Incorrect certificate error message #2395

Open
Jac2NL opened this Issue Sep 10, 2018 · 3 comments

Jac2NL commented Sep 10, 2018

I would like to suggest updating a security error message.

When I simulate a Man-in-the-Middle attack against rubygems.org and replace the SSL/TLS certificate, the Ruby application (in this case Logstash) reports the following error:

# /usr/share/logstash/bin/logstash-plugin install logstash-some-plugin
Validating logstash-some-plugin
ERROR:  SSL verification error at depth 0: unable to get local issuer certificate (20)
ERROR:  You must add /CN=jac2/OU=etc/O=etc/C=NL to your local trusted store
Unable to download data from https://rubygems.org - certificate verify failed (https://api.rubygems.org/latest_specs.4.8.gz)
ERROR: Installation aborted, verification failed for logstash-some-plugin

My issue with this error is the "You must add ... to your local trusted store" part. I believe it should be left to the user to resolve the problem. It could be that the user forgot to add the root certificate to the truststore, it could be that the server is not sending proper intermediate certificates, or it could be a MITM... In that case the user should not continue.

For comparison, here's how wget handles the same situation:

Connecting to api.rubygems.org (api.rubygems.org)|192.168.x.x|:443... connected.
ERROR: cannot verify api.rubygems.org's certificate, issued by
‘C=NL,O=etc,OU=etc,CN=jac2’:
  Unable to locally verify the issuer's authority. 

This issue is related to:

  • Network problems
  • Installing a library
  • Publishing a library
  • The command line gem
  • Other

Here are my current environment details:

$ gem env version
2.5.2.1

The code responsible for this error can be found here: https://github.com/rubygems/rubygems/blob/master/lib/rubygems/request.rb#L120-L122

I will abide by the code of conduct.

Member

indirect commented Sep 10, 2018

@Jac2NL I think I agree with your reasoning, but Rubygems does not generate the text that you are complaining about. It passes through that text from the OpenSSL error message. Maybe you can file this against OpenSSL?

Member

indirect commented Sep 11, 2018

Whoops, I was totally wrong about that. RubyGems does print that message, and I agree that it could be misleading. Good suggestion!

Member

bronzdoc commented Sep 12, 2018

Maybe just print that message when OpenSSL::X509::V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY happens and print a different one when OpenSSL::X509::V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE happens
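An added illustration of the distinction suggested above (example code, not RubyGems' own request.rb): the "add it to your trusted store" hint is kept only for the V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY case, a neutral message is used for V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE and everything else, and a verify callback collects the messages without overriding OpenSSL's verdict. The module and method names are assumptions chosen for this example.

```ruby
require "openssl"

# Example module, not part of RubyGems. Maps an OpenSSL verify error
# to user-facing lines, so the "add to trusted store" advice only appears
# when the chain genuinely stopped at an issuer missing from the local store.
module VerifyMessages
  # error_string is OpenSSL's own description (StoreContext#error_string).
  def self.lines_for(error_code, depth, subject, error_string)
    base = "SSL verification error at depth #{depth}: #{error_string} (#{error_code})"
    case error_code
    when OpenSSL::X509::V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
      [base, "The issuer of #{subject} is not in the local trusted store. " \
             "Only add it if you have confirmed out of band that it is the expected CA."]
    when OpenSSL::X509::V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
      [base, "The chain presented for #{subject} could not be verified; " \
             "the server may be misconfigured or the connection may be intercepted."]
    else
      [base, "Certificate verification failed for #{subject}; not continuing."]
    end
  end

  # Builds a verify callback suitable for SSLContext#verify_callback=.
  # It appends messages for every failed step but returns preverify_ok
  # unchanged, so OpenSSL's decision to reject the chain stands.
  def self.callback(messages)
    lambda do |preverify_ok, store_ctx|
      unless preverify_ok
        messages.concat(lines_for(store_ctx.error,
                                  store_ctx.error_depth,
                                  store_ctx.current_cert.subject.to_s,
                                  store_ctx.error_string))
      end
      preverify_ok
    end
  end
end
```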
