add rvm osx-ssl-certs #1764

Merged
merged 5 commits into master from features/osx-ssl-certs on Apr 9, 2013

@mpapis mpapis was assigned Apr 3, 2013
@DanielKehoe

openssl-certificate-verify-failed

Here's the traffic to the page on my site that tries to help people with the OpenSSL issues. What can I say. The chart speaks for itself. With the release of Ruby 2.0, a jump from 60 page views a day to 400 daily. And people spending at least six minutes on the page. If I knew the page actually helped everyone, that might be okay, but it seems a lot of people are struggling.

@mpapis
Member
mpapis commented Apr 6, 2013

so the plan is for:

rvm osx-ssl-certs [status [<ruby>|all]]
rvm osx-ssl-certs update [<ruby>|all]
rvm osx-ssl-certs cron [status]
rvm osx-ssl-certs cron install [schedule]
rvm osx-ssl-certs cron uninstall
@richardkmichael
Contributor

I've read part of your OpenSSL help page, nice writeup! I have several
half-baked pages of notes dealing with openssl segfaults, I should clean
them up and publish. :-)

I have a few comments. (Disqus is not loading on your page, unsure why.)

0/ Reading openssl-osx-ca, I do not think it updates Mac certificates
from Mozilla's (as indicated on your page). What I believe it does is dump
the Mac's system certificates ('security find-certificates -a -p') and
install them at openssl's default cert file location X509_CERT_FILE (or, a
directory of certs at X509_CERT_DIR), as seen in the openssl source:
http://cvs.openssl.org/fileview?f=openssl/crypto/cryptlib.h&v=1.20.2.1.2.1

This is useful because the OpenSSL project does not ship CA certificates.
Meaning, if you "brew install openssl", but do not "brew install
curl-ca-bundle", you will have no certificates (unless the brew people
modified openssl to include them; I am not sure, I do not use brew.)

I suppose you'd want brew openssl to use the same certificates as the
system to avoid potential confusion caused because/when "system programs"
(your browser?) use different certificates than Ruby or on the command line
(assuming PATH adjusted for brew's openssl).

1/ I do not understand the reason to run the script from a cron job, unless
you are regularly updating your system certificates (which might happen
when Apple releases a security update, but that's fairly rare; and you'd
[presumably] know), or are moving around your brew openssl installation
(e.g. changing "Cellar", I think?).

2/ If you want to download the latest certificates and install them, either
download the already built PEM file from the curl people, as you suggested
with "brew install curl-ca-bundle", or simply curl/wget "http://curl.haxx.se/ca/cacert.pem". Or, build their 'cacert.pem' yourself
from Mozilla's source by using their 'mk-ca-bundle.pl' script.

3/ It's perhaps more helpful to teach people to run: "openssl version -a"
because it will also show not only the OPENSSL_DIR (needed for the paths to
the default cert files; the openssl-osx-ca script uses "-d" for exactly
that), but also how it was compiled. Minimally, I'd suggest "openssl
version -v -d".

Cheers! Thanks again!

@mpapis

I don't think RVM should handle this, and especially not special casing it
for MacOS. Neither outdated nor missing certificates are MacOS specific
problems. I am doubtful people have outdated certificates; Apple would be
handling that (anyway, CA certs move slowly). I do think it's likely they
have no certificates (custom openssl installation).

From RVM's point of view of "being helpful", I would inspect the openssl
installation for certificates (cert.pem exists at openssl -d?), then just
output helpful options/commands. If RVM starts fooling around with
openssl, you could break much more. (If RVM installed rubies against
system openssl on a Mac, it shouldn't change certificates for sure!)

On Sat, Apr 6, 2013 at 2:10 AM, Michal Papis notifications@github.com wrote:

so the plan is for:

rvm osx-ssl-certs update # current ruby
rvm osx-ssl-certs cron install
rvm osx-ssl-certs cron uninstall


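
A defender's check in the spirit of richardkmichael's suggestions (items 0/ and 3/ above, and "cert.pem exists at openssl -d?"), as an added shell example that is not RVM's or openssl-osx-ca's code: it parses `openssl version -d`, inspects OPENSSLDIR for a cert.pem or hashed certificates, and says what is missing. The output format of `openssl version -d` and the hashed-file naming are assumptions stated in the comments.

```shell
#!/bin/sh
# Added example, not RVM's or openssl-osx-ca's code: inspect an OpenSSL
# installation for CA certificates and report what to do if none are found.
# Assumption: `openssl version -d` prints a line  OPENSSLDIR: "/some/path"
# (true for OpenSSL 0.9.8 and 1.x); hashed certs are named <hash>.0 in certs/.

# Extract the directory from `openssl version -d` output passed in as $1.
openssldir_from_version() {
  printf '%s\n' "$1" | sed -n 's/^OPENSSLDIR: *"\(.*\)".*$/\1/p'
}

# Count PEM certificates in file $1 (0 if the file is missing or empty).
pem_cert_count() {
  if [ -s "$1" ]; then
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true   # grep -c prints 0 on no match
  else
    echo 0
  fi
}

# Report the CA material under OPENSSLDIR $1. Returns 0 when a usable bundle
# (cert.pem with at least one cert, or hashed files in certs/) is present, else 1.
cert_status() {
  dir="$1"
  n=$(pem_cert_count "$dir/cert.pem")
  if [ "$n" -gt 0 ]; then
    echo "ok: $dir/cert.pem holds $n certificate(s)"
    return 0
  fi
  if [ -d "$dir/certs" ] && [ -n "$(ls "$dir/certs" 2>/dev/null | grep '\.[0-9]$')" ]; then
    echo "ok: hashed certificates present in $dir/certs"
    return 0
  fi
  echo "missing: no CA bundle at $dir/cert.pem or $dir/certs;" \
       "export the system keychain roots there (as openssl-osx-ca does) or install a CA bundle"
  return 1
}

# Stand-alone use against the openssl on PATH:  sh check_certs.sh --live
if [ "${1:-}" = "--live" ]; then
  cert_status "$(openssldir_from_version "$(openssl version -d)")"
fi
```

Running it with `--live` against each Ruby's linked OpenSSL (via `rvm use <ruby>` and that Ruby's `openssl` on PATH) shows which installations the thread's `update` command would need to touch.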

@envygeeks
Contributor

The CURL pem will never be accepted or happen. It's an insecure PEM and they admit that fact on their main page because they have yet to adapt to browser blocking, which means they could have dirty certificates. Not to mention the fact that it's not done over SSL and does not even support SSL.

The best idea is to use the OS X keychain to gather the certificates. It's updated and controlled by the user/Apple.

@DanielKehoe

@richardkmichael thanks for the details. I very much appreciate assistance in improving the help page.

Disqus is not loading on the RailsApps help page because GitHub today changed URLs from railsapps.github.com to railsapps.github.io (I'm hoping Disqus will recover as the comments were instructive though often very confused).

From what I've observed, updating the Mac OS X version doesn't update OpenSSL or certificates. That seems very odd to me, as I would expect a Mac OS X update to do so. I've seen a user with a Mac purchased in 2009 and a fresh OS X 10.8.3 with an old version of OpenSSL. Perhaps someone else can shed light.

@envygeeks
Contributor

It seems to me that people are getting confused. This issue has nothing to do with OpenSSL, although it's indirectly related to OpenSSL in that we need to manually add the certificates to fix Ruby OpenSSL and brew installed OpenSSL. On system OpenSSL this is managed by Apple, on RVM installed OpenSSL it is not, and we are pulling certificates from the system and putting them into OpenSSL so that Ruby no longer has problems. This also works to solve CURL problems. Old OpenSSL has nothing to do with it as OpenSSL has nothing to do with the root certificates that are supplied by Apple other than the fact that it uses them and updating OpenSSL is irrelevant to updating certificates since they are in-fact two different pieces that are simply tied together.

To address your other problem, update your Disqus allowed domains.

@mpapis
Member
mpapis commented Apr 6, 2013

OSX is not a normal operating system, it does not provide package manager, it does not provide a new version of openssl nor ca-certificates - which are basic packages in most of the systems and get updates regularly (when needed).

As rubies can be linked against different certificates it is a safe bet to assume you need to update more than one location with certificates (compared to https://github.com/raggi/openssl-osx-ca which updates only one location).

Updated certificates are required for proper functioning of rubygems and bundler; this is why RVM will try to make it easier for users by exporting tasks that we already have scripted.

@richardkmichael
Contributor

@envygeeks Yes, I agree there is confusion. Although, I would not say this has nothing to do with OpenSSL, as you note: the Ruby linked openssl lacks a certificate chain.

It's an insecure PEM and they admit that fact on their main page because they have yet to adapt to browser
blocking, which means they could have dirty certificates. Not to mention the fact that it's not done over SSL and
does not even support SSL.

Could you elaborate on:

  • "they" and the "main page" - who and where, just a link is good.
  • "dirty certificates" and "browser blocking" - what do you mean?
  • "not over SSL" and "does not even support SSL" - do you mean retrieving the PEM from haxx.se, or from Mozilla?

I'm sure you know you can build it yourself. I do that; I was just hacking on mk-ca-bundle.pl this week in fact. :-)

@DanielKehoe I also find that surprising. I won't say more about it here because I don't want to thread-jack. We can move to your article comments. But briefly, my 10.6.8 has definitely updated openssl:

$ ls -l /usr/lib/libssl*
-rwxr-xr-x 1 root wheel 699088 Jun 25  2010 /usr/lib/libssl.0.9.7.dylib
-rwxr-xr-x 1 root wheel 932816 Apr 23  2011 /usr/lib/libssl.0.9.8.dylib
-rwxr-xr-x 1 root wheel 219120 May 29  2009 /usr/lib/libssl.0.9.dylib
lrwxr-xr-x 1 root wheel     18 Oct 12  2011 /usr/lib/libssl.dylib -> libssl.0.9.8.dylib

$ strings /usr/lib/libssl*.dylib | sort | uniq | grep 0\.9\.

DTLSv1 part of OpenSSL 0.9.8r 8 Feb 2011
OpenSSL 0.9.6l 04 Nov 2003                            # ==> The original libssl.0.9.dylib.

@mpapis I definitely agree RVM can help. I suppose I am thinking of this more from an autolibs or setup / packager perspective. Exposing a single RVM command for only OSX to do this felt strange; either openssl "works" or it does not, and during installation it should be configured in working condition. Moreover, a user might want (could need) to do certificate installation on any platform, not only a Mac. Though, I did not consider multiple Rubies linked against different OpenSSL versions ( probably helpful for testing). Although that too seems potentially cross-platform, because I would assume such people use RVM itself to install various openssls, doing so would not be OSX specific.

All that said, "epic thread"! I agree RVM should go ahead and help users, and making the update command cross platform can certainly be done later, if required at all.

@envygeeks
Contributor

@richardkmichael read: http://curl.haxx.se/ca/ -- " but it may contain related certificates that Mozilla (and others) would block using other means. (Like some certs that were cross-signed by Entrust etc)." Your suggestion to build it ourselves does not mitigate that known fact. Even though they closed http://sourceforge.net/p/curl/bugs/1178/ the fact still remains.

@richardkmichael
Contributor

@envygeeks. Yes, agreed. I skimmed that page re: the DigiNotar certs, but
I'll investigate further. Thanks!

On Sat, Apr 6, 2013 at 5:11 PM, Jordon Bedwell notifications@github.com wrote:

@richardkmichael https://github.com/richardkmichael read:
http://curl.haxx.se/ca/ -- " but it may contain related certificates that
Mozilla (and others) would block using other means. (Like some certs that
were cross-signed by Entrust etc)." Your suggestion to build it
ourselves does not mitigate that known fact. Even though they closed
http://sourceforge.net/p/curl/bugs/1178/ the fact still remains.



@mpapis
Member
mpapis commented Apr 7, 2013

this is already implemented:

rvm --debug osx-ssl-certs status all
rvm --debug osx-ssl-certs update all

please let me know if there are any issues with it.

@mpapis
Member
mpapis commented Apr 8, 2013

that should be all:

rvm get branch /features/osx-ssl-certs
rvm --debug osx-ssl-certs status all
rvm --debug osx-ssl-certs update all
rvm --silent osx-ssl-certs update # just current one, only return status on success
rvm osx-ssl-certs cron install
rvm osx-ssl-certs cron status
rvm osx-ssl-certs cron uninstall

anyone eager to try it? the cron job will be called once a day (@daily), most likely at midnight, but might depend on the cron implementation used.

@mpapis mpapis merged commit 7fe6ada into master Apr 9, 2013

@mpapis mpapis deleted the features/osx-ssl-certs branch Apr 9, 2013
@mpapis
Member
mpapis commented Apr 9, 2013

scheduled for 1.19.2

@mcandre
mcandre commented Mar 4, 2015

I ran rvm osx-ssl-certs update all, but gitlab user still fails with certificate verify failed.

NARKOZ/gitlab#116

Any tips?
