)
326 329
   end
327 330
 
  331
+  def configure_connection_for_https(connection)
  332
+    require 'net/https'
  333
+    connection.use_ssl = true
  334
+    connection.verify_mode =
  335
+      Gem.configuration.ssl_verify_mode || OpenSSL::SSL::VERIFY_PEER
  336
+    store = OpenSSL::X509::Store.new
  337
+    if Gem.configuration.ssl_ca_cert
  338
+      if File.directory? Gem.configuration.ssl_ca_cert
  339
+        store.add_path Gem.configuration.ssl_ca_cert
  340
+      else
  341
+        store.add_file Gem.configuration.ssl_ca_cert
  342
+      end
  343
+    else
  344
+      store.set_default_paths
  345
+      add_rubygems_trusted_certs(store)
  346
+    end
  347
+    connection.cert_store = store
  348
+  end
  349
+
  350
+  def add_rubygems_trusted_certs(store)
  351
+    pattern = File.expand_path("./ssl_certs/*.pem", File.dirname(__FILE__))
  352
+    Dir.glob(pattern).each do |ssl_cert_file|
  353
+      store.add_file ssl_cert_file
  354
+    end
  355
+  end
  356
+
328 357
   def correct_for_windows_path(path)
329 358
     if path[0].chr == '/' && path[1].chr =~ /[a-z]/i && path[2].chr == ':'
330 359
       path = path[1..-1]
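Review bot: The rescue clause in connection_for now names OpenSSL::SSL::SSLError, but require 'net/https' has moved into configure_connection_for_https and only runs for https URIs. When a plain http connection raises, Ruby evaluates the rescue list and hits an uninitialized constant on installs where OpenSSL has not been loaded or is not available. Guard the constant, for example by rescuing it only when defined?(OpenSSL::SSL) is true. Separately, store.add_file on a bad :ssl_ca_cert path raises OpenSSL::X509::StoreError, which this rescue does not convert to FetchError.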
@@ -465,5 +494,9 @@ def user_agent
465 494
     ua
466 495
   end
467 496
 
  497
+  def https?(uri)
  498
+    uri.scheme.downcase == 'https'
  499
+  end
  500
+
468 501
 end
469 502
 
90  lib/rubygems/ssl_certs/AddTrustExternalCARoot.pem
... ...
@@ -0,0 +1,90 @@
  1
+This CA certificate is for verifying HTTPS connection to;
  2
+  - https://rubygems.org/ (obtained by RubyGems team)
  3
+
  4
+Certificate:
  5
+    Data:
  6
+        Version: 3 (0x2)
  7
+        Serial Number: 1 (0x1)
  8
+    Signature Algorithm: sha1WithRSAEncryption
  9
+        Issuer: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
  10
+        Validity
  11
+            Not Before: May 30 10:48:38 2000 GMT
  12
+            Not After : May 30 10:48:38 2020 GMT
  13
+        Subject: C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root
  14
+        Subject Public Key Info:
  15
+            Public Key Algorithm: rsaEncryption
  16
+                Public-Key: (2048 bit)
  17
+                Modulus:
  18
+                    00:b7:f7:1a:33:e6:f2:00:04:2d:39:e0:4e:5b:ed:
  19
+                    1f:bc:6c:0f:cd:b5:fa:23:b6:ce:de:9b:11:33:97:
  20
+                    a4:29:4c:7d:93:9f:bd:4a:bc:93:ed:03:1a:e3:8f:
  21
+                    cf:e5:6d:50:5a:d6:97:29:94:5a:80:b0:49:7a:db:
  22
+                    2e:95:fd:b8:ca:bf:37:38:2d:1e:3e:91:41:ad:70:
  23
+                    56:c7:f0:4f:3f:e8:32:9e:74:ca:c8:90:54:e9:c6:
  24
+                    5f:0f:78:9d:9a:40:3c:0e:ac:61:aa:5e:14:8f:9e:
  25
+                    87:a1:6a:50:dc:d7:9a:4e:af:05:b3:a6:71:94:9c:
  26
+                    71:b3:50:60:0a:c7:13:9d:38:07:86:02:a8:e9:a8:
  27
+                    69:26:18:90:ab:4c:b0:4f:23:ab:3a:4f:84:d8:df:
  28
+                    ce:9f:e1:69:6f:bb:d7:42:d7:6b:44:e4:c7:ad:ee:
  29
+                    6d:41:5f:72:5a:71:08:37:b3:79:65:a4:59:a0:94:
  30
+                    37:f7:00:2f:0d:c2:92:72:da:d0:38:72:db:14:a8:
  31
+                    45:c4:5d:2a:7d:b7:b4:d6:c4:ee:ac:cd:13:44:b7:
  32
+                    c9:2b:dd:43:00:25:fa:61:b9:69:6a:58:23:11:b7:
  33
+                    a7:33:8f:56:75:59:f5:cd:29:d7:46:b7:0a:2b:65:
  34
+                    b6:d3:42:6f:15:b2:b8:7b:fb:ef:e9:5d:53:d5:34:
  35
+                    5a:27
  36
+                Exponent: 65537 (0x10001)
  37
+        X509v3 extensions:
  38
+            X509v3 Subject Key Identifier: 
  39
+                AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A
  40
+            X509v3 Key Usage: 
  41
+                Certificate Sign, CRL Sign
  42
+            X509v3 Basic Constraints: critical
  43
+                CA:TRUE
  44
+            X509v3 Authority Key Identifier: 
  45
+                keyid:AD:BD:98:7A:34:B4:26:F7:FA:C4:26:54:EF:03:BD:E0:24:CB:54:1A
  46
+                DirName:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
  47
+                serial:01
  48
+
  49
+    Signature Algorithm: sha1WithRSAEncryption
  50
+         b0:9b:e0:85:25:c2:d6:23:e2:0f:96:06:92:9d:41:98:9c:d9:
  51
+         84:79:81:d9:1e:5b:14:07:23:36:65:8f:b0:d8:77:bb:ac:41:
  52
+         6c:47:60:83:51:b0:f9:32:3d:e7:fc:f6:26:13:c7:80:16:a5:
  53
+         bf:5a:fc:87:cf:78:79:89:21:9a:e2:4c:07:0a:86:35:bc:f2:
  54
+         de:51:c4:d2:96:b7:dc:7e:4e:ee:70:fd:1c:39:eb:0c:02:51:
  55
+         14:2d:8e:bd:16:e0:c1:df:46:75:e7:24:ad:ec:f4:42:b4:85:
  56
+         93:70:10:67:ba:9d:06:35:4a:18:d3:2b:7a:cc:51:42:a1:7a:
  57
+         63:d1:e6:bb:a1:c5:2b:c2:36:be:13:0d:e6:bd:63:7e:79:7b:
  58
+         a7:09:0d:40:ab:6a:dd:8f:8a:c3:f6:f6:8c:1a:42:05:51:d4:
  59
+         45:f5:9f:a7:62:21:68:15:20:43:3c:99:e7:7c:bd:24:d8:a9:
  60
+         91:17:73:88:3f:56:1b:31:38:18:b4:71:0f:9a:cd:c8:0e:9e:
  61
+         8e:2e:1b:e1:8c:98:83:cb:1f:31:f1:44:4c:c6:04:73:49:76:
  62
+         60:0f:c7:f8:bd:17:80:6b:2e:e9:cc:4c:0e:5a:9a:79:0f:20:
  63
+         0a:2e:d5:9e:63:26:1e:55:92:94:d8:82:17:5a:7b:d0:bc:c7:
  64
+         8f:4e:86:04
  65
+
  66
+-----BEGIN CERTIFICATE-----
  67
+MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU
  68
+MBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFs
  69
+IFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290
  70
+MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0Ux
  71
+FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h
  72
+bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9v
  73
+dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvt
  74
+H7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9
  75
+uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzX
  76
+mk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+710LX
  77
+a0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzN
  78
+E0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0
  79
+WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYD
  80
+VR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0
  81
+Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRU
  82
+cnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsx
  83
+IjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3SCAQEwDQYJKoZIhvcN
  84
+AQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZlj7DYd7usQWxH
  85
+YINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5
  86
+6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvC
  87
+Nr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEX
  88
+c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a
  89
+mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ=
  90
+-----END CERTIFICATE-----
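Review bot: The header says this root is for verifying https://rubygems.org/, but add_rubygems_trusted_certs adds every file in ssl_certs/ to the single store used for all HTTPS connections, so this root is trusted for any host RemoteFetcher contacts whenever :ssl_ca_cert is unset. Either say so in the header, or scope the bundled roots to the hosts they are meant for.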
90  lib/rubygems/ssl_certs/Entrust_net-Secure-Server-Certification-Authority.pem
... ...
@@ -0,0 +1,90 @@
  1
+This CA certificate is for verifying HTTPS connection to;
  2
+  - https://d2chzxaqi4y7f8.cloudfront.net/ (prepared by AWS)
  3
+
  4
+Certificate:
  5
+    Data:
  6
+        Version: 3 (0x2)
  7
+        Serial Number: 927650371 (0x374ad243)
  8
+    Signature Algorithm: sha1WithRSAEncryption
  9
+        Issuer: C=US, O=Entrust.net, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Secure Server Certification Authority
  10
+        Validity
  11
+            Not Before: May 25 16:09:40 1999 GMT
  12
+            Not After : May 25 16:39:40 2019 GMT
  13
+        Subject: C=US, O=Entrust.net, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Secure Server Certification Authority
  14
+        Subject Public Key Info:
  15
+            Public Key Algorithm: rsaEncryption
  16
+                Public-Key: (1024 bit)
  17
+                Modulus:
  18
+                    00:cd:28:83:34:54:1b:89:f3:0f:af:37:91:31:ff:
  19
+                    af:31:60:c9:a8:e8:b2:10:68:ed:9f:e7:93:36:f1:
  20
+                    0a:64:bb:47:f5:04:17:3f:23:47:4d:c5:27:19:81:
  21
+                    26:0c:54:72:0d:88:2d:d9:1f:9a:12:9f:bc:b3:71:
  22
+                    d3:80:19:3f:47:66:7b:8c:35:28:d2:b9:0a:df:24:
  23
+                    da:9c:d6:50:79:81:7a:5a:d3:37:f7:c2:4a:d8:29:
  24
+                    92:26:64:d1:e4:98:6c:3a:00:8a:f5:34:9b:65:f8:
  25
+                    ed:e3:10:ff:fd:b8:49:58:dc:a0:de:82:39:6b:81:
  26
+                    b1:16:19:61:b9:54:b6:e6:43
  27
+                Exponent: 3 (0x3)
  28
+        X509v3 extensions:
  29
+            Netscape Cert Type: 
  30
+                SSL CA, S/MIME CA, Object Signing CA
  31
+            X509v3 CRL Distribution Points: 
  32
+
  33
+                Full Name:
  34
+                  DirName: C = US, O = Entrust.net, OU = www.entrust.net/CPS incorp. by ref. (limits liab.), OU = (c) 1999 Entrust.net Limited, CN = Entrust.net Secure Server Certification Authority, CN = CRL1
  35
+
  36
+                Full Name:
  37
+                  URI:http://www.entrust.net/CRL/net1.crl
  38
+
  39
+            X509v3 Private Key Usage Period: 
  40
+                Not Before: May 25 16:09:40 1999 GMT, Not After: May 25 16:09:40 2019 GMT
  41
+            X509v3 Key Usage: 
  42
+                Certificate Sign, CRL Sign
  43
+            X509v3 Authority Key Identifier: 
  44
+                keyid:F0:17:62:13:55:3D:B3:FF:0A:00:6B:FB:50:84:97:F3:ED:62:D0:1A
  45
+
  46
+            X509v3 Subject Key Identifier: 
  47
+                F0:17:62:13:55:3D:B3:FF:0A:00:6B:FB:50:84:97:F3:ED:62:D0:1A
  48
+            X509v3 Basic Constraints: 
  49
+                CA:TRUE
  50
+            1.2.840.113533.7.65.0: 
  51
+                0
  52
+..V4.0....
  53
+    Signature Algorithm: sha1WithRSAEncryption
  54
+         90:dc:30:02:fa:64:74:c2:a7:0a:a5:7c:21:8d:34:17:a8:fb:
  55
+         47:0e:ff:25:7c:8d:13:0a:fb:e4:98:b5:ef:8c:f8:c5:10:0d:
  56
+         f7:92:be:f1:c3:d5:d5:95:6a:04:bb:2c:ce:26:36:65:c8:31:
  57
+         c6:e7:ee:3f:e3:57:75:84:7a:11:ef:46:4f:18:f4:d3:98:bb:
  58
+         a8:87:32:ba:72:f6:3c:e2:3d:9f:d7:1d:d9:c3:60:43:8c:58:
  59
+         0e:22:96:2f:62:a3:2c:1f:ba:ad:05:ef:ab:32:78:87:a0:54:
  60
+         73:19:b5:5c:05:f9:52:3e:6d:2d:45:0b:f7:0a:93:ea:ed:06:
  61
+         f9:b2
  62
+
  63
+-----BEGIN CERTIFICATE-----
  64
+MIIE2DCCBEGgAwIBAgIEN0rSQzANBgkqhkiG9w0BAQUFADCBwzELMAkGA1UEBhMC
  65
+VVMxFDASBgNVBAoTC0VudHJ1c3QubmV0MTswOQYDVQQLEzJ3d3cuZW50cnVzdC5u
  66
+ZXQvQ1BTIGluY29ycC4gYnkgcmVmLiAobGltaXRzIGxpYWIuKTElMCMGA1UECxMc
  67
+KGMpIDE5OTkgRW50cnVzdC5uZXQgTGltaXRlZDE6MDgGA1UEAxMxRW50cnVzdC5u
  68
+ZXQgU2VjdXJlIFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05OTA1
  69
+MjUxNjA5NDBaFw0xOTA1MjUxNjM5NDBaMIHDMQswCQYDVQQGEwJVUzEUMBIGA1UE
  70
+ChMLRW50cnVzdC5uZXQxOzA5BgNVBAsTMnd3dy5lbnRydXN0Lm5ldC9DUFMgaW5j
  71
+b3JwLiBieSByZWYuIChsaW1pdHMgbGlhYi4pMSUwIwYDVQQLExwoYykgMTk5OSBF
  72
+bnRydXN0Lm5ldCBMaW1pdGVkMTowOAYDVQQDEzFFbnRydXN0Lm5ldCBTZWN1cmUg
  73
+U2VydmVyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGdMA0GCSqGSIb3DQEBAQUA
  74
+A4GLADCBhwKBgQDNKIM0VBuJ8w+vN5Ex/68xYMmo6LIQaO2f55M28Qpku0f1BBc/
  75
+I0dNxScZgSYMVHINiC3ZH5oSn7yzcdOAGT9HZnuMNSjSuQrfJNqc1lB5gXpa0zf3
  76
+wkrYKZImZNHkmGw6AIr1NJtl+O3jEP/9uElY3KDegjlrgbEWGWG5VLbmQwIBA6OC
  77
+AdcwggHTMBEGCWCGSAGG+EIBAQQEAwIABzCCARkGA1UdHwSCARAwggEMMIHeoIHb
  78
+oIHYpIHVMIHSMQswCQYDVQQGEwJVUzEUMBIGA1UEChMLRW50cnVzdC5uZXQxOzA5
  79
+BgNVBAsTMnd3dy5lbnRydXN0Lm5ldC9DUFMgaW5jb3JwLiBieSByZWYuIChsaW1p
  80
+dHMgbGlhYi4pMSUwIwYDVQQLExwoYykgMTk5OSBFbnRydXN0Lm5ldCBMaW1pdGVk
  81
+MTowOAYDVQQDEzFFbnRydXN0Lm5ldCBTZWN1cmUgU2VydmVyIENlcnRpZmljYXRp
  82
+b24gQXV0aG9yaXR5MQ0wCwYDVQQDEwRDUkwxMCmgJ6AlhiNodHRwOi8vd3d3LmVu
  83
+dHJ1c3QubmV0L0NSTC9uZXQxLmNybDArBgNVHRAEJDAigA8xOTk5MDUyNTE2MDk0
  84
+MFqBDzIwMTkwNTI1MTYwOTQwWjALBgNVHQ8EBAMCAQYwHwYDVR0jBBgwFoAU8Bdi
  85
+E1U9s/8KAGv7UISX8+1i0BowHQYDVR0OBBYEFPAXYhNVPbP/CgBr+1CEl/PtYtAa
  86
+MAwGA1UdEwQFMAMBAf8wGQYJKoZIhvZ9B0EABAwwChsEVjQuMAMCBJAwDQYJKoZI
  87
+hvcNAQEFBQADgYEAkNwwAvpkdMKnCqV8IY00F6j7Rw7/JXyNEwr75Ji174z4xRAN
  88
+95K+8cPV1ZVqBLssziY2ZcgxxufuP+NXdYR6Ee9GTxj005i7qIcyunL2POI9n9cd
  89
+2cNgQ4xYDiKWL2KjLB+6rQXvqzJ4h6BUcxm1XAX5Uj5tLUUL9wqT6u0G+bI=
  90
+-----END CERTIFICATE-----
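Review bot: This root has a 1024-bit RSA key with public exponent 3 and a Not After date of May 25 2019, so bundling it extends trust in a weak key to every RubyGems client and verification will begin to fail once it lapses. Add a note on how and when the bundled roots are refreshed, and prefer a stronger root for the CloudFront host if the served chain allows one.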
57  lib/rubygems/ssl_certs/VerisignClass3PublicPrimaryCertificationAuthority-G2.pem
... ...
@@ -0,0 +1,57 @@
  1
+This CA certificate is for verifying HTTPS connection to;
  2
+  - https://s3.amazon.com/ (prepared by AWS)
  3
+
  4
+Certificate:
  5
+    Data:
  6
+        Version: 1 (0x0)
  7
+        Serial Number:
  8
+            7d:d9:fe:07:cf:a8:1e:b7:10:79:67:fb:a7:89:34:c6
  9
+    Signature Algorithm: sha1WithRSAEncryption
  10
+        Issuer: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority - G2, OU=(c) 1998 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network
  11
+        Validity
  12
+            Not Before: May 18 00:00:00 1998 GMT
  13
+            Not After : Aug  1 23:59:59 2028 GMT
  14
+        Subject: C=US, O=VeriSign, Inc., OU=Class 3 Public Primary Certification Authority - G2, OU=(c) 1998 VeriSign, Inc. - For authorized use only, OU=VeriSign Trust Network
  15
+        Subject Public Key Info:
  16
+            Public Key Algorithm: rsaEncryption
  17
+                Public-Key: (1024 bit)
  18
+                Modulus:
  19
+                    00:cc:5e:d1:11:5d:5c:69:d0:ab:d3:b9:6a:4c:99:
  20
+                    1f:59:98:30:8e:16:85:20:46:6d:47:3f:d4:85:20:
  21
+                    84:e1:6d:b3:f8:a4:ed:0c:f1:17:0f:3b:f9:a7:f9:
  22
+                    25:d7:c1:cf:84:63:f2:7c:63:cf:a2:47:f2:c6:5b:
  23
+                    33:8e:64:40:04:68:c1:80:b9:64:1c:45:77:c7:d8:
  24
+                    6e:f5:95:29:3c:50:e8:34:d7:78:1f:a8:ba:6d:43:
  25
+                    91:95:8f:45:57:5e:7e:c5:fb:ca:a4:04:eb:ea:97:
  26
+                    37:54:30:6f:bb:01:47:32:33:cd:dc:57:9b:64:69:
  27
+                    61:f8:9b:1d:1c:89:4f:5c:67
  28
+                Exponent: 65537 (0x10001)
  29
+    Signature Algorithm: sha1WithRSAEncryption
  30
+         51:4d:cd:be:5c:cb:98:19:9c:15:b2:01:39:78:2e:4d:0f:67:
  31
+         70:70:99:c6:10:5a:94:a4:53:4d:54:6d:2b:af:0d:5d:40:8b:
  32
+         64:d3:d7:ee:de:56:61:92:5f:a6:c4:1d:10:61:36:d3:2c:27:
  33
+         3c:e8:29:09:b9:11:64:74:cc:b5:73:9f:1c:48:a9:bc:61:01:
  34
+         ee:e2:17:a6:0c:e3:40:08:3b:0e:e7:eb:44:73:2a:9a:f1:69:
  35
+         92:ef:71:14:c3:39:ac:71:a7:91:09:6f:e4:71:06:b3:ba:59:
  36
+         57:26:79:00:f6:f8:0d:a2:33:30:28:d4:aa:58:a0:9d:9d:69:
  37
+         91:fd
  38
+
  39
+-----BEGIN CERTIFICATE-----
  40
+MIIDAjCCAmsCEH3Z/gfPqB63EHln+6eJNMYwDQYJKoZIhvcNAQEFBQAwgcExCzAJ
  41
+BgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE8MDoGA1UECxMzQ2xh
  42
+c3MgMyBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEcy
  43
+MTowOAYDVQQLEzEoYykgMTk5OCBWZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRob3Jp
  44
+emVkIHVzZSBvbmx5MR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMB4X
  45
+DTk4MDUxODAwMDAwMFoXDTI4MDgwMTIzNTk1OVowgcExCzAJBgNVBAYTAlVTMRcw
  46
+FQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE8MDoGA1UECxMzQ2xhc3MgMyBQdWJsaWMg
  47
+UHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEcyMTowOAYDVQQLEzEo
  48
+YykgMTk5OCBWZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5
  49
+MR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMIGfMA0GCSqGSIb3DQEB
  50
+AQUAA4GNADCBiQKBgQDMXtERXVxp0KvTuWpMmR9ZmDCOFoUgRm1HP9SFIIThbbP4
  51
+pO0M8RcPO/mn+SXXwc+EY/J8Y8+iR/LGWzOOZEAEaMGAuWQcRXfH2G71lSk8UOg0
  52
+13gfqLptQ5GVj0VXXn7F+8qkBOvqlzdUMG+7AUcyM83cV5tkaWH4mx0ciU9cZwID
  53
+AQABMA0GCSqGSIb3DQEBBQUAA4GBAFFNzb5cy5gZnBWyATl4Lk0PZ3BwmcYQWpSk
  54
+U01UbSuvDV1Ai2TT1+7eVmGSX6bEHRBhNtMsJzzoKQm5EWR0zLVznxxIqbxhAe7i
  55
+F6YM40AIOw7n60RzKprxaZLvcRTDOaxxp5EJb+RxBrO6WVcmeQD2+A2iMzAo1KpY
  56
+oJ2daZH9
  57
+-----END CERTIFICATE-----
45  test/rubygems/ca_cert.pem
... ...
@@ -0,0 +1,45 @@
  1
+-----BEGIN CERTIFICATE-----
  2
+MIID0DCCArigAwIBAgIBADANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGDAJKUDES
  3
+MBAGA1UECgwJSklOLkdSLkpQMQwwCgYDVQQLDANSUlIxCzAJBgNVBAMMAkNBMB4X
  4
+DTA0MDEzMDAwNDIzMloXDTM2MDEyMjAwNDIzMlowPDELMAkGA1UEBgwCSlAxEjAQ
  5
+BgNVBAoMCUpJTi5HUi5KUDEMMAoGA1UECwwDUlJSMQswCQYDVQQDDAJDQTCCASIw
  6
+DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANbv0x42BTKFEQOE+KJ2XmiSdZpR
  7
+wjzQLAkPLRnLB98tlzs4xo+y4RyY/rd5TT9UzBJTIhP8CJi5GbS1oXEerQXB3P0d
  8
+L5oSSMwGGyuIzgZe5+vZ1kgzQxMEKMMKlzA73rbMd4Jx3u5+jdbP0EDrPYfXSvLY
  9
+bS04n2aX7zrN3x5KdDrNBfwBio2/qeaaj4+9OxnwRvYP3WOvqdW0h329eMfHw0pi
  10
+JI0drIVdsEqClUV4pebT/F+CPUPkEh/weySgo9wANockkYu5ujw2GbLFcO5LXxxm
  11
+dEfcVr3r6t6zOA4bJwL0W/e6LBcrwiG/qPDFErhwtgTLYf6Er67SzLyA66UCAwEA
  12
+AaOB3DCB2TAPBgNVHRMBAf8EBTADAQH/MDEGCWCGSAGG+EIBDQQkFiJSdWJ5L09w
  13
+ZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQWBBRJ7Xd380KzBV7f
  14
+USKIQ+O/vKbhDzAOBgNVHQ8BAf8EBAMCAQYwZAYDVR0jBF0wW4AUSe13d/NCswVe
  15
+31EiiEPjv7ym4Q+hQKQ+MDwxCzAJBgNVBAYMAkpQMRIwEAYDVQQKDAlKSU4uR1Iu
  16
+SlAxDDAKBgNVBAsMA1JSUjELMAkGA1UEAwwCQ0GCAQAwDQYJKoZIhvcNAQEFBQAD
  17
+ggEBAIu/mfiez5XN5tn2jScgShPgHEFJBR0BTJBZF6xCk0jyqNx/g9HMj2ELCuK+
  18
+r/Y7KFW5c5M3AQ+xWW0ZSc4kvzyTcV7yTVIwj2jZ9ddYMN3nupZFgBK1GB4Y05GY
  19
+MJJFRkSu6d/Ph5ypzBVw2YMT/nsOo5VwMUGLgS7YVjU+u/HNWz80J3oO17mNZllj
  20
+PvORJcnjwlroDnS58KoJ7GDgejv3ESWADvX1OHLE4cRkiQGeLoEU4pxdCxXRqX0U
  21
+PbwIkZN9mXVcrmPHq8MWi4eC/V7hnbZETMHuWhUoiNdOEfsAXr3iP4KjyyRdwc7a
  22
+d/xgcK06UVQRL/HbEYGiQL056mc=
  23
+-----END CERTIFICATE-----
  24
+
  25
+-----BEGIN CERTIFICATE-----
  26
+MIIDaDCCAlCgAwIBAgIBATANBgkqhkiG9w0BAQUFADA8MQswCQYDVQQGDAJKUDES
  27
+MBAGA1UECgwJSklOLkdSLkpQMQwwCgYDVQQLDANSUlIxCzAJBgNVBAMMAkNBMB4X
  28
+DTA0MDEzMDAwNDMyN1oXDTM1MDEyMjAwNDMyN1owPzELMAkGA1UEBgwCSlAxEjAQ
  29
+BgNVBAoMCUpJTi5HUi5KUDEMMAoGA1UECwwDUlJSMQ4wDAYDVQQDDAVTdWJDQTCC
  30
+ASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJ0Ou7AyRcRXnB/kVHv/6kwe
  31
+ANzgg/DyJfsAUqW90m7Lu1nqyug8gK0RBd77yU0w5HOAMHTVSdpjZK0g2sgx4Mb1
  32
+d/213eL9TTl5MRVEChTvQr8q5DVG/8fxPPE7fMI8eOAzd98/NOAChk+80r4Sx7fC
  33
+kGVEE1bKwY1MrUsUNjOY2d6t3M4HHV3HX1V8ShuKfsHxgCmLzdI8U+5CnQedFgkm
  34
+3e+8tr8IX5RR1wA1Ifw9VadF7OdI/bGMzog/Q8XCLf+WPFjnK7Gcx6JFtzF6Gi4x
  35
+4dp1Xl45JYiVvi9zQ132wu8A1pDHhiNgQviyzbP+UjcB/tsOpzBQF8abYzgEkWEC
  36
+AwEAAaNyMHAwDwYDVR0TAQH/BAUwAwEB/zAxBglghkgBhvhCAQ0EJBYiUnVieS9P
  37
+cGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUlCjXWLsReYzH
  38
+LzsxwVnCXmKoB/owCwYDVR0PBAQDAgEGMA0GCSqGSIb3DQEBBQUAA4IBAQCJ/OyN
  39
+rT8Cq2Y+G2yA/L1EMRvvxwFBqxavqaqHl/6rwsIBFlB3zbqGA/0oec6MAVnYynq4
  40
+c4AcHTjx3bQ/S4r2sNTZq0DH4SYbQzIobx/YW8PjQUJt8KQdKMcwwi7arHP7A/Ha
  41
+LKu8eIC2nsUBnP4NhkYSGhbmpJK+PFD0FVtD0ZIRlY/wsnaZNjWWcnWF1/FNuQ4H
  42
+ySjIblqVQkPuzebv3Ror6ZnVDukn96Mg7kP4u6zgxOeqlJGRe1M949SS9Vudjl8X
  43
+SF4aZUUB9pQGhsqQJVqaz2OlhGOp9D0q54xko/rekjAIcuDjl1mdX4F2WRrzpUmZ
  44
+uY/bPeOBYiVsOYVe
  45
+-----END CERTIFICATE-----
19  test/rubygems/ssl_cert.pem
... ...
@@ -0,0 +1,19 @@
  1
+-----BEGIN CERTIFICATE-----
  2
+MIIC/zCCAeegAwIBAgIBATANBgkqhkiG9w0BAQUFADA/MQswCQYDVQQGDAJKUDES
  3
+MBAGA1UECgwJSklOLkdSLkpQMQwwCgYDVQQLDANSUlIxDjAMBgNVBAMMBVN1YkNB
  4
+MB4XDTA0MDEzMTAzMTMxNloXDTMzMDEyMzAzMTMxNlowQzELMAkGA1UEBgwCSlAx
  5
+EjAQBgNVBAoMCUpJTi5HUi5KUDEMMAoGA1UECwwDUlJSMRIwEAYDVQQDDAlsb2Nh
  6
+bGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANFJTxWqup3nV9dsJAku
  7
+p+WaXnPNIzcpAA3qMGZDJTJsfa8Du7ZxTP0XJK5mETttBrn711cJxAuP3KjqnW9S
  8
+vtZ9lY2sXJ6Zj62sN5LwG3VVe25dI28yR1EsbHjJ5Zjf9tmggMC6am52dxuHbt5/
  9
+vHo4ngJuKE/U+eeGRivMn6gFAgMBAAGjgYUwgYIwDAYDVR0TAQH/BAIwADAxBglg
  10
+hkgBhvhCAQ0EJBYiUnVieS9PcGVuU1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAd
  11
+BgNVHQ4EFgQUpZIyygD9JxFYHHOTEuWOLbCKfckwCwYDVR0PBAQDAgWgMBMGA1Ud
  12
+JQQMMAoGCCsGAQUFBwMBMA0GCSqGSIb3DQEBBQUAA4IBAQBwAIj5SaBHaA5X31IP
  13
+CFCJiep96awfp7RANO0cuUj+ZpGoFn9d6FXY0g+Eg5wAkCNIzZU5NHN9xsdOpnUo
  14
+zIBbyTfQEPrge1CMWMvL6uGaoEXytq84VTitF/xBTky4KtTn6+es4/e7jrrzeUXQ
  15
+RC46gkHObmDT91RkOEGjHLyld2328jo3DIN/VTHIryDeVHDWjY5dENwpwdkhhm60
  16
+DR9IrNBbXWEe9emtguNXeN0iu1ux0lG1Hc6pWGQxMlRKNvGh0yZB9u5EVe38tOV0
  17
+jQaoNyL7qzcQoXD3Dmbi1p0iRmg/+HngISsz8K7k7MBNVsSclztwgCzTZOBiVtkM
  18
+rRlQ
  19
+-----END CERTIFICATE-----
15  test/rubygems/ssl_key.pem
... ...
@@ -0,0 +1,15 @@
  1
+-----BEGIN RSA PRIVATE KEY-----
  2
+MIICXQIBAAKBgQDRSU8Vqrqd51fXbCQJLqflml5zzSM3KQAN6jBmQyUybH2vA7u2
  3
+cUz9FySuZhE7bQa5+9dXCcQLj9yo6p1vUr7WfZWNrFyemY+trDeS8Bt1VXtuXSNv
  4
+MkdRLGx4yeWY3/bZoIDAumpudncbh27ef7x6OJ4CbihP1PnnhkYrzJ+oBQIDAQAB
  5
+AoGBAIf4CstW2ltQO7+XYGoex7Hh8s9lTSW/G2vu5Hbr1LTHy3fzAvdq8MvVR12O
  6
+rk9fa+lU9vhzPc0NMB0GIDZ9GcHuhW5hD1Wg9OSCbTOkZDoH3CAFqonjh4Qfwv5W
  7
+IPAFn9KHukdqGXkwEMdErsUaPTy9A1V/aROVEaAY+HJgq/eZAkEA/BP1QMV04WEZ
  8
+Oynzz7/lLizJGGxp2AOvEVtqMoycA/Qk+zdKP8ufE0wbmCE3Qd6GoynavsHb6aGK
  9
+gQobb8zDZwJBANSK6MrXlrZTtEaeZuyOB4mAmRzGzOUVkUyULUjEx2GDT93ujAma
  10
+qm/2d3E+wXAkNSeRpjUmlQXy/2oSqnGvYbMCQQDRM+cYyEcGPUVpWpnj0shrF/QU
  11
+9vSot/X1G775EMTyaw6+BtbyNxVgOIu2J+rqGbn3c+b85XqTXOPL0A2RLYkFAkAm
  12
+syhSDtE9X55aoWsCNZY/vi+i4rvaFoQ/WleogVQAeGVpdo7/DK9t9YWoFBIqth0L
  13
+mGSYFu9ZhvZkvQNV8eYrAkBJ+rOIaLDsmbrgkeDruH+B/9yrm4McDtQ/rgnOGYnH
  14
+LjLpLLOrgUxqpzLWe++EwSLwK2//dHO+SPsQJ4xsyQJy
  15
+-----END RSA PRIVATE KEY-----
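Review bot: An RSA private key is committed here with no header explaining its purpose, unlike the files under lib/rubygems/ssl_certs/. Add a comment at the top of ssl_key.pem, ssl_cert.pem and ca_cert.pem, or a README beside them, stating that they are test-only fixtures for the localhost WEBrick server and must not be used anywhere else, so readers and secret scanners do not mistake this for a leaked credential.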
20  test/rubygems/test_gem_config_file.rb
@@ -52,6 +52,8 @@ def test_initialize
52 52
       fp.puts ":gempath:"
53 53
       fp.puts "- /usr/ruby/1.8/lib/ruby/gems/1.8"
54 54
       fp.puts "- /var/ruby/1.8/gem_home"
  55
+      fp.puts ":ssl_verify_mode: 0"
  56
+      fp.puts ":ssl_ca_cert: /etc/ssl/certs"
55 57
     end
56 58
 
57 59
     util_config_file
@@ -65,6 +67,8 @@ def test_initialize
65 67
     assert_equal '--wrappers', @cfg[:install]
66 68
     assert_equal(['/usr/ruby/1.8/lib/ruby/gems/1.8', '/var/ruby/1.8/gem_home'],
67 69
                  @cfg.path)
  70
+    assert_equal 0, @cfg.ssl_verify_mode
  71
+    assert_equal '/etc/ssl/certs', @cfg.ssl_ca_cert
68 72
   end
69 73
 
70 74
   def test_initialize_handle_arguments_config_file
@@ -291,6 +295,22 @@ def test_load_api_keys_from_config
291 295
                   :other => 'a5fdbb6ba150cbb83aad2bb2fede64c'}, @cfg.api_keys)
292 296
   end
293 297
 
  298
+  def test_load_ssl_verify_mode_from_config
  299
+    File.open @temp_conf, 'w' do |fp|
  300
+      fp.puts ":ssl_verify_mode: 1"
  301
+    end
  302
+    util_config_file
  303
+    assert_equal(1, @cfg.ssl_verify_mode)
  304
+  end
  305
+
  306
+  def test_load_ssl_ca_cert_from_config
  307
+    File.open @temp_conf, 'w' do |fp|
  308
+      fp.puts ":ssl_ca_cert: /home/me/certs"
  309
+    end
  310
+    util_config_file
  311
+    assert_equal('/home/me/certs', @cfg.ssl_ca_cert)
  312
+  end
  313
+
294 314
   def util_config_file(args = @cfg_args)
295 315
     @cfg = Gem::ConfigFile.new args
296 316
   end
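Review bot: The new tests only cover integer and path values that are present in the config file. Add a case where neither key is set, asserting that ssl_verify_mode and ssl_ca_cert are nil so RemoteFetcher falls back to VERIFY_PEER, and a case for a non-integer :ssl_verify_mode, since that value is handed to OpenSSL unchanged.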
101  test/rubygems/test_gem_remote_fetcher.rb
... ...
@@ -1,6 +1,7 @@
1 1
 require 'rubygems/test_case'
2 2
 require 'ostruct'
3 3
 require 'webrick'
  4
+require 'webrick/https'
4 5
 require 'rubygems/remote_fetcher'
5 6
 require 'rubygems/format'
6 7
 
@@ -73,6 +74,8 @@ class TestGemRemoteFetcher < Gem::TestCase
73 74
   PROXY_PORT = process_based_port + 100 + $1.to_i * 100 + $2.to_i * 10 + $3.to_i
74 75
   SERVER_PORT = process_based_port + 200 + $1.to_i * 100 + $2.to_i * 10 + $3.to_i
75 76
 
  77
+  DIR = File.expand_path(File.dirname(__FILE__))
  78
+
76 79
   def setup
77 80
     super
78 81
     self.class.start_servers
@@ -740,6 +743,53 @@ def test_yaml_error_on_size
740 743
     end
741 744
   end
742 745
 
  746
+  def test_ssl_connection
  747
+    ssl_server = self.class.start_ssl_server
  748
+    temp_ca_cert = File.join(DIR, 'ca_cert.pem')
  749
+    with_configured_fetcher(":ssl_ca_cert: #{temp_ca_cert}") do |fetcher|
  750
+      fetcher.fetch_path("https://localhost:#{ssl_server.config[:Port]}/yaml")
  751
+    end
  752
+  end
  753
+
  754
+  def test_do_not_allow_insecure_ssl_connection_by_default
  755
+    ssl_server = self.class.start_ssl_server
  756
+    with_configured_fetcher do |fetcher|
  757
+      assert_raises Gem::RemoteFetcher::FetchError do
  758
+        fetcher.fetch_path("https://localhost:#{ssl_server.config[:Port]}/yaml")
  759
+      end
  760
+    end
  761
+  end
  762
+
  763
+  def test_ssl_connection_allow_verify_none
  764
+    ssl_server = self.class.start_ssl_server
  765
+    with_configured_fetcher(":ssl_verify_mode: 0") do |fetcher|
  766
+      fetcher.fetch_path("https://localhost:#{ssl_server.config[:Port]}/yaml")
  767
+    end
  768
+  end
  769
+
  770
+  def test_do_not_follow_insecure_redirect
  771
+    ssl_server = self.class.start_ssl_server
  772
+    temp_ca_cert = File.join(DIR, 'ca_cert.pem'),
  773
+    with_configured_fetcher(":ssl_ca_cert: #{temp_ca_cert}") do |fetcher|
  774
+      assert_raises Gem::RemoteFetcher::FetchError do
  775
+        fetcher.fetch_path("https://localhost:#{ssl_server.config[:Port]}/insecure_redirect?to=#{@server_uri}")
  776
+      end
  777
+    end
  778
+  end
  779
+
  780
+  def with_configured_fetcher(config_str = nil, &block)
  781
+    if config_str
  782
+      temp_conf = File.join @tempdir, '.gemrc'
  783
+      File.open temp_conf, 'w' do |fp|
  784
+        fp.puts config_str
  785
+      end
  786
+      Gem.configuration = Gem::ConfigFile.new %W[--config-file #{temp_conf}]
  787
+    end
  788
+    yield Gem::RemoteFetcher.new
  789
+  ensure
  790
+    Gem.configuration = nil
  791
+  end
  792
+
743 793
   def util_stub_connection_for hash
744 794
     def @fetcher.connection= conn
745 795
       @conn = conn
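Review bot: In test_do_not_follow_insecure_redirect the line temp_ca_cert = File.join(DIR, 'ca_cert.pem'), ends with a trailing comma, so Ruby parses the following with_configured_fetcher call as a second element of the right-hand side and temp_ca_cert is still nil when the config string passed to with_configured_fetcher is interpolated. The fetcher then runs without the test CA, and assert_raises can pass on a certificate verification failure without the redirect check ever being exercised. Remove the comma and assert on the error message ("redirecting to non-https resource") so the test proves the redirect was the cause. test_ssl_connection and test_ssl_connection_allow_verify_none also make no assertion on the fetched body.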
@@ -802,6 +852,49 @@ def start_servers
802 852
       @enable_zip = false
803 853
     end
804 854
 
  855
+    DIR = File.expand_path(File.dirname(__FILE__))
  856
+    DH_PARAM = OpenSSL::PKey::DH.new(128)
  857
+
  858
+    def start_ssl_server(config = {})
  859
+      null_logger = NilLog.new
  860
+      server = WEBrick::HTTPServer.new({
  861
+        :Port => 0,
  862
+        :Logger => null_logger,
  863
+        :AccessLog => [],
  864
+        :SSLEnable => true,
  865
+        :SSLCACertificateFile => File.join(DIR, 'ca_cert.pem'),
  866
+        :SSLCertificate => cert('ssl_cert.pem'),
  867
+        :SSLPrivateKey => key('ssl_key.pem'),
  868
+        :SSLVerifyClient => nil,
  869
+        :SSLCertName => nil
  870
+      }.merge(config))
  871
+      server.mount_proc("/yaml") { |req, res|
  872
+        res.body = "--- true\n"
  873
+      }
  874
+      server.mount_proc("/insecure_redirect") { |req, res|
  875
+        res.set_redirect(WEBrick::HTTPStatus::MovedPermanently, req.query['to'])
  876
+      }
  877
+      server.ssl_context.tmp_dh_callback = proc { DH_PARAM }
  878
+      t = Thread.new do
  879
+        begin
  880
+          server.start
  881
+        rescue Exception => ex
  882
+          abort ex.message
  883
+          puts "ERROR during server thread: #{ex.message}"
  884
+        end
  885
+      end
  886
+      while server.status != :Running
  887
+        sleep 0.1
  888
+        unless t.alive?
  889
+          t.join
  890
+          raise
  891
+        end
  892
+      end
  893
+      server
  894
+    end
  895
+
  896
+
  897
+
805 898
     private
806 899
 
807 900
     def start_server(port, data)
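Review bot: In the server thread of start_ssl_server, abort ex.message comes before puts "ERROR during server thread: ...", so the puts can never run, and rescuing Exception there hides the failure from the test framework. Log and re-raise instead, and replace the bare raise in the unless t.alive? branch with an explicit exception and message, since a bare raise at that point carries no information about what failed. DH_PARAM = OpenSSL::PKey::DH.new(128) also deserves a comment saying the 128-bit group is a test-only shortcut.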
@@ -844,6 +937,14 @@ def start_server(port, data)
844 937
       end
845 938
       sleep 0.2                 # Give the servers time to startup
846 939
     end
  940
+
  941
+    def cert(filename)
  942
+      OpenSSL::X509::Certificate.new(File.read(File.join(DIR, filename)))
  943
+    end
  944
+
  945
+    def key(filename)
  946
+      OpenSSL::PKey::RSA.new(File.read(File.join(DIR, filename)))
  947
+    end
847 948
   end
848 949
 
849 950
   def test_correct_for_windows_path

1 note on commit c7d6c6e

Daniel Kehoe

This change results in an error when attempting to create a new Rails application. See #319.

Hiroshi Nakamura

Aargh, this addition caused a hard dependency on OpenSSL that is not expected...

Daniel Kehoe

Is this why I was getting a failure when using an older version of OpenSSL?

Hiroshi Nakamura

I don't think so. It affects environments which are not compiled with OpenSSL. It should work as long as it doesn't try to connect to https.

Daniel Kehoe

I was getting a failure when connecting to https://rubygems.org/ with an older version of OpenSSL on my machine. Still wondering what was the source of the failure.

Hiroshi Nakamura

Do you think this affects you? #320

Daniel Kehoe

I installed Ruby 1.9.3p194. I expected the certs supplied with the Ruby install would override any included with my older OpenSSL but it appears they didn't. Still mystified as to why I needed to upgrade OpenSSL to resolve the issue.
